FBI disrupts Chinese botnet by wiping malware from infected routers

January 31, 2024, 12:43 PM

The FBI has disrupted the KV Botnet used by Chinese Volt Typhoon state hackers to evade detection during attacks targeting U.S. critical infrastructure.

The hacking group (also tracked as Bronze Silhouette) used the botnet to hijack hundreds of small office/home office (SOHO) routers across the United States, routing its malicious traffic through them so that it blended in with legitimate network traffic and evaded detection.

Devices compromised and added to this botnet included Netgear ProSAFE, Cisco RV320s, and DrayTek Vigor routers, as well as Axis IP cameras, according to Lumen Technologies' Black Lotus Labs team, who first linked the malware to the Chinese threat group in December.

A SecurityScorecard report from earlier this month estimates that Volt Typhoon hackers were able to hijack roughly 30% of all Cisco RV320/325 devices online in just over a month. 

"The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors—steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," said FBI Director Christopher Wray.

"So working with our partners, the FBI ran a court-authorized, on-network operation to shut down Volt Typhoon and the access it enabled."

The FBI's operation began on December 6th when the law enforcement agency first obtained a court order authorizing it to take down the botnet after hacking into its command-and-control (C2) server.

Once in, FBI agents sent commands to the compromised devices to cut them off from the botnet and prevent the Chinese hackers from reconnecting them to the malicious network.

They also issued a command that forced the malware to uninstall its botnet VPN component, blocking the hackers from using the devices to conduct further attacks.

"The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," a Justice Department press release explains.

"The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet."

Vendors urged to secure SOHO routers

Today, CISA and the FBI also issued guidance for SOHO router manufacturers, urging them to ensure they're secured against Volt Typhoon's ongoing attacks.

Recommendations include automating security updates and allowing access to their web management interfaces only from the LAN by default, as well as removing security flaws during the design and development phases.
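To make the "web management interface reachable only from the LAN by default" recommendation concrete, here is an added illustrative example (not from the article, CISA, the FBI, or any router vendor) written as two nftables rulesets for a Linux-based SOHO router: the exposed default beside the hardened one. The interface names (`wan0`, `br-lan`) and the management ports (80/443 for the web UI, 22 for SSH) are assumptions chosen for illustration.

```nftables
# Added illustrative example, not from the article or from any vendor.
# Interface names (wan0, br-lan) and management ports (22, 80, 443) are
# assumptions for illustration; adjust to the device in question.

# --- Weak default: management ports accepted on every interface ---
table inet mgmt_weak {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Web UI and SSH are accepted no matter which interface the packet
        # arrived on, so the WAN side exposes them to the whole internet.
        tcp dport { 22, 80, 443 } accept
    }
}

# --- Hardened default: management only from the LAN segment ---
table inet mgmt_hardened {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Management ports are reachable only for packets that arrived on
        # the LAN bridge interface.
        iifname "br-lan" tcp dport { 22, 80, 443 } accept
        # Anything hitting those ports from the WAN side is dropped by the
        # chain policy anyway; logging it makes exposure attempts visible.
        iifname "wan0" tcp dport { 22, 80, 443 } log prefix "mgmt-from-wan: " drop
    }
}
```

Load only one of the two tables at a time (for example by saving the hardened table to its own file and applying it with `nft -f`), since both define an input-hook chain and would otherwise be evaluated together. After loading, `nft list ruleset` should show the management ports accepted solely under the `iifname "br-lan"` rule, and the logged `mgmt-from-wan:` entries give operators a cheap signal that someone on the internet is probing the management interface of an edge device.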

A Microsoft report in May 2023 revealed that Volt Typhoon hackers have been targeting and breaching U.S. critical infrastructure organizations since at least mid-2021.

The hacking group's KV Botnet, a covert data transfer network, has been used in attacks against a wide range of organizations since at least August 2022, including U.S. military organizations, telecommunication and internet service providers, and a European renewable energy firm.

Reuters first reported the U.S. government's KV Botnet disruption operation on Monday.