The FBI hindered the operations of the Chinese hacker gang Volt Typhoon yesterday. The U.S. security agency removed proactively these hackers’ KV Botnet malware on hundreds of Small business and Home Office (SOHO) routers. Potential future new infections were also prevented.
According to the FBI, the KV Botnet-infected routers of SMBs and SOHOs were mainly used by Chinese hackers to carry out attacks on critical infrastructure. The hackers had turned the affected devices into a large botnet with the malware. The botnet would include routers from Cisco and NETGEAR, among others. The security service indicated in its statement that the technique used was tested on SOHO routers from specifically these two manufacturers.
VPN module abuse
The KV Botnet, a VPN module, encrypts the traffic between the hackers and the affected devices. In this way, these could be used by hacker collective Volt Typhoon to connect to critical network environments in the US.
The hackers could then send the (malicious) traffic as coming from U.S.-based IP addresses and, therefore, be considered more reliable for the affected infrastructure environments than, for example, Chinese IP addresses.
Infected routers taken over by FBI
The FBI’s action was well prepared, in part by a subpoena from a U.S. judge. This subpoena allowed the security service to take over the compromised routers in question with a remote command to stop the KV Botnet.
In doing so, the command was also to cause the “target device” to stop operating as a VPN node, preventing hackers from gaining access through a VPN tunnel. The operation of the affected device would not be affected by this action not even when legitimate VPN services would be used.
The technology used here is likely a so-called loop-back mechanism. This prevents the devices from communicating with potential hackers. However, the FBI does indicate that rebooting the affected routers may cause them to become vulnerable again.
Preventing new attacks
According to the FBI, the proactive action will free hundreds of SOHO routers of infection. The exact number of the involved routers is not given. The FBI has now informed the ISPs of customers with routers that were part of the operation. These ISPs have yet to notify the affected end customers of the earlier infection of their routers.
This is not the first time the FBI has taken proactive action against hackers. A similar action has already been taken on Exchange servers in 2021. Among other things, to crack down on Chinese state-sponsored hacker gangs like Hafnium.
Also read: Hackers can expand Mirai botnet by at least 7,000 devices