China’s Volt Typhoon attackers used “hundreds” of outdated Cisco and NetGear routers infected with malware in an attempt to break into US critical infrastructure facilities, according to the Justice Department.
On Tuesday news broke that the Feds had blocked the malicious network that was set up on end-of-life, US-based small office/home office routers. Now more details have come out about how an FBI team infiltrated the attack and harvested the key data before remotely wiping the KV Botnet, according to four warrants (5018, 5530, 5451 and 5432) filed by the FBI in the Southern District Court of Texas last month and released today.
“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” FBI Director Christopher Wray said in a statement. “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors.”
The Feds claim the Middle Kingdom keyboard warriors downloaded a virtual private network module to the vulnerable routers and set up an encrypted communication channel to control the botnet and hide their illegal activities. Specifically: Volt Typhoon used the US-based routers and IP addresses to target US critical infrastructure, we’re told.
The warrants allowed law enforcement to remotely install software on the routers to search for, and then seize or copy, information about the illicit activity before wiping the malware from the compromised devices.
To do this — and to limit the cops’ search to routers infected with the botnet — the FBI sent specific KV Botnet commands to compromised routers to collect “non-content information about those nodes,” according to the warrants.
This includes the IP address, port numbers used by infected routers to communicate with other nodes, as well as IP addresses and ports used by each node’s parent, and data on the command-and-control nodes.
“A router that is not infected by the KV Botnet malware would not receive or respond to this command,” court documents claim.
The Feds, along with foreign agency partners in Five Eyes nations, first warned about this threat in May 2023.
Also today, the US Cybersecurity Agency and FBI issued an alert urging manufacturers to eliminate defects in SOHO router web management interfaces. This, according to the agencies, includes automating update capabilities, locating the web management interface on LAN-side ports, and requiring a manual override to remove security settings. ®
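As a concrete illustration of the "web management interface on LAN-side ports only" recommendation, here is an added nftables ruleset (not taken from the article, the agencies' alert, or any vendor firmware). The interface names wan0 and br-lan, the management ports 80/443, and the log prefix are assumptions; the weak rule is left in as a comment beside the corrected one so the difference is visible.

```nft
# Constructed example ruleset for a Linux-based SOHO router.
# Assumed names: wan0 = ISP-facing interface, br-lan = LAN bridge,
# TCP 80/443 = the router's own web management interface.
table inet mgmt {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and replies to connections the router itself started.
        iifname "lo" accept
        ct state established,related accept

        # Weak setting (do not ship): accepts management from any interface,
        # which exposes the web UI to the internet.
        # tcp dport { 80, 443 } accept

        # Corrected setting: the web management interface answers only on the LAN side.
        iifname "br-lan" tcp dport { 80, 443 } accept

        # Management attempts arriving on the WAN interface are logged and dropped,
        # giving the operator a detection signal as well as a block.
        iifname "wan0" tcp dport { 80, 443 } log prefix "mgmt-from-wan: " drop
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`; the log prefix makes WAN-side probes of the management ports show up in the kernel log, which is the sort of event an operator of an end-of-life device would want to see before deciding whether to keep it on the network at all.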