Security News > 2024 > January > FBI disrupts Chinese botnet by wiping malware from infected routers
The FBI has disrupted the KV Botnet used by Chinese Volt Typhoon state hackers to evade detection during attacks targeting U.S. critical infrastructure.
Devices compromised and added to this botnet included Netgear ProSAFE, Cisco RV320s, and DrayTek Vigor routers, as well as Axis IP cameras, according to Lumen Technologies' Black Lotus Labs team, who first linked the malware to the Chinese threat group in December.
"The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors-steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," said FBI Director Christopher Wray.
Once in, FBI agents sent commands to the compromised devices to cut them off from the botnet and prevent the Chinese hackers from reconnecting them to the malicious network.
"The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," a Justice Department press release explains.
"The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet."
News URL
Related news
- Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft (source)
- Volt Typhoon rebuilds malware botnet following FBI disruption (source)
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions (source)
- AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services (source)
- Botnet exploits GeoVision zero-day to install Mirai malware (source)
- Chinese hackers target Linux with new WolfsBane malware (source)