U.S. Federal Authorities Disable China-Linked “KV-Botnet” Aimed at SOHO Routers

The U.S. government announced on Wednesday that it has taken significant action to disrupt a botnet composed of hundreds of small office and home office (SOHO) routers based in the United States. This botnet, referred to as the KV-botnet, is linked to Volt Typhoon, a state-sponsored threat actor associated with China. The government’s efforts aim to mitigate the potential impact of an ongoing hacking campaign attributed to this group.

The KV-botnet came to light following a disclosure from Lumen Technologies’ Black Lotus Labs in mid-December 2023, a situation subsequently reported by Reuters. The botnet primarily includes Cisco and NetGear routers that have reached their ‘end of life’ status, meaning they no longer receive security updates from the manufacturers. The botnet exploits this lack of vendor support: because the devices are no longer patched, they remain susceptible to compromise.

Volt Typhoon, also known by several aliases such as DEV-0391 and Bronze Silhouette, has been implicated in cyber operations targeting critical infrastructure sectors in both the United States and Guam. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the extent of these attacks, indicating that such cyber actors are infiltrating essential systems to prepare for possible destructive cyber operations in times of crisis.

This cyber espionage group, which has been active since 2021, utilizes a variety of legitimate tools and techniques to remain undetected while prolonging its presence within victim environments. Their operations are often designed to blend seamlessly into normal network activity, leveraging compromised SOHO devices, including routers and firewalls. The KV-botnet serves as a clandestine communication channel for advanced persistent threat actors, indicating potential collaboration among different hacking groups, including Volt Typhoon.

A recent report from SecurityScorecard revealed that the KV-botnet compromised approximately 30% of end-of-life Cisco RV320 and RV325 routers over a span of just 37 days. The botnet operators are believed to significantly contribute their resources to other threat actors, enhancing their operational capabilities. Moreover, the KV-botnet has the capacity to install virtual private network (VPN) modules on the infected routers, establishing encrypted communication channels that further conceal their activities.

In an effort to dismantle this botnet, the FBI executed a court-authorized operation that involved issuing remote commands to the targeted routers, effectively erasing the malicious KV-botnet payload and blocking re-infection for the time being. This initiative included notifying affected users directly or, when contact details were unavailable, through their Internet service providers. However, officials cautioned that the measures taken are temporary, meaning that merely rebooting these devices could expose them to re-infection.

FBI Director Christopher Wray underscored the gravity of the situation, noting that the Volt Typhoon malware facilitated the stealthy reconnaissance of critical infrastructure, including the communications and energy sectors. In response to these allegations, the Chinese government has denied any involvement in cyberattacks, labeling the accusations part of an “information warfare” strategy.

In conjunction with these developments, CISA issued new recommendations urging SOHO device manufacturers to implement a security-by-design approach, thereby transferring the onus of security away from users. By addressing exploitable vulnerabilities in router management interfaces and enhancing device security defaults, manufacturers can better protect against such threats.

The exploitation of routers and other edge devices by advanced persistent threat entities underscores a growing cybersecurity challenge in which legacy equipment, often lacking necessary security patches and capabilities, remains in use. This situation exemplifies the critical need for robust security controls in product development, particularly given the current threat landscape, as emphasized by CISA.

This incident highlights a significant cybersecurity risk for U.S. businesses and emphasizes the importance of proactive measures to secure network infrastructures against similar threats. The use of tactics such as initial access through compromised devices and the exploitation of known vulnerabilities closely aligns with the MITRE ATT&CK framework, particularly in relation to persistent threat operations.