US: China’s Hackers Hijack Small Routers to Reach Big Targets

News

The United States announced the disruption of a botnet made of hundreds of U.S.-based small office or home office (SOHO) routers that were hijacked by state-sponsored hackers from the People’s Republic of China (PRC) in order to be used to attack U.S. infrastructure.

February 2, 2024

“The hackers, known to the private sector as ‘Volt Typhoon,’ used privately-owned SOHO routers infected with the ‘KV Botnet’ malware to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims,” the U.S. Department of Justice said Wednesday in a statement.

Attorney General Merrick B. Garland stressed that the Justice Department has thwarted a China-supported hacking group that sought to target “America's critical infrastructure” using a botnet.

That campaign had been the focus of a joint advisory issued in May 2023 by the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and international partners, according to the statement.

The Justice Department explained that the majority of routers in the KV Botnet were Cisco and NetGear routers, which were vulnerable due to reaching the ‘end-of-life’ status – meaning that they were no longer supported with security patches or other software updates from their manufacturers.

The operation authorized by the court involved removing the KV Botnet malware from the routers and disconnecting them by blocking communications with other devices responsible for controlling the botnet.

The statement referred to court documents, stating that the government extensively tested the operation on the relevant Cisco and NetGear routers without affecting their legitimate functions or collecting content information from the compromised routers.

However, authorities cautioned that the remediated routers remain susceptible to future attacks by Volt Typhoon and other hackers. They strongly recommended that owners of end-of-life SOHO routers in their networks replace them.

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray.

He emphasized that the Volt Typhoon malware allowed China to conceal its activities while targeting the U.S. communications, energy, transportation, and water sectors.

“Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans,” said Wray.

The 2023 Annual Threat Assessment of the U.S. Intelligence Community cautioned that China likely poses the most extensive, active, and enduring cyber espionage threat to both U.S. government and private-sector networks.

The report emphasized that China’s cyber activities and the export of related technologies by its industry heighten the risks of aggressive cyber operations against the U.S. homeland.

“China almost certainly is capable of launching cyber attacks that could disrupt critical infrastructure services within the U.S., including against oil and gas pipelines, and rail systems,” warned the document.

The FBI’s investigation into Volt Typhoon’s computer intrusion activity continues, as indicated by the Justice Department.