Recent US operations rendered Chinese-backed hackers’ support system inert, research finds

FBI Director Chris Wray testifies before a House committee on China's cyber security posture on January 31, 2024. He's joined by Cyber Command commander Gen. Paul Nakasone and Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency

FBI Director Chris Wray testifies before a House committee on China's cyber security posture on January 31, 2024. He's joined by Cyber Command commander Gen. Paul Nakasone and Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency Kevin Dietsch/Getty Images

The support network, called KV-botnet, has helped enable the activities of Volt Typhoon and other Chinese state-backed hackers.

A court-authorized FBI operation that disrupted the China-linked Volt Typhoon hacking collective likely occurred between Dec. 6 and Dec. 8 of last year and immobilized a support network that the group heavily relied on to carry out its activities, according to telemetry data revealed in a Wednesday report showing the group’s operatives trying to resist the U.S. takedown efforts.

The analysis conducted by Black Lotus Labs, Lumen’s threat intelligence research division, helps shed light on the recently confirmed digital offensive that purged Chinese state-sponsored hackers hooked into Cisco and NetGear routers.

The hackers had accessed the devices on a botnet system known as “KV-botnet” that chained together other compromised equipment, forming a clustered data transfer network that allowed the hacking campaigns of Volt Typhoon and other China-backed groups to flourish. 

The court approval allowed U.S. operatives to delete the botnet malware from the targeted small office and home office — or SOHO — internet routers. The actions were also confirmed in a hearing with cyber and intelligence officials by FBI Director Christoper Wray. 

The brief but intense activity detected by Lumen shows the hackers trying to retake control of various devices between Dec. 8 and 11, leading the researchers to believe the U.S. had stepped in just beforehand to jettison the cyberspies. The first warrant was signed Dec. 6, noting that infected hardware was present in the Southern District of Texas and five other unnamed districts.

The analysis concluded that law enforcement actions against the network rendered the main arm of the botnet inert. A secondary cluster of devices remains operational but has lost at least half of its bots within the past month, it adds.

The FBI did not immediately respond to a request for comment.

“We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023,” Lumen’s readout says. In that timeframe, the botnet’s controllers interacted with some 3,000 different IP addresses, including NetGear ProSAFE hardware and Axis IP cameras.

The botnet has historically relied on end-of-life products from major U.S. manufacturers that are no longer able to receive patches but still function well enough for day-to-day use, enabling hackers to cover their tracks as they seek to compromise their targets, said Lumen Lead Information Security Engineer Ryan English.

“No one throws these things away because they happen to notice Cisco isn't supporting a seven-year-old firewall anymore,” English said. “It’s not economical to yank stuff out of the wall the day it’s no longer supported, but at some point, there’s an exploit that appears that no one will patch,” he added.

Previous Black Lotus Labs research has indicated the botnet was being used during Chinese business hours, and that its operators have been cautiously exploiting devices in attempts to add them to the network.

The KV malware does not have the ability to remain on devices after they are switched off, meaning the botnet’s operatives must latch onto them again if they are power-cycled. Report data shows a significant spike in re-exploitation attempts in December 2023, which suggests hackers were likely monitoring victims’ devices before the FBI intervened to take their infrastructure offline, Lumen says.

The routers were not all necessarily linked to the infrastructure targeted by Volt Typhoon but were used to help the hackers hide, officials said last week.

Wray and other intelligence community heavyweights gave a stark warning to lawmakers last week that China-backed hacking activities against the U.S. have reached a new level of complexity, and that the federal government must work with private-sector partners to deter Beijing-sponsored cyber threats amid broader diplomatic tensions between the two nations.

“The Chinese government has been categorical in opposing hacking attacks and the abuse of information technology,” Chinese Embassy Spokesperson Liu Pengyu said in a statement to Nextgov/FCW last week. “The United States has the strongest cyber technologies of all countries, but has used such technologies in hacking, eavesdropping more than others. We urge the U.S. side to stop making irresponsible criticism against other countries on the issue of cyber-security.”