Connect with us

Hi, what are you looking for?



US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon

The US government neutralizes a botnet full of end-of-life Cisco and Netgear routers being by a notorious Chinese APT group.

Cisco CVE-2023-20198 exploited

The US government on Wednesday announced a major takedown of a botnet full of end-of-life Cisco and Netgear routers after researchers warned it was being used by Chinese state-backed hackers as a covert communications channel.

The disruption comes less than two months after researchers at Lumen Technologies linked the hijacked routers to Volt Typhoon, a known Chinese APT previously caught targeting US critical infrastructure.

Volt Typhoon, flagged by Microsoft and US government officials as a Chinese hacking group with the ability to disrupt critical infrastructure, has burrowed deep into thousands of organizations spanning communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and the education sectors. 

According to the Justice Department, a court-authorized operation cleared the way for the FBI to remotely seize control of hundreds of infected routers and send instructions to delete malware and change settings used for malware communications. 

“The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” the Justice Department said.

The FBI used the botnet’s own command-and-control communication mechanism to remotely delete the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

The government released court documents to show how it extensively tested the operation on relevant Cisco and NetGear routers to avoid impacting the legitimate functions of, or collect content information from, hacked routers. 

“Additionally, the court-authorized steps to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature,” the Justice Department said, noting that an owner can reverse these mitigation steps by restarting the router.

Advertisement. Scroll to continue reading.

“However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection,” it warned.

The FBI said it is notifying all owners or operators of SOHO routers that were remotely accessed in the takedown operation. 

Last December, researchers warned that the router botnet was packed with outdated Cisco, Netgear and Fortinet devices acting as a Tor-like covert data transfer network to perform malicious operations.

In an interview with SecurityWeek, Black Lotus Labs researcher Danny Adamitis said KV Botner features a complex infection process and a well concealed command-and-control framework. 

Adamitis said botnet is made up primarily of end-of-life products that are vulnerable to critical security issues. Vendors have stopped shipping security patches for these devices, meaning they will remain unpatched.

“The only solution is to rip and replace these things,” Adamitis said, noting that his team has found Cisco RV320s, DrayTek Vigor routers and Netgear ProSAFEs devices. 

Related: Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet 

Related: Mandiant Raises Alarm for ‘Volt Typhoon’ Hacking Group

Related: Microsoft Catches Chinese .Gov Hackers in US Critical Infrastructure

Related: Fortinet Warns of Possible Zero-Day Exploited in Limited Attacks 

Related: AWS Using MadPot Decoy System to Disrupt APTs, Botnets

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...