Euro Security Watch with Mathew J. Schwartz

Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management

How Long Will FBI's 'Volt Tycoon' Router Interdiction Stick?

Volume of Poorly Secured, Legacy IoT That Can Be Turned Against Us Keeps Growing
How Long Will FBI's 'Volt Tycoon' Router Interdiction Stick?
Our unpatched SOHO routers are being used against us, lately by Chinese cyberespionage hackers. (Image: Shutterstock)

A move by the FBI to dismantle a Chinese espionage botnet built on the backs of poorly secured routers undoubtedly struck a blow - but perhaps not a fatal one.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

The FBI announced this week it had used a court order to forcibly remove "KV Botnet" malware from "hundreds" of Cisco and Netgear routers found in homes and small businesses across America (see: Here's How the FBI Stopped a Major Chinese Hacking Campaign).

Officials said a Beijing-run cyberespionage group with the codename Volt Typhoon, aka Bronze Silhouette, had installed the malware, which could be used to try and trigger widespread disruptions - for example, to try and slow any U.S. military response to a Chinese invasion of Taiwan.

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," FBI Directory Christopher Wray testified yesterday before the House Select Committee on the Chinese Communist Party.

In recent weeks, security experts have been warning of a fresh Volt Typhoon campaign to subvert SOHO devices in the United States and in the United Kingdom and Australia.

The FBI said in court documents that it would directly notify every internet service provider hosting the IP address of a device it found to be infected with KV Botnet malware and ask the ISP to notify the customer.

Officials cautioned that the FBI's recent fix may be temporary. "The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks," the U.S. Department of Justice said. According to court documents, neither the malware nor the FBI's mitigations can survive a device reboot, meaning they appear to reside only in memory.

"If you believe you have a compromised router, please visit the FBI's Internet Crime Complaint Center or report online to CISA," the DOJ said.

Target: KV Botnet Malware

Partially redacted search warrants obtained by the FBI on Dec. 6, 2023, show that it planned to use a multilayered strategy to remotely block the malware. First, the bureau planned to remotely contact routers that were talking to the KV Botnet and issue a command telling them to delete the malware.

"The FBI has done extensive testing on every type of Cisco and Netgear router that the FBI has identified as being part of the botnet and confirmed that the removal of the KV Botnet malware through this delete command does not affect any legitimate files or information on the target devices," the bureau said in court documents.

It also said it had planned to create a "communications loopback" that would cause the malware on the device to only communicate with itself.

"The FBI will simultaneously issue commands that will interfere with the hackers' control" over the routers, "including by preventing the hackers from easily re-infecting the target devices with KV Botnet malware," the bureau said in court documents.

The bureau said it also had planned to instruct infected devices to stop running "the KV Botnet VPN process" - thus stopping it "from operating as a VPN node" for the botnet, and leaving any legitimate VPN processes untouched - and to block incoming botnet command-and-control traffic.

At What Price Cheap IoT Goods?

Rather than having the FBI play whack-a-mole to remotely neuter outdated IoT devices, the better defense would be tough love. Why not emulate the 1999 workplace comedy film "Office Space" - specifically, the scene which in three IT workers take a baseball bat to a wildflower-filled meadow and "execute" a misbehaving fax machine.

Then again, could we keep up? Market researcher IDC has estimated that the global number of internet-connected IoT devices will reach nearly 56 billion by next year. While some laws on the books in the U.K. and some U.S. laws require minimum security standards for IoT devices, including the ability to remotely update both their hardware and software, such rules won't magically fix what's already in circulation.

Devices built using "secure by design" approaches will also eventually become legacy technology, no longer supported by manufacturers, that can potentially be turned against us, unless more gets done to future-proof them, said Chester Wisniewski, field CTO for applied research at Sophos.

"What really needs to happen is that vendors should release a final 'bridge firmware' when a device is end-of-life'd," Wisniewski said in a Mastodon post. "This would open the hardware to open-source firmware to extend the life of the device beyond the manufacturers' willingness to support their proprietary firmware. Few would take advantage, but it solves the e-waste problem and the $$$ problem."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.