The United States continues to grapple with cyber intrusions emanating from sophisticated hacking groups affiliated with the Chinese government.
In December 2023, the U.S. government conducted an extensive operation to disrupt a Chinese state-sponsored botnet that was being used to conceal attacks against American critical infrastructure organizations, the Justice Department announced this week.
The botnet, known as the KV Botnet, was comprised of hundreds of compromised small office and home office (SOHO) routers located in the United States. It was controlled by a prolific Chinese hacking group tracked as Volt Typhoon. The attackers used the network of infected routers to disguise further intrusion attempts into utilities, communications firms, and other critical sectors.
Armed with court authorization, the FBI gained access to the botnet's command and control infrastructure in early December. Agents proceeded to send commands to infected routers to uninstall malware, sever connections to the botnet, and block further malicious communications. The operation successfully freed a large number of victim devices from Volt Typhoon's grip and dealt a blow to the hackers' operational capabilities.
Authorities said the majority of the hijacked routers were end-of-life Cisco and Netgear models no longer supported by security updates. The vulnerability of these outdated devices allowed the hackers to easily compromise them by the thousands. The Justice Department strongly advised SOHO owners to replace aging routers still deployed in homes and offices across the country.
In testimony before U.S. Congress on January 31, federal officials warned that Chinese state-sponsored groups have stepped up network intrusion efforts against Western critical infrastructure, both for espionage and to enable potential disruptive attacks.
Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), testified: "We see Chinese cyber actors... burrowing deep into our critical infrastructure to enable destructive attacks in the event of a major crisis or conflict... all to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will."
The FBI disclosed that Volt Typhoon has been exploiting devices to map out targets that would cripple the U.S. in case of a regional conflict. While the recent operation stripped the hackers of a valuable tool, the threat posed by Chinese cyber operators persists.
"China's hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict," said FBI Director Christopher Wray. "Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate."
According to Colonel Cedric Leighton, U.S. Air Force (Ret.) and CNN military analyst, "One of the things that they [Volt Typhoon] did was they attacked critical infrastructure, telecommunications supply chain efforts, all kinds of things dealing with utilities, and that is one of their key elements."
"It was an effort, basically, to use these networks in a way to leverage them and to use the information that they gain to not only map out the network, but also to determine its vulnerabilities and then potentially use those vulnerabilities in case something happened where China would actually have to engage U.S. forces in a hostile way," Leighton said.
Investigations into Volt Typhoon's extensive infrastructure hacking campaign remain ongoing.
The FBI's highly technical mission demonstrates the U.S. government's increasing ability and willingness to take offensive actions in cyberspace against foreign adversaries. American intelligence leaders have named Chinese cyber operations as one of the most serious threats facing the nation. Thwarting the Volt Typhoon botnet marks one of the most public moves yet to counter Chinese aggression in the digital domain.
[RELATED: Hear more from Col. Leighton in his recent cyber intel briefing with SecureWorld; the webcast is available on-demand here.]
Follow SecureWorld News for more stories related to cybersecurity.