The US government on Wednesday announced a major takedown of a botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Chinese state-backed hackers as a covert communications channel.
The disruption comes less than two months after researchers at Lumen Technologies linked the hijacked routers to Volt Typhoon, a known Chinese APT previously caught targeting US critical infrastructure.
Volt Typhoon, flagged by Microsoft and US government officials as a Chinese hacking group with the ability to disrupt critical infrastructure, has burrowed deep into thousands of organizations spanning communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and the education sectors.
According to the Justice Department, a court-authorized operation cleared the way for the FBI to remotely seize control of hundreds of infected routers and send instructions to delete malware and change settings used for malware communications.
“The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” the Justice Department said.
The FBI used the botnet’s own command-and-control communication mechanism to remotely delete the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.
The government released court documents to show how it extensively tested the operation on relevant Cisco and NetGear routers to avoid impacting the legitimate functions of, or collect content information from, hacked routers.
“Additionally, the court-authorized steps to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature,” the Justice Department said, noting that an owner can reverse these mitigation steps by restarting the router.
“However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection,” it warned.
The FBI said it is notifying all owners or operators of SOHO routers that were remotely accessed in the takedown operation.
Last December, researchers warned that the router botnet was packed with outdated Cisco, Netgear and Fortinet devices acting as a Tor-like covert data transfer network to perform malicious operations.
In an interview with SecurityWeek, Black Lotus Labs researcher Danny Adamitis said KV Botner features a complex infection process and a well concealed command-and-control framework.
Adamitis said botnet is made up primarily of end-of-life products that are vulnerable to critical security issues. Vendors have stopped shipping security patches for these devices, meaning they will remain unpatched.
“The only solution is to rip and replace these things,” Adamitis said, noting that his team has found Cisco RV320s, DrayTek Vigor routers and Netgear ProSAFEs devices.
Related: Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet
Related: Mandiant Raises Alarm for ‘Volt Typhoon’ Hacking Group
Related: Microsoft Catches Chinese .Gov Hackers in US Critical Infrastructure
Related: Fortinet Warns of Possible Zero-Day Exploited in Limited Attacks
Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets