China-Linked "KV-Botnet" Targeting SOHO Routers Shut Down by U.S. Federal Authorities

On Wednesday, the U.S. government announced measures to eliminate a botnet consisting of numerous small office and home office (SOHO) routers in the U.S. that were taken over by a state-affiliated threat actor known as Volt Typhoon. This was done to minimize the effects of the hacking campaign.

The Black Lotus Labs team at Lumen Technologies first revealed the presence of KV-botnet in mid-December 2023. Reuters reported earlier this week that law enforcement had taken action against the Chinese hacking network targeting critical infrastructure.

According to a press statement from the Department of Justice (DoJ), a large number of routers in the KV-botnet were susceptible to attacks because they were Cisco and NETGEAR devices that had reached "end of life" status, meaning their manufacturer no longer provided security patches or software updates.

The group known as Volt Typhoon (also known as DEV-0391, Bronze Silhouette, Insidious Taurus, or Vanguard Panda) is a China-based adversary group that has been identified as the culprit behind cyber attacks aimed at critical infrastructure sectors in the United States and Guam.

According to CISA Director Jen Easterly, Chinese cyber groups, particularly the 'Volt Typhoon' group, are infiltrating our vital infrastructure in preparation for launching harmful cyber assaults in case of a significant emergency or confrontation with the US.

The cyber espionage group, which has been operating since 2021, is known for its use of legitimate tools and living-off-the-land (LotL) techniques to evade detection and persist in targeted systems for prolonged periods in order to acquire confidential data.

One crucial element of its method of operation is its effort to integrate with regular network behavior by using compromised SOHO network devices like routers, firewalls, and VPN hardware to redirect traffic, in an effort to conceal its source.

The KV-botnet is utilized to achieve this goal. It takes control of devices made by Cisco, DrayTek, Fortinet, and NETGEAR to create a hidden network for advanced persistent threat actors. It is believed that the operators of this botnet also offer their services to other hacking groups, such as Volt Typhoon.

The cybersecurity firm SecurityScorecard released a report in January 2024 disclosing that a botnet was responsible for compromising 30% of end-of-life Cisco RV320/325 routers (325 out of 1,116) over a 37-day period from December 1, 2023 to January 7, 2024. This information was reported by in their article titled "China-Backed Hackers Hijack Software" (

According to Lumen Black Lotus Labs, the KV-botnet has been utilized by Volt Typhoon and is a part of their operational infrastructure. The botnet has been in operation since at least February 2022.

The purpose of the botnet is to install a VPN module onto routers that have security vulnerabilities. This allows for a direct and encrypted communication channel to be established in order to control the botnet and utilize it as a relay node to fulfill their operational objectives.

As stated in affidavits submitted by the U.S. Federal Bureau of Investigation (FBI), the KV-botnet has the capability of transferring encrypted data between the compromised SOHO routers. This enables the hackers to conceal their actions by making it seem like they are operating from the SOHO routers instead of their real computers located in China.

In an attempt to disrupt the botnet, the agency reported that it remotely sent commands to U.S. routers, utilizing the malware's communication protocols, in order to remove the KV-botnet payload and prevent future infections. The FBI also made sure to inform all victims of the operation, either directly or through their internet service provider if contact information was not accessible.

According to the DoJ, the authorized court operation removed the KV-botnet malware from the routers and also took measures to cut off their link to the botnet. This included blocking communication with other devices that were being used to manage the botnet.

It is worth noting that the unspecified steps taken to remove the routers from the botnet are only temporary and will not survive a system restart. In other words, if the devices are restarted, they will again be vulnerable to reinfection.

According to FBI Director Christopher Wray, the Volt Typhoon malware allowed China to conceal their pre-operational reconnaissance and network exploitation activities aimed at critical infrastructure such as communication, energy, transportation, and water sectors. These actions reveal China's intention to locate and potentially damage the civilian critical infrastructure that plays a crucial role in ensuring our safety and prosperity.

According to a statement released to Reuters, the Chinese government denies any involvement in the attacks, calls the matter a "disinformation campaign", and says it has consistently opposed hacking attacks and the misuse of information technology.

Alongside the takedown, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released updated guidance advising manufacturers of SOHO devices to prioritize a "secure by design" approach during the development process, relieving customers of the responsibility. The guidance can be found at

The recommendation is for manufacturers to remove potential vulnerabilities in SOHO router web management interfaces and adjust default device settings to enable automatic updates. A manual override should be required to remove any security settings.

The compromise of edge devices such as routers for use in advanced persistent attacks by both Russia and China highlights a growing problem. It is compounded by the fact that older devices no longer receive security updates and are not compatible with endpoint detection and response (EDR) systems.

In light of the current threat landscape, CISA asserted that it is unacceptable to develop products without proper security measures. The agency emphasized the consequences of neglecting secure design practices, highlighting the potential harm to customers and the nation's critical infrastructure, as demonstrated in this particular incident.
