U.S. authorities say they have disrupted the “KV Botnet,” a network of hundreds of small office and home office (SOHO) routers hijacked by China state-sponsored hackers and used to conceal the origin of further activity directed against U.S. critical infrastructure organizations.
The botnet leveraged out-of-date, unsupported routers from Cisco and NETGEAR, as well as IP cameras from Axis Communications.
According to the U.S. Department of Justice, most of the routers that made up the KV Botnet were Cisco and NETGEAR devices that had reached “end of life” status and no longer received security patches or other software updates. A court-authorized operation deleted the KV Botnet malware from the routers, severed their connection to the botnet, and took other steps to block communications with the devices used to control the botnet and to prevent reinfection.
Authorities say the court-authorized operation did not impact the legitimate functions of, or collect content information from, the compromised routers. The hackers, meanwhile, had used the devices to build a botnet capable of disrupting critical communications infrastructure in the U.S., essentially positioning China state-sponsored cyber actors to attack in the event of an armed conflict.
The FBI is providing notice of the court-authorized operation to all owners or operators of SOHO routers that were infected with the KV Botnet malware and remotely accessed pursuant to the operation. For those victims whose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet service provider) and has asked those providers to provide notice to the victims, per the DOJ announcement.
Routers, IP Cameras Used in China State-Sponsored KV Botnet’s Attack Infrastructure
The DOJ announcement cited cybersecurity research from Microsoft and Lumen suggesting that the hackers were targeting routers from ASUS, Cisco, D-Link, NETGEAR, and Zyxel, as well as Axis IP cameras. However, the DOJ announcement itself cites only NETGEAR and Cisco devices.
According to Lumen, the specific devices used were NETGEAR ProSAFE routers, Cisco RV320 routers, DrayTek Vigor routers, and Axis IP cameras such as the M1045-LW, M1065-LW, and P1367-E.
However, a May 2023 advisory from the U.S. Cybersecurity & Infrastructure Security Agency on the same Chinese hacking group also suggested that devices from FatPipe and Fortinet were being used to hide the source of malicious activities.
The Lumen blog, published in December 2023, says the company’s researchers observed the hackers remodel the botnet’s infrastructure in November 2023 to include a new wave of exploitation against Axis IP cameras. Then, in early December, more than 170 ProSAFE devices were targeted.
Other Connected Devices Used in Hacking, Botnets
This follows similar news from the Russia-Ukraine conflict in early January, when Russian hackers compromised two residential surveillance cameras to spy on air defense systems and other critical infrastructure in Ukraine.
Ukrainian authorities say one camera was located on a balcony and was used by its owner to monitor the area around an apartment building. Russian hackers took remote control of the device and configured it to stream its video to YouTube. Another camera was used to monitor the car park of a residential complex, but it was hacked to give Russia visual information on the surrounding area.
The Security Service of Ukraine said in early January that it had blocked the operation of about 10,000 IP cameras that Russia could have used to adjust attacks on Ukraine.
In addition, a Chinese cybersecurity firm said last month that a large botnet campaign is targeting Android OS smart TVs and set-top boxes (STBs) via apps and firmware updates.