In a court-authorised operation in December 2023, US authorities disrupted the KV botnet, a network of hundreds of compromised small office/home office (SOHO) routers based in the United States. The botnet was part of the extensive cyber campaign run by the Chinese state-sponsored hacking group Volt Typhoon.
The campaign targeted critical infrastructure organisations in the US and other countries. In May 2023, the FBI, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), together with partner agencies from Canada, Australia, New Zealand and the United Kingdom, released a joint advisory on the group's activity.
The FBI applied for a search warrant on January 9 to “identify a list of US-based routers infected with the malware.”
The affidavit also stated that the agency believes the hackers modified data on each router and repurposed its existing functionality (including memory and network ports) for their own ends, then used the infected routers to commit further computer crimes.
The operation removed the KV botnet malware from infected routers, predominantly Cisco and Netgear devices. These routers were vulnerable because they no longer received manufacturer support, leaving them without security patches and software updates. The operation also severed the routers' connection to the botnet, such as by blocking communications with other devices used to control the malicious network.

“In wiping out the KV Botnet from hundreds of routers nationwide, the Department of Justice is using all its tools to disrupt national security threats – in real-time,” said Deputy Attorney General Lisa O. Monaco.
While the court-authorised operation did not impact the legitimate functions of the compromised routers, its protection against reinfection is only temporary. The router owners themselves must follow the remediation steps identified by the agencies to prevent future compromise.
The specific routers were selected because they have reached end-of-life, meaning the manufacturers no longer release patches or software updates.
The FBI is notifying owners and operators of SOHO routers affected by the KV botnet, asking them to replace vulnerable routers and report any further compromises to the FBI’s Internet Crime Complaint Center.
In August 2023, Chinese state-sponsored threat actor Flax Typhoon was accused of targeting Taiwan.
