FBI disrupts Chinese botnet used for targeting US critical infrastructure

The FBI has disrupted the KV botnet, used by People’s Republic of China (PRC) state-sponsored hackers (aka “Volt Typhoon”) to target US-based critical infrastructure organizations.

A botnet for probing critical infrastructure organizations

The threat actors used the KV botnet malware to hijack hundreds of US-based, privately-owned small office/home office (SOHO) routers and to hide their hacking activity towards “US and other foreign victims”.

“The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors—steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure,” said FBI director Christopher A. Wray.

Most of the devices infected with the KV botnet malware were Cisco and NetGear routers that have reached end-of-life, meaning that the vendors stopped providing patches and software updates.

The FBI operation

“The court-authorized operation deleted the KV botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the US Department of Justice (DOJ) said in a press release published on Wednesday.

The operation, which took place in December 2023, did not affect the operability of the hacked routers, nor did it collect stored information.

“The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the DOJ explained.

“A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.”

The FBI has contacted some of the owners or operators of the SOHO routers that were infected with the KV Botnet malware to let them know about the actions taken. Others will be contacted by their internet service provider.

The larger picture

Also on Wednesday, the Select Committee on the Chinese Communist Party held a hearing on the cyber threats posed by the PRC to US security in times of conflict.

CISA Director Jen Easterly outlined how a PRC cyberattack leveraging this or similar botnets induce societal panic, by disrupting oil pipelines, downing telecommunications, derailing trains, causing potable water pollution, and so on.

“This is an attempt to provide the Chinese options in a conflict,” U.S. Cyber Command Commander General Paul Nakasone commented on CCP cyber intrusions. “This is not an episodic threat that we are going to face. This is persistent. (…) We have to have offensive and defensive capabilities.”

Botnet disruption

This is not the first time government agencies have carried out an operation to disrupt botnets.

In April 2022, for example, the FBI took down the Cyclops Blink botnet, believed to be operated by Russia-sponsored hackers.

A more recent operation took place in August 2023, when law enforcement agencies from several countries disrupted the Qakbot botnet by forcing bots to download an FBI-created module that disrupted their C&C communications and an additional program to uninstall the Qakbot malware.