US disrupts China-linked cyber campaign impacting critical infrastructure, Justice officials say

The U.S. disrupted a China-linked hacking operation that was targeting American and allied critical infrastructure, Department of Justice officials confirmed Wednesday.

The U.S. received court authorization last month to disable the hacking activities of the Chinese state-sponsored Volt Typhoon hacking campaign that worked to embed KV Botnet malware into privately owned routers to conceal their intrusions into U.S. and foreign allies’ systems. 

“The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” the Justice Department said in a news release.

The campaign was linked to a joint advisory issued by cyber and intelligence authorities in May, warning that the China-linked operation was employing “living off the land” techniques that allowed hackers to blend in alongside normal network behavior and evade detection. 

A related notice about the hacking group was issued in December, alongside a new alert issued Wednesday by the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency.

The routers were not all necessarily linked to the infrastructure targeted by Volt Typhoon but were used to help the hackers hide, officials noted.

The court authorization allowed U.S. operatives to delete the botnet malware from the small office and home office, or SOHO internet routers. The actions were also confirmed in a Wednesday hearing with cyber and intelligence officials by FBI Director Christoper Wray. 

“The United States will continue to dismantle malicious cyber operations — including those sponsored by foreign governments — that undermine the security of the American people,” Attorney General Merrick Garland said in a statement.