FBI confirms it issued remote kill command to blow out Volt Typhoon's botnet

China's Volt Typhoon spies infected "hundreds" of outdated Cisco and Netgear equipment with malware so that the devices could be instructed to break into US critical infrastructure facilities, the Justice Department has said.

On Tuesday news broke that the Feds had blocked the malicious bot network that was set up on end-of-life, US-based small office/home office routers. Now more details have come out about how an FBI team infiltrated the operation and harvested crucial data before remotely wiping the KV Botnet, according to four warrants (5018, 5530, 5451 and 5432) filed by the FBI in a southern Texas court last month and released today.

"China's hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict," FBI Director Christopher Wray said in a statement. "Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors."

The Feds claim the Middle Kingdom's cyber-spies downloaded a virtual private network module to the vulnerable routers and set up an encrypted communication channel to remotely control the botnet, and potentially order the devices to carry out attacks as well as hide their activities. Specifically: Volt Typhoon used the US-based routers and IP addresses to target US critical infrastructure, we're told.

• US shorts China's Volt Typhoon crew targeting America's criticals
• Five Eyes and Microsoft accuse China of attacking US infrastructure again
• We know nations are going after critical systems, but what happens when crims join in?
• Ivanti releases patches for VPN zero-days, discloses two more high-severity vulns

The warrants allowed law enforcement to remotely install software on the routers to search for, and then seize or copy, information about the illicit activity before wiping the malware from the compromised devices.

To do this — and to limit the Feds' search to routers infected with the remote-control botnet malware — the FBI sent specific KV Botnet commands to compromised routers to collect "non-content information about those nodes," according to the warrants.

This includes the IP address, port numbers used by infected routers to communicate with other nodes, as well as IP addresses and ports used by each node's parent, and data on the command-and-control nodes.

"A router that is not infected by the KV Botnet malware would not receive or respond to this command," court documents claim. 

The Feds, along with foreign agency partners in Five Eyes nations, first warned about this threat in May 2023.

Also today, the US government's cybersecurity agency and the FBI issued an alert urging manufacturers to eliminate defects in SOHO router web management interfaces. This, according to the Feds, includes automating update capabilities, locating the web management interface on LAN-side ports only, and requiring an explicit manual override to remove security settings. ®