January 31, 2024 at 12:50PM
The FBI disrupted the KV Botnet, used by Chinese state hackers to target U.S. critical infrastructure, by hijacking small home office devices, including routers and IP cameras. This enabled the hackers to evade detection and launch attacks. The FBI’s operation, authorized by a court order, cut off the compromised devices from the botnet and prevented further malicious activity. Vendors are urged to secure SOHO routers against ongoing attacks.
From the meeting notes, it is clear that the FBI has successfully disrupted the KV Botnet used by Chinese hacker group, Volt Typhoon, to target U.S. critical infrastructure. This botnet was used to hijack small office/home office devices across the United States in order to conduct malicious activities that blend within legitimate network traffic, thus evading detection.
The compromised devices included Netgear ProSAFE, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras. The FBI, in cooperation with partners, conducted an on-network operation authorized by a court order to shut down the botnet and prevent further malicious activity. This operation involved sending commands to the compromised devices to cut them off from the botnet and uninstalling the botnet VPN component.
It is also noted that the vast majority of compromised routers were Cisco and NetGear models that had reached ‘end of life’ status, making them vulnerable due to lack of manufacturer support and security patches.
Additionally, the FBI and CISA have urged SOHO router manufacturers to secure their devices against ongoing attacks, and recommended implementing security measures such as automating security updates and improving access controls.
The report also mentioned that the Volt Typhoon hackers have been targeting and breaching U.S. critical infrastructure organizations since mid-2021 and using the KV Botnet in attacks against a variety of organizations, including U.S. military, telecommunication and internet service providers, and a European renewable energy firm.
Reuters has reported the U.S. government’s successful disruption of the KV Botnet operation.