Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov't Entities

Researchers have discovered an Internet of Things (IoT) botnet linked with attacks against multiple US government and communications organizations.

The "KV-Botnet," revealed in a report from Lumen's Black Lotus Labs, is designed to infect small-office home-office (SOHO) network devices developed by at least four different vendors. It comes built with a series of stealth mechanisms and the ability to spread further into local area networks (LANs).

One notable subscriber is the Volt Typhoon advanced persistent threat (aka Bronze Silhouette), the headline-grabbing Chinese state-aligned threat actor known for attacks against US critical infrastructure. The platform appears to have been involved in previously reported Volt Typhoon campaigns against two telecommunications firms, an Internet service provider (ISP), and a US government organization based in Guam. It only represents a portion of Volt Typhoon's infrastructure, though, and there are almost certainly other threat actors also using it.

Inside the KV-Botnet

Since at least February 2022, KV-Botnet has primarily infected SOHO routers including the Cisco RV320, DrayTek Vigor, and Netgear ProSafe product lines. As of mid-November, it expanded to exploit IP cameras developed by Axis Communications.

Administered from IP addresses located in China, the botnet can be broadly split into two groups: the "KY" cluster, involving manual attacks against high-value targets, and the "JDY" cluster, involving broader targeting and less sophisticated techniques.

Most KV-Botnet infections so far appear to fall into the latter cluster. With that said, the botnet has brushed up against a number of previously undisclosed high-profile organizations, including a judicial institution, a satellite network provider, and military entities from the US, as well as a renewable energy company based in Europe.

The program is perhaps most notable for its advanced, layered stealth. It resides completely in memory (although, on the flip side, this means it can be booted with a simple device restart). It checks for and terminates a series of processes and security tools running on the infected device, runs under the name of a random file already on the device, and generates random ports for command-and-control (C2) communication, all in an effort to avoid detection.

Its best stealth perks, though, are inherent to the devices it infects in the first place.

The Benefit of a SOHO Botnet

While outing the group in May, Microsoft researchers made note of how Volt Typhoon proxied all of its malicious traffic through SOHO network edge devices — firewalls, routers, VPN hardware. One reason might be the fact that residential devices are particularly useful for concealing malicious traffic, explains Jasson Casey, CEO of Beyond Identity.

"Most of the Internet that is dedicated to infrastructure providers (AT&T, Amazon AWS, Microsoft, etc.) and enterprises is well known and registered," he says. "Given this, it's expected that most traffic should originate from a residential address, not an infrastructure or enterprise address. Because of this, many security tools will flag traffic as suspicious if it does not originate from a residential IP address."

Beyond that, he adds, "residential equipment represents a relatively risk-free asset to operate from since it's often not configured securely (e.g., not changing the default password) or regularly updated, which makes it easier to compromise. Additionally, home administrators almost never monitor their equipment, or could even understand what compromise looks like."

The relatively high bandwidth of SOHO equipment, compared with their typical workload, means that even a malicious botnet creates little impact observable by the average user. The Lumen researchers noted a number of other benefits, too, like the high ratio of end-of-life devices still operating in a vulnerable state every day, and how such devices allow attackers to bypass geofencing restrictions.

No functions within the KV-Botnet binary are designed to cause further infections in targets' broader local area networks (LANs). However, the researchers noted, the botnet enables attackers to deploy a reverse shell to infected devices, paving the way for arbitrary commands and code execution, or retrieving further malware for attacking the LAN.

"Given these devices are easier to compromise, harder to filter against, and less likely to get monitored or investigated, they represent a prime asset to operate from as a threat actor," Casey concludes.