U.S. Disrupts Botnet China Used to Conceal Hacking of Critical Infrastructure

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”

“Today, the FBI and our partners continue to stand firmly against People’s Republic of China cyber actors that threaten our nation’s cyber security,” said FBI Deputy Director Paul Abbate. “We remain committed to thwarting malicious activities of this type and will continue to disrupt and dismantle cyber threats, safeguarding the fabric of our cyber infrastructure.”

“This operation disrupted the efforts of PRC state-sponsored hackers to gain access to U.S. critical infrastructure that the PRC would be able to leverage during a future crisis,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The operation, together with the release of valuable network defense guidance by the U.S. government and private sector partners, demonstrates the Department of Justice’s commitment to enhance cybersecurity and disrupt efforts to hold our critical infrastructure at risk.”

“Using traditional law enforcement tools to disrupt state-of-the-art technologies, the U.S. Attorney’s Office for the Southern District of Texas protected Americans from PRC government-sponsored cyber-criminals who used U.S.-based routers to hack into American targets,” said U.S. Attorney Alamdar S. Hamdani for the Southern District of Texas. “This case demonstrates my office’s ongoing commitment to defending our critical infrastructure from PRC-initiated cyber-attacks. We thank the FBI and the Justice Department’s National Security Division for their work, and we will continue to work shoulder to shoulder with them to shield our country from state-sponsored hackers.”

“The FBI’s dismantling of the KV Botnet sends a clear message that the FBI will take decisive action to protect our nation’s critical infrastructure from cyber-attacks,” said Special Agent in Charge Douglas Williams of the FBI Houston Field Office. “By ensuring home and small-business routers are replaced after their end-of-life expiration, everyday citizens can protect both their personal cyber security and the digital safety of the United States. We need the American public’s vigilance and support to continue our fight against malicious PRC-sponsored cyber actors.”

As described in court documents, the government extensively tested the operation on the relevant Cisco and NetGear routers. The operation did not impact the legitimate functions of, or collect content information from, hacked routers. Additionally, the court-authorized steps to disconnect the routers from the KV Botnet and prevent reinfection are temporary in nature. A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.

The FBI is providing notice of the court-authorized operation to all owners or operators of SOHO routers that were infected with the KV Botnet malware and remotely accessed pursuant to the operation. For those victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims.

The FBI notes that if you believe you have a compromised router, please visit the FBI’s Internet Crime Complaint Center or report online to CISA. The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.