Chinese Threats Raised Alarm on Critical Infrastructure Hacks

A U.S. law enforcement operation in December dismantled a botnet of hundreds of routers controlled by Chinese state-sponsored actors. The activity behind the botnet has heightened concern that China is positioning itself to carry out destructive cyber attacks against U.S. critical infrastructure.

The Department of Justice (DOJ) revealed that the Chinese state-sponsored group known as Volt Typhoon had infected hundreds of privately owned small office/home office (SOHO) routers in the United States with botnet malware. The compromised routers served as relays that disguised the origin of follow-on intrusions against U.S. and other foreign victims, primarily entities in the critical infrastructure sector.

The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever them from the botnet. The DOJ said the devices involved were primarily end-of-life Cisco and Netgear routers that no longer receive security updates. Because such devices cannot be patched, removing the malware does not make them safe to keep online; owners of end-of-life routers should replace them rather than rely on the cleanup.

The takedown was led by the FBI Houston Field Office and Cyber Division, U.S. Attorney’s Office for the Southern District of Texas, and the National Security Cyber Section of the Justice Department’s National Security Division.

The disruption was first reported by Reuters. U.S. agencies have tracked Volt Typhoon's activity since mid-2021, and Microsoft previously warned that the group was targeting critical infrastructure organizations in Guam and the U.S., assessing that its goal may be to develop capabilities that could disrupt critical communications infrastructure between the U.S. and Asia during a future crisis.

Following the KV Botnet takedown, CISA Director Jen Easterly testified about the threat posed by Chinese cyber activity before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party. She warned that Chinese cyber actors are burrowing deep into U.S. critical infrastructure so that they can launch destructive cyber attacks in the event of a major crisis or conflict with the United States.

FBI Director Christopher Wray made similar remarks, highlighting the enormous risk that Chinese hacking operations pose to U.S. civilian critical infrastructure: the reconnaissance and network exploitation observed today are preparation for the potential destruction or degradation of that infrastructure later.

Back in May, CISA published a cybersecurity advisory providing technical insights into Volt Typhoon's tradecraft. It has also offered a resource guide with secure design recommendations for SOHO router manufacturers, urging them to change default configurations so that automatic updates are enabled out of the box and security settings can only be weakened through a deliberate manual override.

Despite these concerns, Sandra Joyce, vice president of Mandiant Intelligence at Google Cloud, expressed confidence in the fight against Volt Typhoon, saying defenders are adapting to improve intelligence collection and to thwart the actor.

In a statement shared with TechTarget Editorial, Joyce said: "we see them coming, we know how to identify them, and most importantly, we know how to harden the networks they are targeting."

TechTarget Editorial has reached out to the FBI for additional comment; details about the outcome of the operation are still emerging.
