
The U.S. government has disrupted a botnet that was used by a Chinese state-sponsored hacking group to disguise its activities targeting critical infrastructure.
The botnet that the government disrupted consisted of several hundred SOHO, or small office and home office, routers installed in the U.S. Most of the routers were made by Cisco and Netgear. The devices were exploitable because they had reached end-of-life status, meaning they no longer receive security patches.
The Justice Department detailed that the botnet was created by a Chinese state-sponsored hacking group known as Volt Typhoon. The group used the breached routers to conceal the origin of a cyberattack campaign directed at U.S. critical infrastructure.
According to Microsoft, Volt Typhoon has been targeting critical infrastructure organizations in Guam and other parts of the U.S. The affected organizations are active in the communications, manufacturing, utility, transportation, construction, maritime, government, technology, and education sectors.
The FBI launched the operation to take down the group's router botnet last month, seizing a server that Volt Typhoon had used to control the infected routers. Officials then used that server to send commands to the routers that disconnected them from the botnet.
The FBI reportedly also uninstalled a malicious virtual private network, or VPN, tool that the hackers had installed on the compromised devices. The changes are meant to prevent Volt Typhoon from reconnecting the routers to the botnet. Officials have also notified the users whose routers were compromised by the hackers.
CISA and the FBI today released new guidance for network equipment makers. Officials are advising SOHO router manufacturers to implement an automated patching mechanism in their devices. The guidance also emphasizes the need for secure default settings, as well as features that prevent attackers from remotely accessing a router's management console.

