Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov’t Entities
Researchers have discovered an Internet of Things (IoT) botnet linked with attacks against multiple US government and communications organizations.

The “KV-Botnet,” revealed in a report from Lumen’s Black Lotus Labs, is designed to infect small-office home-office (SOHO) network devices developed by at least four different vendors. It comes built with a series of stealth mechanisms and the ability to spread further into local area networks (LANs).

One notable subscriber is the Volt Typhoon advanced persistent threat (aka Bronze Silhouette), the headline-grabbing Chinese state-aligned threat actor known for attacks against US critical infrastructure. The platform appears to have been involved in previously reported Volt Typhoon campaigns against two telecommunications firms, an Internet service provider (ISP), and a US government organization based in Guam. It only represents a portion of Volt Typhoon’s infrastructure, though, and there are almost certainly other threat actors also using it.

Inside the KV-Botnet

Since at least February 2022, KV-Botnet has primarily infected SOHO routers including the Cisco RV320, DrayTek Vigor, and Netgear ProSafe product lines. As of mid-November, it expanded to exploit IP cameras developed by Axis Communications.

Administered from IP addresses located in China, the botnet can be broadly split into two groups: the “KY” cluster, involving manual attacks against high-value targets, and the “JDY” cluster, involving broader targeting and less sophisticated techniques.

Most KV-Botnet infections so far appear to fall into the latter cluster. With that said, the botnet has brushed up against a number of previously undisclosed high-profile organizations, including a judicial institution, a satellite network provider, and military entities from the US, as well as a renewable energy company based in Europe.

The program is perhaps most notable for its advanced, layered stealth. It resides entirely in memory (although, on the flip side, this means a simple device restart clears it). It checks for and terminates a series of processes and security tools running on the infected device, runs under the name of a random file already present on the device, and…
