FBI Director Christopher Wray
FBI Director Christopher Wray testifies Jan. 31, 2024, before the House Select Committee on China. Image: YouTube

US confirms takedown of China-run botnet targeting home and office routers

The U.S. Justice Department confirmed on Wednesday that it disrupted a botnet run by a prolific Chinese government hacking operation known as Volt Typhoon.

News of the botnet takedown first emerged on Tuesday, when Reuters reported that the Justice Department and FBI got legal authorization from a U.S. court to remotely disable the tools implanted by Chinese government hackers in recent months. The Justice Department said it obtained a court order in December.

In a statement on Wednesday, the DOJ said Volt Typhoon had made a point of infecting privately owned home and office routers with the “KV Botnet” malware as a method of concealing other hacking activities conducted by the group — including the targeting of critical infrastructure.

“Working with our partners, the FBI ran a court authorized network operation to shut down Volt Typhoon and the access it enabled,” FBI Director Christopher Wray testified on Wednesday before the House Select Committee on China.

“This operation was an important step but there's a whole lot more to do and we need your help to do it.”

The DOJ tied the takedown to several advisories released by U.S. agencies and private sector cybersecurity firms throughout 2023 — when reports of concern about destructive, offensive Chinese government hacking campaigns in the U.S. first emerged.

In May 2023, Microsoft first reported Volt Typhoon campaigns targeting U.S. critical infrastructure in Guam, Hawaii and other areas surrounding U.S. military bases. Two weeks ago, another security company warned that Volt Typhoon, which overlaps with BRONZE SILHOETTE and TAG-87, was going after end-of-life Cisco routers and network devices in the U.S., U.K. and Australia as part of a larger campaign exploiting vulnerabilities from 2019.

“The Justice Department has disrupted a [China]-backed hacking group that attempted to target America’s critical infrastructure utilizing a botnet,” Attorney General Merrick Garland said on Wednesday. “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people.”

The New York Times and Washington Post reported last summer that U.S. officials believed the campaign to be tied to preparatory efforts around a potential invasion of Taiwan, where Chinese officials would allegedly seek to slow down the U.S. deployment of forces.

Wray said in a statement on Wednesday that Chinese hackers are “targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict.”

“Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate,” Wray said.

“We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”

Wray said during the House hearing on Wednesday that the targeted routers were “very outdated, which made them easy targets for the Chinese government.”

The hackers, in turn, were utilizing them to “hide and obfuscate their role in the hacking of our critical infrastructure. And so that's why the point that was made about making sure that we're not creating an easier attack surface for them is so important.”

KV targets Cisco and Netgear

The DOJ said the KV Botnet campaign mostly targeted routers made by Cisco and NetGear — two of the most popular brands of routers sold to every-day consumers.

The Volt Typhoon hackers specifically targeted routers that had reached “end of life” status because they were no longer supported by their manufacturers — making them rife with unfixable vulnerabilities.

The December court order allowed DOJ and FBI officials to delete the KV Botnet malware from the routers and to sever their connection to the botnet. As a result of their actions, the infected router could no longer communicate with other devices controlling the botnet.

Appearing alongside Wray, CISA chief Jen Easterly testified that Chinese hackers are able to “live within a computer’s operating system” in a way that makes them difficult to identify.

“They’ve elevated their ability to act like a system administrator so you really can’t tell that’s a Chinese actor,” she told lawmakers.

The leaders of the House panel applauded the FBI’s action.

“Thank you for your proactive action with regard to disrupting remotely disabling this Volt Typhoon campaign,” Rep. Raja Krishnamoorthi (IL), the committee’s top Democrat, told Wray.

Speaking to reporters after the hearing, panel Chairman Mike Gallagher (R-WI) said he expects DOJ and FBI to go after malicious actors.

“We need to be aggressive,” he said.

The DOJ did not respond to requests for comment about how many routers were compromised as part of the botnet.

Other officials said the operation was intended to disrupt efforts of state-sponsored hackers to gain access to U.S. critical infrastructure that China would be able to leverage during a future crisis,

The FBI urged Americans to replace routers after their end-of-life expiration to “protect both their personal cyber security and the digital safety of the United States.”

In court documents, the Justice Department and FBI said it tested the operation out on Cisco and NetGear routers, making sure not to affect the legitimate functions of the tools. They noted that the steps taken to remove the routers from the botnet are temporary and can be reversed by owners by simply restarting the router.

Restarting the router without applying mitigation steps will “make the router vulnerable to reinfection,” they said.

The FBI said it has notified every infected router owner about the operation or notified the victim’s internet service provider if contact information is not available.

Notice of the operation came as the Cybersecurity and Infrastructure Security Agency (CISA) released an alert targeted at router manufacturers, urging them to adopt secure-by-design principles when designing routers.

The Chinese government denied any involvement in the campaign in comments to Reuters, arguing that it has “been categorical in opposing hacking attacks and the abuse of information technology,"

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Martin Matishak

Martin Matishak

is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.