As was widely reported last week by mainstream news media, the U.S. Government in December 2023, led by the U.S Justice Department and FBI, disrupted a botnet attack by Chinese state-sponsored hackers targeting US critical infrastructure. The hacking group known to the private sector as Volt Typhoon was infecting privately owned SOHO (small office home office) routers with “KV Botnet” malware and had built a network of hundreds of devices with plans to attack U.S. energy and water infrastructure from within the U.S. This hacking activity and the associated targets have been on the radar of US officials for some time with advisory notices dating back to May 2023 released by the FBI, NSA, and U.S. CISA.
The FBI performed a court-authorized operation to reach out to the owners of the infected SOHO routers and disable/mitigate the KV Botnet malware. This was an extensive operation involving multiple agencies and private sector entities. Remediation of this threat was further complicated by the fact that most of the devices involved were Cisco and Netgear routers that had reached End-of-Life (or EOL) status and were no longer upgradable to more secure firmware.
“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”
Though this particular attack was prevented, and the threat mitigated, U.S. officials were very clear that the threat from Volt Typhoon and other state-sponsored actors is far from over. I believe we as consumers and businesses have a role to play to help prevent these attack vectors in the future.
At the heart of this particular incident was the continued use of end-of-life routers. Any time a device reaches EOL status, the manufacturer ceases production on software updates, patches, and security fixes. In that static state, the device effectively remains permanently vulnerable. Vulnerable devices are easy targets for cybercriminals, including nation state actors who intend to infect and control these devices as a part of their larger botnet armies.
We as consumers and business owners need to take hardware lifecycle management more seriously. Our country is asking for our help. “The FBI’s dismantling of the KV Botnet sends a clear message that the FBI will take decisive action to protect our nation’s critical infrastructure from cyber-attacks,” said Special Agent in Charge Douglas Williams of the FBI Houston Field Office. “By ensuring home and small-business routers are replaced after their end-of-life expiration, everyday citizens can protect both their personal cyber security and the digital safety of the United States. We need the American public’s vigilance and support to continue our fight against malicious PRC-sponsored cyber actors.”
Vigilance is an ongoing process. It is dedication to a methodical approach to cybersecurity that includes consistent and continuous well-informed decisions about when and what to upgrade, and those decisions need to go well beyond SOHO routers and PCs. Everyone should know and understand the patch and support status of any device in his or her home or office that has any type of connection to the Internet. Unsupported devices need to be replaced and supported devices need to be patched and upgraded on a regular basis. We need to take the tools out of the hands of the cybercriminals and use these same tools to our advantage and defense.