Router botnet tied to Volt Typhoon’s critical infrastructure breaches


Chinese threat group Volt Typhoon used a botnet of compromised home and small business routers to covertly move data during a major campaign against U.S. critical infrastructure that was discovered earlier this year.

The campaign raised alarm in the intelligence community when it was first reported in May because of the breadth and potential impact of the intrusions. Organizations across a range of sectors, including government, defense, communications, IT and utilities, were targeted.

One victim was a critical infrastructure organization in the U.S. territory of Guam. There were fears the intrusion could be a precursor to an attack aimed at disrupting U.S. military capabilities in the South China Sea region.

KV-botnet built from end-of-life routers

In a Dec. 13 post, Lumen Technologies said that, following the disclosure of the attacks, its Black Lotus Labs division found that Volt Typhoon, and possibly other advanced persistent threat (APT) actors, had used a botnet as a data transfer network as part of its operations.

Dubbed KV-botnet, it was a network of infected small office/home office (SOHO) routers, mainly end-of-life models made by Cisco, DrayTek and Netgear.

“The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework,” the researchers said. “The operators of this botnet meticulously implement tradecraft and obfuscation techniques.”

Building a botnet from older SOHO routers offered several advantages, the researchers said: there are large numbers of such devices, they receive little in the way of security controls or patching, and they can carry significant bandwidth without raising suspicion.

“Additionally, because these models are associated with home and small business users, it’s likely many targets lack the resources and expertise to monitor or detect malicious activity and perform forensics.”

In a separate statement, Lumen said KV-botnet had enabled Volt Typhoon to maintain covert communication channels that blended with normal network traffic, bypassing security controls such as firewalls.

“This botnet was essential for their strategic intelligence collection operations,…
