Last Wednesday, the U.S. government said it had taken urgent action to disrupt a botnet made up of hundreds of U.S.-based small office and home office (SOHO) routers. The concern is that the botnet had been hijacked by Volt Typhoon, a China-linked state-sponsored threat actor, as part of a Chinese hacking campaign.
The Black Lotus Labs team at Lumen Technologies first disclosed the existence of the KV-botnet in mid-December 2023. Reuters reported the details of the law enforcement operation earlier this week.
In a press statement, the Department of Justice (DoJ) said that “Almost all of the routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates.”
Volt Typhoon, also tracked as DEV-0391, Bronze Silhouette, Insidious Taurus, and Vanguard Panda, is the moniker assigned to a China-based adversarial collective that has been attributed with cyber attacks targeting critical infrastructure sectors in the United States and Guam.
CISA Director Jen Easterly has noted that “Chinese cyber actors, involving a group known as ‘Volt Typhoon,’ are burrowing deep into our critical infrastructure to be ready to launch hazardous cyber attacks during the major crisis or conflict with the United States.”
The cyber espionage group is believed to have been active since 2021. It is known for its reliance on legitimate tools and living-off-the-land (LOTL) techniques, all aimed at flying under the radar and persisting within victim environments for extended periods in order to collect confidential information.
A key aspect of the group’s modus operandi is its effort to blend into normal network activity. To do so, it routes traffic through SOHO network equipment, including routers, firewalls, and VPN hardware, with the main purpose of concealing its origins.
The KV-botnet serves exactly this purpose. It hijacks devices from Cisco, DrayTek, Fortinet, and NETGEAR to build a covert data transfer network reserved for advanced persistent threat actors. The botnet operators are therefore believed to offer their services to a few other Chinese hacking outfits, including Volt Typhoon.
A January 2024 report from cybersecurity firm SecurityScorecard shed further light on the operation: it attributed to the botnet the compromise of 30% (325 of 1,116) of end-of-life Cisco RV320/325 routers over a 37-day period, from December 1, 2023, to January 7, 2024.
In the words of Lumen Black Lotus Labs, “Volt Typhoon is at least one user of the KV-botnet and […] this botnet encompasses a subset of their operational infrastructure and has been active since at least February 2022.”
Notably, the botnet is designed to download a VPN module to the compromised routers, which sets up a dedicated encrypted communication channel. This gives the operators control over the botnet and lets them use it as an intermediary relay node to achieve their operational objectives.
As per the U.S. Federal Bureau of Investigation’s affidavits, “One of the main functions of the KV-botnet is to transmit encrypted traffic between the infected SOHO routers, permitting the hackers to anonymize their activities (i.e., the hackers appear to be operating from the SOHO routers, versus their actual computers in China).”
To disrupt the botnet, the FBI remotely issued commands to the targeted routers in the United States using the malware’s own communication protocols, which allowed it not only to delete the KV-botnet payload but also to prevent the devices from being re-infected. According to the FBI, all victims of the operation are being identified and will be contacted in one of two ways: directly, or through their service provider where that information is unavailable.
The DoJ later added that “The court-authorized operation removed the KV-botnet malware from the routers and took additional steps to separate their connection to the botnet, involving blocking communications with other devices.”
In these circumstances, it is crucial to point out that preventive measures remain necessary for several purposes, namely removing the routers from the botnet and rebooting them so that the remediation lasts. In the simplest terms, restarting the devices is what prevents their susceptibility to re-infection.
As per the opinion of FBI Director Christopher Wray, “The Volt Typhoon malware enabled China to conceal, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors – steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that ensures your safety and prosperity.”
In a statement later shared with a press agency, the Chinese government denied any involvement in the attacks, with officials dismissing the allegations as a “disinformation campaign.” They added that China opposes hacking attacks and does not abuse information technology.
In the meantime, new guidance published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urges manufacturers of SOHO devices to embrace a secure-by-design approach during development, shifting some of the burden away from customers.
Specifically, manufacturers are recommended to eliminate exploitable defects in SOHO routers, modify default device configurations, and support automatic update capabilities, requiring a manual override to remove security settings.
The recent persistent attacks by Russia and China on edge devices highlight an emerging problem with legacy devices: they receive no security patches and do not support endpoint detection and response (EDR) solutions.
Lastly, in the words of CISA, “The products that lack suitable security controls are unacceptable. This case exemplifies how a lack of secure design practices can lead to real-world harm both to customers and, in this case, critical infrastructure of our nation.”