FBI shuts down Volt Typhoon botnet

The FBI has blocked a large scale hack by China’s Volt Typhoon group. The attack, comprising hundreds of hacked routers, was an attempt to inflict wide-ranging damage to US cyber infrastructure facilities, and was confirmed Christopher Wray, the FBI director on Wednesday.

The attackers found easy pickings in US-based small office/home office routers which allowed China’s government access to US data. Wray highlighted that the outdated Cisco and NetGear routers were “easy target” for the invaders.

Wray said in a statement, “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors.”

The FBI infiltrated the attack and gathered important data before remotely removing the KV Botnet, according to the four warrants filed by the FBI in the Southern District Court of Texas, details of which have been recently released.

Agents gathered IP address and port numbers used by infected routers to connect with other nodes, alongside IP addresses and ports used by each node’s parent and data on the command and control nodes. According to the FBI, attackers installed VPNs to poorly secured routers and used these to control the botnet and hide their activities.

The court documents state, “A router that is not infected by the KV Botnet malware would not receive or respond to this command.”

Microsoft warned of the threat in May 2023 along with foreign agency partners in the Five Eyes group of nations, and stated that the group had been active since 2021 and was targeting US cyber infrastructure. A joint advisory was issued with a list of measures that companies could take to defend themselves against compromise by Volt Typhoon.  

The US Cybersecurity Agency and FBI issued another alert yesterday urging manufacturers to eliminate exploitable defects in SOHO router web management interfaces and adjust default device configuations to make these devices a harder target to compromise.