The FBI disrupted a Chinese state-sponsored hacking effort against the US by resorting to its own hack to remove the malware from hundreds of infected Cisco and Netgear routers.
The infected routers formed a botnet that a Chinese hacking group called “Volt Typhoon” was allegedly using to try to infiltrate US critical infrastructure systems. But on Wednesday, the Justice Department announced it dismantled the botnet last month by securing court orders, allowing federal agents to secretly remove the malware from the infected devices—some of which were likely owned by regular consumers.
“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray in the announcement.
Botnets are essentially armies of computers that have become infected with a hacker’s malware, secretly placing the machines under the hacker’s control. In this case, the Chinese state-sponsored hackers developed a piece of malware designed to infect out-of-date “small office/home office” Netgear and Cisco routers located in the US.
These routers were especially vulnerable “because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” the Justice Department said.
Back in May, the US warned the public about Volt Typhoon exploiting US-based routers to help hide their hacking activities. Newly unsealed court orders show the FBI found that infected routers will download a VPN to encrypt incoming data from the Chinese hackers.
The court order goes on to suggest the FBI developed a way to hijack the botnet and identify the infected routers. “Using the malware’s communications protocols, the FBI will issue a command to Target Devices to delete the KV Botnet malware from Target Devices,” the FBI proposed to the court.
The court order says the FBI did extensive testing to ensure its hacking of the routers would not affect any legitimate files or information on the devices. “The FBI will seize each such Target Device by causing the malware on it to communicate with only itself. This method of seizure will interfere with the ability of the hackers to control these Target Devices,” the agency told the court.
Although the FBI disinfected the routers, the Justice Department still warned: “The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers.” This is because restarting the affected routers can “reverse” the FBI’s mitigation steps, which were intended to prevent reinfection.
That is why the agency plans to notify the owners of the affected routers. The news underscores how out-of-date consumer technology can pose a national security threat. “By ensuring home and small-business routers are replaced after their end-of-life expiration, everyday citizens can protect both their personal cyber security and the digital safety of the United States,” noted FBI Special Agent in Charge Douglas Williams.
The Justice Department also announced the news as the FBI and NSA testified before Congress about the threat of China using cyberattacks to disrupt the US. “The PRC’s cyber onslaught goes way beyond prepositioning for future conflict. Today, and literally every day, they’re actively attacking our economic security, engaging in wholesale theft of our innovation, and our personal and corporate data,” Wray told lawmakers in prepared remarks.