Cyber Daily

Volt Typhoon resurrects KV botnet following FBI takedown

The Chinese state-sponsored hacking group Volt Typhoon has begun rebuilding its botnet after the FBI launched a takedown operation at the beginning of the year.

Daniel Croft
Wed, 13 Nov 2024

In January, the FBI launched a takedown operation against Volt Typhoon’s “KV botnet”, which the group had been observed using to probe critical infrastructure sites and operators in the US. The botnet’s malware had infected hundreds of ageing Cisco and Netgear routers and other network devices.

The group was also observed targeting a critical infrastructure operator on the US territory of Guam, leading officials to believe that it may be positioning to attack the operator and disrupt military capabilities as tensions between China and the US grow over Taiwan.

Despite reports in February that Volt Typhoon was struggling to resurrect the botnet, researchers from IT security firm SecurityScorecard said the group has been rebuilding it once again, largely compromising Cisco RV320/325 and Netgear ProSafe series devices, most of them located in Asia.


“Approximately 30 per cent of the Cisco RV320/325 devices observed by SecurityScorecard in a 37-day period may have been compromised by Volt Typhoon,” said SecurityScorecard in its report.

The firm also said there were two vulnerabilities that Volt Typhoon may have exploited to compromise the devices, and that the targeted devices are end-of-life, meaning there have been no recent software updates to address those vulnerabilities.

“The STRIKE Team observed frequent connections between these devices and known Volt Typhoon infrastructure from 12/1/23 to 1/7/2024, suggesting a very active presence,” added SecurityScorecard.

Speaking with BleepingComputer, the firm said it is unsure what malware the devices are running, but it noted that some of the observed infected devices were active in the botnet prior to the January takedown.

The botnet also appears to operate by routing traffic through the compromised devices, allowing the group to conduct espionage and other cyber criminal activity while obscuring its origin.

The rebuilt botnet, while still far smaller than it previously was, suggests that Volt Typhoon’s activities are set to return.

The group is known for its espionage campaigns against other nations, using living-off-the-land techniques to remain undetected on a network for long periods.

A joint advisory released by the Five Eyes information-sharing alliance has revealed that Volt Typhoon may have had access to critical infrastructure providers’ IT networks for at least five years.

Additionally, British security software firm Sophos said it had been engaged in a digital war with Chinese state-sponsored actors, including Volt Typhoon, for the same length of time.

“For more than five years, Sophos has been investigating multiple China-based groups targeting Sophos firewalls, with botnets, novel exploits, and bespoke malware,” said Sophos.

“With assistance from other cyber security vendors, governments, and law enforcement agencies, we have been able to, with varying levels of confidence, attribute specific clusters of observed activity to Volt Typhoon, APT31 and APT41/Winnti.”
