Security News > 2024 > January > FBI disrupts Chinese botnet by wiping malware from infected routers

FBI disrupts Chinese botnet by wiping malware from infected routers
2024-01-31 17:43

The FBI has disrupted the KV Botnet used by Chinese Volt Typhoon state hackers to evade detection during attacks targeting U.S. critical infrastructure.

Devices compromised and added to this botnet included Netgear ProSAFE, Cisco RV320s, and DrayTek Vigor routers, as well as Axis IP cameras, according to Lumen Technologies' Black Lotus Labs team, who first linked the malware to the Chinese threat group in December.

"The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors-steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," said FBI Director Christopher Wray.

Once in, FBI agents sent commands to the compromised devices to cut them off from the botnet and prevent the Chinese hackers from reconnecting them to the malicious network.

"The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," a Justice Department press release explains.

"The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet."

News URL