Christopher Wray testifies about the threat of Chinese hackers threatening U.S. infrastructure
(Christopher Wray testifies before Congress on Jan. 31, Image credit: Twitter)
On January 31, as FBI Director Christopher Wray was testifying before Congress about the threat of Chinese hackers going after America’s infrastructure systems, the U.S. Department of Justice shared the news about a December 2023 court-authorized operation that disrupted a botnet of hundreds of U.S.-based small office/home office (SOHO) routers hijacked by People’s Republic of China (PRC) state-sponsored hackers.
The hackers, known to the private sector as “Volt Typhoon,” used privately-owned SOHO routers infected with the “KV Botnet” malware to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims. These further hacking activities included a campaign targeting critical infrastructure organizations in the United States and elsewhere that was the subject of a May 2023 FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and foreign partner advisory. The same activity has been the subject of private sector partner advisories in May and December 2023, as well as an additional Secure by Design alert released today by CISA.
The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported through their manufacturer’s security patches or other software updates. The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.
“The Justice Department has disrupted a PRC-backed hacking group that attempted to target America’s critical infrastructure utilizing a botnet,” said Attorney General Merrick B. Garland. “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people.”
“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”
“This operation disrupted the efforts of PRC state-sponsored hackers to gain access to U.S. critical infrastructure that the PRC would be able to leverage during a future crisis,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The operation, together with the release of valuable network defense guidance by the U.S. government and private sector partners, demonstrates the Department of Justice’s commitment to enhance cybersecurity and disrupt efforts to hold our critical infrastructure at risk.”
As described in court documents, the government extensively tested the operation on the relevant Cisco and NetGear routers. The operation did not impact the legitimate functions of, or collect content information from, hacked routers. Additionally, the court-authorized steps to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature.
A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.
The FBI is providing notice of the court-authorized operation to all owners or operators of SOHO routers that were infected with the KV Botnet malware and remotely accessed pursuant to the operation. For those victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims.
If you believe you have a compromised router, please visit the FBI’s Internet Crime Complaint Center or report online to CISA. The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.
The FBI continues to investigate Volt Typhoon’s computer intrusion activity.
Just yesterday, FBI Director Christopher Wray testified before Congress about the threat of Chinese hackers attacking America’s infrastructure. See the full video below.
(Source: Department of Justice)
Posted by Richard Webster, Ace News Today