The U.S. government has disrupted a botnet, or network of malware-laden devices, that was used by a Chinese state-sponsored hacking group to disguise its activities.

The Justice Department announced the operation this morning. Also today, several senior U.S. officials testified before Congress on China-backed hacking activities targeting critical infrastructure. 

“The Justice Department has disrupted a PRC-backed hacking group that attempted to target America’s critical infrastructure utilizing a botnet,” said Attorney General Merrick Garland. “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people.”

The botnet that the government disrupted consisted of several hundred SOHO, or small office and home office, routers installed in the U.S. Most of the routers were made by Cisco Systems Inc. and Netgear Inc. The devices could be compromised because they had reached end-of-life status, meaning they no longer receive security patches.

The Justice Department detailed that the botnet was created by a Chinese state-sponsored hacking group known as Volt Typhoon. According to officials, the group used the breached routers to conceal the origin of a cyberattack campaign directed at U.S. critical infrastructure.

The campaign in question was detailed by Microsoft Corp. last March. According to the company, Volt Typhoon has been targeting critical infrastructure organizations in Guam and other parts of the U.S. The affected organizations are active in the communications, manufacturing, utility, transportation, construction, maritime, government, technology and education sectors.

Microsoft’s researchers determined that Volt Typhoon is seeking to perform espionage as well as maintain a long-term presence in victims’ networks. Additionally, the company detailed the group is “pursuing development of capabilities” that could disrupt communications between the U.S. and Asia in the event of a crisis. Microsoft believes that Volt Typhoon has been active since mid-2021. 

The operation to take down the group’s router botnet was launched last month by the Federal Bureau of Investigation. According to BleepingComputer, the FBI took over a server that Volt Typhoon had used to control the infected routers. Officials then sent commands to the routers that disconnected them from the botnet.

The FBI reportedly also uninstalled a malicious virtual private network, or VPN, tool that the hackers had installed on the compromised devices. The changes will prevent Volt Typhoon from reconnecting the routers to the botnet. For added measure, officials have notified the users whose routers were compromised by the hackers.

Separately, the Cybersecurity and Infrastructure Security Agency and the FBI today released new guidance for network equipment makers. Officials are advising SOHO router manufacturers to implement an automated patching mechanism in their devices. The guidance also emphasizes the need for secure default settings, as well as features that prevent hackers from remotely accessing a router’s management console. 

Photo: Unsplash