Chinese hackers fail to rebuild botnet after FBI takedown

Chinese hackers fail to rebuild botnet after FBI takedown

February 7, 2024 at 10:27AM

Chinese Volt Typhoon hackers failed to revive a botnet previously used in U.S. infrastructure attacks, taken down by the FBI. After dismantling, FBI control prevented re-hijacking attempts, while Black Lotus Labs’ null-routing thwarted revival efforts. The hackers’ past breach targets included U.S. military organizations, telcos, and a European energy firm. CISA and the FBI advised SOHO router security against ongoing threats.

Based on the meeting notes, the key takeaways are:

1. The Volt Typhoon state hackers attempted to revive a botnet previously taken down by the FBI. The botnet was used in attacks targeting critical infrastructure across the United States, and the hackers utilized compromised small office/home offices (SOHO) to evade detection before the botnet’s takedown.

2. Following the FBI’s court-authorized dismantling of the botnet, the Volt Typhoon threat group attempted to rebuild it by hijacking vulnerable devices, such as Netgear ProSAFE routers, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.

3. Lumen Technologies’ Black Lotus Labs team reported a large-scale attack on 3,045 devices, including NetGear ProSAFE routers, with 630 devices being infected. The threat actors made concentrated efforts to re-establish their command and control structure and re-exploit devices.

4. Despite the efforts, Black Lotus Labs thwarted the hackers’ attempts to revive the botnet by null-routing the attacker’s entire command-and-control and payload server fleet, indicating that the botnet is no longer effectively active.

5. The Volt Typhoon threat group has been breaching U.S. critical infrastructure since at least mid-2021 and has targeted organizations including U.S. military organizations, telecommunication and internet service providers, as well as a European renewable energy firm.

6. CISA and the FBI have urged SOHO router manufacturers to ensure their devices are secure against Volt Typhoon’s ongoing attacks by using secure configuration defaults and eliminating web management interface flaws during development.

These takeaways provide a comprehensive understanding of the recent activities and responses related to the Volt Typhoon threat group and the KV-botnet.

Full Article