Connect with us

Hi, what are you looking for?



Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet 

Malware hunters have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers and linked it to a Chinese APT targeting US critical infrastructure.

Chinese cyber threats

Malware hunters in the United States have set eyes on an impossible to kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure.

The discovery of the botnet, which is packed with outdated Cisco, Netgear and Fortinet devices, adds a new twist to the scramble to mitigate the damage from Volt Typhoon infections first spotted at critical infrastructure organizations in Guam, a U.S. territory in the Pacific Ocean.

Volt Typhoon, flagged by Microsoft and US government officials as a Chinese APT showcasing the ability to disrupt critical communications infrastructure, has burrowed deep into thousands of organizations spanning communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and the education sectors. 

According to new research from Black Lotus Labs (the threat-intel arm of Lumen Technologies) the Chinese hackers have seized control of hundreds of old, outdated routers and set up a Tor-like covert data transfer network to perform malicious operations.

In an interview with SecurityWeek, Black Lotus Labs researcher Danny Adamitis said the collection of hijacked routers (called KV-botnet based on artifacts in the malware), features a complex infection process and a well concealed command-and-control framework. 

Adamitis said botnet is made up primarily of end-of-life products that are vulnerable to critical security issues. Vendors have stopped shipping security patches for these devices, meaning they will remain unpatched.

“The only solution is to rip and replace these things,” Adamitis said, noting that his team has found Cisco RV320s, DrayTek Vigor routers and Netgear ProSAFEs devices. 

In a sign that the hacking group may be preparing for a new wave of attacks over the holidays, Adamitis said hijacked Axis IP cameras have been added to the botnet amidst a remodeling of the infrastructure of the botnet. 

Advertisement. Scroll to continue reading.

“Taking note of the structural changes, targeting of new device types like IP cameras, and mass exploitation in early December, we suspect this could be a precursor to  increased activity during the holiday season,” the company warned in a report to be released Wednesday.

Adamitis said Black Lotus Labs will be releasing the malware and related artifacts publicly to help organizations mitigate the threat and plan for upcoming attacks. 

The company also released a detailed technical analysis of the intricacies of the botnet and multiple data points with evidence of links to Volt Typhoon.  Adamitis also called special attention to hands-on-keyboard manual operations and clever steps to avoid security software and stay below the radar.

“We assess that this trend of utilizing compromised firewalls and routers will continue to emerge as a core component of threat actor operations, both to enable access to high-profile victims  and to establish covert infrastructure,” Black Lotus Labs warned, noting that end-of-life routers are still widely deployed at major organizations around the world.

“While we would classify the majority of the KV infections  as opportunistic; this cluster infected SOHO devices associated with a handful of high value networks. Examples include a US judicial organization and a US organization that manages a satellite-based network,” according to the report.

“There is a large supply of vastly out-of-date and generally considered end-of-life edge devices on the internet, no longer eligible to receive patches. Additionally, because these models are  associated with home and small business users, it’s likely many targets lack the resources and  expertise to monitor or detect malicious activity and perform forensics,” Adamitis said.

He noted that the hijacked router models are all able to handle medium-to-large data bandwidth, meaning there is likely no noticeable impact to the legitimate users.

Black Lotus Labs is urging network defenders to look closely for large data transfers out of the network, even if the destination IP address is physically located in the same geographical area.  

Related: Mandiant Intelligence Chief Raises Alarm for ‘Volt Typhoon’ in US Critical Infrastructure

Related: Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure

Related: Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks 

Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...