The US government announced that it has disrupted a botnet operated by the threat actor Volt Typhoon, which the group used to attack critical infrastructure in the United States and other countries.
A court-authorized operation in December 2023 destroyed a botnet of hundreds of US-based small office/home office (SOHO) routers hijacked by state-sponsored hackers from the People's Republic of China (PRC).
Volt Typhoon attacked critical infrastructure
The hackers, known in the private sector as “Volt Typhoon,” used privately owned SOHO routers infected with the “KV Botnet” malware to obscure the PRC origin of further hacking activity directed against U.S. and other foreign victims. This additional hacking activity included a campaign against critical infrastructure organizations in the United States and elsewhere around the world. In May 2023, these attacks became the subject of an advisory from the FBI, the National Security Agency, the Cybersecurity and Infrastructure Security Agency (CISA), and foreign partners. The same activity was the subject of advisories to private sector partners in May and December 2023, as well as an additional Secure by Design alert issued by CISA today.
“The FBI’s dismantling of the KV botnet is a clear signal that the FBI will take decisive action to protect our nation’s critical infrastructure from cyberattacks,” said Special Agent in Charge Douglas Williams of the FBI’s Houston Field Office. “By ensuring that home and small business routers are replaced at the end of their lifespan, everyday citizens can protect both their personal cybersecurity and the digital security of the United States.”
Comment from Google Mandiant
“Volt Typhoon is focused on targeting critical infrastructure, such as water treatment plants, power grids, etc. By flying under the radar, the actor works hard to reduce the traces that would allow us to track their activities across networks. The group uses compromised systems to gain surreptitious access to normal network activity, constantly changing the source of its activity. It avoids using malware, as it could raise an alarm and give us something tangible. Tracking such activities is extremely difficult, but not impossible. Mandiant and Google are focused on staying ahead of the game, working closely with customers and partners.
Russia is also looking for the loopholes
This is not the first time that critical US infrastructure has been attacked in this way. On several occasions, Russian intelligence actors were discovered in the midst of similar operations that were eventually exposed. Such operations are dangerous and demanding, but not impossible.
The purpose of Volt Typhoon was to prepare for a contingency without being noticed. Fortunately, Volt Typhoon has not gone unnoticed, and while the hunt is challenging, we are adapting to improve intelligence gathering and thwart this actor. We anticipate their moves, we know how to identify them, and most importantly, we know how to harden the networks they target.” – Sandra Joyce, VP, Mandiant Intelligence – Google Cloud.
More at Justice.gov