How FBI deleted China malware from US routers

Hundreds of US-based routers were hijacked by malware so they could be used in cyberattacks. But with the court's permission, an FBI cyber squad turned the botnet’s functionality against itself and terminated it.

Officials have shared details revealing the intricacies of their fightback against a hacker group known as Volt Typhoon, which was found to be responsible for campaigns targeting critical infrastructure in the United States and elsewhere.

It was recently reported that the FBI managed to shut down Volt Typhoon’s operation, which targeted privately owned small and home office (SOHO) routers, mainly made by Cisco and Netgear, infecting them with malware.

The malware linked target routers to a network of nodes, known as a botnet, which hackers used as proxies to conceal their identities while committing intrusions against US victims, applications for search warrants revealed.

The FBI sought and received the court’s permission to identify infected routers so it could remotely search systems and seize evidence, removing the malware and taking steps to prevent reinfection.

But before taking any action, agents remotely installed software on targeted computers to conduct searches and obtain electronically stored information.

Developed the kill switch

The investigation led to malware known as KV Botnet, programmed to relay encrypted traffic between the infected SOHO routers so that Chinese hackers could anonymize, and thus effectively conceal, their activities.

The KV Botnet consisted of infected routers (“nodes”), parent nodes, and command-and-control (C2) nodes. The parent and C2 nodes were the computers that relayed or issued commands to other nodes in the botnet.

“The hackers likely targeted the SOHO routers for KV Botnet malware infection because the routers have reached ‘end of life’ status,” the document said.

End-of-life status means a manufacturer no longer supports the device in question with security patches.

The FBI discovered that KV Botnet could be removed by restarting the device, but some SOHO routers operate for long periods without ever restarting.

“The KV Botnet malware is difficult to detect, and owners of infected routers typically do not know they are victims and, therefore, do not have a reason to restart their devices. Even if they are restarted, these devices remain vulnerable to reinfection.”

Once active, KV Botnet can download a VPN module that encrypts its traffic, concealing the hackers’ operations from inspection.

The FBI used the botnet’s own functionality to identify the nodes within KV Botnet and send commands to identify which US routers were considered “target devices.”

“A router that is not infected by the KV Botnet malware would not receive or respond to this command,” the FBI document explained.

Rather than physically seizing the geographically dispersed routers, the FBI took remote steps to accomplish a virtual equivalent by disabling the hackers’ control.

After extensive testing on every type of Cisco and Netgear router that was part of the botnet, the FBI used the malware’s communications protocols to issue a command “to delete the KV Botnet from target devices.”

Simultaneously, other commands interfered with “the hackers’ control over the instrumentalities of their crimes” to prevent reinfection.

According to the warrant, the FBI would notify internet service providers (ISPs) to inform the affected customers after the operation.

Threatened national security

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI director Christopher Wray in a press release.

Warning that this constituted a potential threat to the physical safety of US citizens, he added: “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors.”

A joint cybersecurity advisory published by the US and foreign partner agencies in Canada, Australia, and New Zealand on May 24th, 2023, claimed a group of hackers sponsored by the People’s Republic of China was using compromised routers to hide while committing hacks and espionage.

These hackers operated from US-based internet protocol (IP) addresses, deceptively blending into local network traffic.

A Microsoft report adds that Volt Typhoon has been active since 2021, and also says it targets critical infrastructure in the US.

“This Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises,” the report stated.

A December 2023 legally sanctioned operation disrupted a botnet of hundreds of US-based SOHO routers hijacked by hackers sponsored by the People’s Republic of China (PRC).

“The Justice Department has disrupted a PRC-backed hacking group that attempted to target America’s critical infrastructure utilizing a botnet,” said US attorney general Merrick Garland. “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people.”

Deputy attorney general Lisa Monaco added: “In wiping out the KV Botnet from hundreds of routers nationwide, the Department of Justice is using all its tools to disrupt national security threats – in real-time.”

Routers still vulnerable

The DoJ says the operation was temporary and did not impact legitimate operations or collect information from hacked routers.

“A router’s owner can reverse these mitigation steps by restarting the router,” it added. “However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.”

Any US citizen who believes they have a compromised router is advised to visit the FBI’s Internet Crime Complaint Center or report online to national cybersecurity body CISA.

The DoJ warned: “The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.”
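As an added example, not part of this article and not any FBI or DoJ tooling, the following Python triages a constructed SOHO router inventory along the lines the article sets out: end-of-life routers are flagged for replacement, because a restart clears KV Botnet but cannot stop reinfection of unpatched hardware; supported routers with stale firmware get an update before any restart, since a restart without accompanying mitigation leaves the device exposed; and routers that have run far longer than a chosen threshold are scheduled for a restart. The CSV inventory, the hostnames and model labels, the 90-day uptime threshold, and the remote-administration column are all assumptions made for the example.

```python
import csv
from io import StringIO

# Constructed sample inventory (hypothetical hosts and placeholder model labels,
# not from the article): one row per SOHO router the defender is responsible for.
SAMPLE_INVENTORY = """\
hostname,vendor,model,eol,uptime_days,firmware_current,remote_admin
rtr-branch-01,Cisco,MODEL-A,yes,412,no,yes
rtr-home-07,Netgear,MODEL-B,no,385,no,no
rtr-home-12,Netgear,MODEL-B,no,3,yes,no
rtr-lab-02,Cisco,MODEL-C,no,91,yes,yes
"""

# Assumption: a router running longer than this is treated as "never restarted",
# the condition the article says lets the malware persist.
MAX_UPTIME_DAYS = 90


def _flag(value):
    """Interpret a yes/no style CSV cell as a boolean."""
    return value.strip().lower() in {"yes", "true", "1"}


def triage_router(row):
    """Return the ordered list of recommended actions for one inventory row.

    Order matters: mitigations come before the restart, because a restart on
    its own removes the malware but leaves the router open to reinfection.
    """
    if _flag(row["eol"]):
        # Unsupported hardware gets no patches, so the only durable fix is replacement.
        return ["replace"]
    actions = []
    if not _flag(row["firmware_current"]):
        actions.append("update-firmware")
    if _flag(row["remote_admin"]):
        # Assumption for the example: a WAN-facing admin interface is extra exposure
        # worth closing before the device is restarted.
        actions.append("disable-remote-admin")
    if int(row["uptime_days"]) > MAX_UPTIME_DAYS:
        actions.append("restart")
    return actions or ["no-action"]


def triage_inventory(csv_text):
    """Map each hostname in a CSV inventory to its recommended actions."""
    reader = csv.DictReader(StringIO(csv_text))
    return {row["hostname"]: triage_router(row) for row in reader}


if __name__ == "__main__":
    for host, actions in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {' -> '.join(actions)}")
```

Run as a script it prints one line per router; the end-of-life branch router is marked for replacement regardless of its other fields, while the supported home router with old firmware is told to update first and restart second.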