Feds Confirm Remote Killing of Volt Typhoon's SOHO Botnet

The China-backed APT was using the botnet, made up of mostly end-of-life, patchless routers from Cisco and Netgear, to set up shop inside US critical infrastructure.

Businessman in dark suit and red tie holding sharp knife. Stylish Assassin and Horror Film Killer.
Source: Jeremy Walter via Alamy Stock Photo

US law enforcement has disrupted the infrastructure of the notorious China-sponsored cyberattack group known as Volt Typhoon.

The advanced persistent threat (APT), which FBI Director Christopher Wray said this week is "the defining cyber-threat of this era," is known for managing a sprawling botnet created by compromising poorly protected small office/home office (SOHO) routers. The state-backed group uses it as a launchpad for other attacks, particularly on US critical infrastructure, because the botnet’s distributed nature makes the activity hard to trace.

After the Volt Typhoon takedown was reported by Reuters earlier this week, US officials confirmed the enforcement action late yesterday. The FBI mimicked the attacker’s command-and-control (C2) network to send a remote kill switch to routers infected by the “KV Botnet” malware used by the group, it announced.

“The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” according to the FBI’s statement.

It added that "the vast majority of routers that comprised the KV Botnet were Cisco and Netgear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer’s security patches or other software updates."

While silently reaching into the edge gear owned by hundreds of small businesses might seem alarming, the Feds stressed that it accessed no information and affected no legitimate functions of the routers. And, router owners can clear the mitigations by restarting the devices — though this would make them susceptible to reinfection.

Volt Typhoon's Industrial Rampage Will Continue

Volt Typhoon (aka Bronze Silhouette and Vanguard Panda) is part of a broader Chinese effort to infiltrate utilities, energy-sector companies, military bases, telecom companies, and industrial sites in order to plant foothold malware, in preparation for disruptive and destructive attacks down the line. The goal is to be in position to damage the US ability to respond in the event a kinetic war kicks off over Taiwan or trade issues in the South China Sea, Wray and other officials warned this week.

It's a growing departure from China’s usual hack-and-spy operations. "Cyber warfare focusing on critical services such as utilities and water indicate a different endgame [than cyber espionage]," says Austin Berglas, global head of professional services at BlueVoyant and a former FBI cyber division special agent. "No longer is the focus on advantage, but on damage and strongholds."

Given that router restarts open the devices to reinfection, and the fact that Volt Typhoon certainly has other ways to launch stealthy attacks against its critical infrastructure quarry, the legal action is bound to be a only temporary disruption for the APT — a fact that even the FBI acknowledged in its statement.

"The actions by the US government have likely significantly disrupted Volt Typhoon's infrastructure, but the attackers themselves remain free," Toby Lewis, global head of threat analysis at Darktrace, said via email. “Targeting infrastructure and dismantling attacker capabilities usually leads to a period of quiet from the actors where they rebuild and retool, which we're probably going to see now."

Even so, the good news is that the US is "onto" China’s strategy and tactics now, says Sandra Joyce, vice president of Mandiant Intelligence — Google Cloud, which worked with the Feds on the disruption. She says that in addition to using a distributed botnet to constantly shift the source of their activity to stay under the radar, Volt Typhoon also reduces the signatures that defenders use to hunt them across networks, and they avoid the use of any binaries that might stand out as indicators of compromise (IoCs).  

Still, "activity like this is extremely challenging to track, but not impossible," Joyce says. "Volt Typhoon’s purpose was to dig in quietly for a contingency without drawing attention to itself. Fortunately, Volt Typhoon has not gone unnoticed, and even though the hunt is challenging, we are already adapting to improve collecting intelligence and thwart this actor. We see them coming, we know how to identify them, and most importantly we know how to harden the networks they are targeting."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights