Office of Public Affairs | U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure


A court-authorized operation in December 2023 disrupted a botnet of hundreds of US-based SOHO (small office/home office) routers hijacked by state-sponsored hackers from the People’s Republic of China (PRC).

The hackers, known in the private sector as “Volt Typhoon,” used privately owned SOHO routers infected with the “KV Botnet” malware to conceal the Chinese origin of further hacking activities directed at U.S. and foreign victims. Those hacking activities included a campaign targeting critical infrastructure organizations in the United States and elsewhere that was the subject of a May 2023 advisory by the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA) and foreign partners. The same activity has been the subject of advisories to private sector partners in May and December 2023, as well as an additional Secure by Design alert published today by CISA.

The vast majority of the routers that made up the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported by manufacturer security patches or other software updates. The court-authorized operation removed the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

“The Department of Justice has disrupted a hacking group backed by the People’s Republic of China that attempted to attack critical U.S. infrastructure using a botnet,” said Attorney General Merrick B. Garland. “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people.”

“By removing the KV Botnet from hundreds of routers across the country, the Department of Justice is using all of its tools to disrupt national security threats, in real time,” said Deputy Attorney General Lisa O. Monaco. “Today’s announcement also highlights our critical partnership with the private sector: victim reporting is key to fighting cybercrime, from headquarters to our most critical infrastructure.”

“China’s hackers are targeting critical American civilian infrastructure and pre-positioning themselves to cause real-world damage to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. “The Volt Typhoon malware allowed China to hide while attacking our communications, energy, transportation and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical security that the FBI will not tolerate. We will continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”

“Today, the FBI and our partners continue to strongly oppose PRC cyber actors that threaten our nation’s cybersecurity,” said FBI Deputy Director Paul Abbate. “We remain committed to thwarting malicious activity of this type and will continue to disrupt and dismantle cyber threats, safeguarding the fabric of our cyber infrastructure.”

“This operation disrupted the efforts of state-sponsored hackers from the People’s Republic of China to gain access to critical United States infrastructure that the People’s Republic of China could exploit during a future crisis,” said Deputy Attorney General Matthew G. Olsen of the Department of Justice’s National Security Division. “The operation, along with the release of valuable network defense guidance by the US government and private sector partners, demonstrates the Department of Justice’s commitment to improving cybersecurity and disrupting efforts to put our critical infrastructure at risk.”

“Using traditional law enforcement tools to disrupt cutting-edge technologies, the United States Attorney’s Office for the Southern District of Texas protected Americans from PRC government-sponsored cybercriminals using routers based in the U.S. to hack U.S. targets,” said U.S. Attorney Alamdar S. Hamdani for the Southern District of Texas. “This case demonstrates my office’s continued commitment to defending our critical infrastructure from cyberattacks initiated by the People’s Republic of China. We thank the FBI and the Department of Justice’s National Security Division for their work, and we will continue to work shoulder to shoulder with them to protect our country from state-sponsored hackers.”

“The FBI’s takedown of the KV Botnet sends a clear message that the FBI will take decisive action to protect our nation’s critical infrastructure from cyberattacks,” said Special Agent in Charge Douglas Williams of the FBI Houston Field Office. “By ensuring that home and small business routers are replaced after their useful life expires, everyday citizens can protect both their personal cybersecurity and the digital security of the United States. We need the vigilance and support of the American public to continue our fight against malicious cyber actors sponsored by the People’s Republic of China.”

As described in court documents, the government extensively tested the operation on the relevant Cisco and NetGear routers. The operation did not affect the legitimate functions of the hacked routers or collect content information from them. Additionally, the court-authorized measures to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature. A router owner can reverse these mitigation steps by restarting the router. However, a reboot that is not accompanied by mitigation measures similar to those authorized by the court order will leave the router vulnerable to reinfection.

The FBI is notifying all owners or operators of SOHO routers that were infected with the KV Botnet malware and accessed remotely during the court-authorized operation. For those victims whose contact information was not publicly available, the FBI has contacted providers (such as the victim’s Internet service provider) and asked them to notify victims.

The FBI’s Houston Field Office and Cyber Division, the U.S. Attorney’s Office for the Southern District of Texas, and the Department of Justice’s National Security Division’s National Security Cyber Section led the disruption effort. The Computer Crime and Intellectual Property Section of the Department of Justice’s Criminal Division and the Office of International Affairs provided valuable assistance. These efforts would not have been successful without the collaboration of numerous private sector entities.

If you think you have a compromised router, visit the FBI’s Internet Crime Complaint Center or report online to CISA. Unpatched routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly recommends that router owners remove and replace any end-of-life SOHO routers currently on their networks.

The FBI continues to investigate Volt Typhoon computer intrusion activity.
