
Uncovering the Unkillable: Chinese APT Volt Typhoon and the Threat of the KV-botnet

Posted: January 4, 2024

Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet

A prominent Chinese hacking group has been linked to an indestructible botnet that primarily targets U.S. critical infrastructure, stirring up concerns about the security of national networks. Known as the Advanced Persistent Threat (APT) Volt Typhoon, the group has developed a reputation for its persistent cyber espionage activities. However, this is the first time they've been associated with a "botnet," which refers to a network of infected computers operated remotely by hackers.

The botnet discovered, dubbed the "Unkillable SOHO Router Botnet," presents a considerable cybersecurity threat because of its robust and hard-to-destroy nature. Unlike traditional botnets, which are eliminated once the infected machines are cleaned, this variant can survive even after the infected routers are disconnected and rebooted, making it essentially "unkillable."

Botnet Infected with End-of-Life SOHO Routers

The genius of this malicious network lies in its choice of target devices. The Unkillable SOHO Router Botnet is packed with Small Office/Home Office (SOHO) routers nearing or past the end of their life cycle. These include outdated router models from various brands, including Cisco, Netgear, and Fortinet.

Due to their age, these routers no longer receive firmware or security updates from their manufacturer, making them easy targets for cybercriminals. Once these routers are infected, they are effectively weaponized. The hackers can then use these routers to perpetrate various nefarious operations ranging from data theft to Distributed Denial-of-Service (DDoS) attacks.

Chinese Hackers Set Up Tor-Like Covert Data Transfer Network

Perhaps the most concerning aspect of this new revelation is the sophistication of the Volt Typhoon group's operations. The Chinese hackers have reportedly set up a secret data transfer network, similar to the anonymous internet network Tor, to conduct their illicit activities covertly. By bouncing connections through numerous nodes, this network makes it extremely challenging for cybersecurity experts to trace the source of the attacks.

This clandestine data transfer network enables the group to compromise systems, extract sensitive information, and erase their tracks without raising suspicion. It is thus not just the botnet's indestructible nature that poses a considerable threat but also its stealthy and covert operations that make it especially insidious.

Analysis by Black Lotus Labs

Black Lotus Labs, a leading cybersecurity research organization, has provided a detailed analysis of the unkillable botnet. Identified as KV-botnet, this network of infected devices is unique in its composition and presents significant challenges to cybersecurity experts working to counter it.

The botnet comprises end-of-life products that are vulnerable to critical security issues

The main arsenal of the KV-botnet includes end-of-life products that are past their support periods and, as a result, are particularly susceptible to security issues. These devices no longer receive necessary security patches from manufacturers, making them easy targets for hackers. As such, they provide a simple route for the botnet operators to infiltrate network systems and carry out nefarious activities.

The decision to use these end-of-life products as hosts for their botnet demonstrates the advanced thinking and strategy of the cybercriminals. By selecting products that will remain unpatched due to vendors discontinuing security support, they ensure that their botnet remains active and unkillable for an extended period.

Possibility of intensified activity over the holiday season

Black Lotus Labs has raised the alarm over the likely escalation in the botnet's activities, especially over the holiday season. The recently discovered incorporation of hijacked Axis IP cameras into the botnet has suggested that the hackers may be preparing for a surge in activity.

Using connected cameras as part of a botnet adds to the number of controllable devices and presents new avenues for malicious activities. The camera's ability to capture live feeds can provide the hackers with additional information that may aid their operations.

Publication of malware artifacts and detailed technical analysis

With the hope of helping organizations defend against such threats, Black Lotus Labs has published detailed technical analyses along with the malware artifacts associated with the KV-botnet. This information provides organizations with actionable insights that they can use to strengthen their cybersecurity measures.

In addition, the analysis could aid cybersecurity researchers in developing effective countermeasures against the KV-botnet and similar threats. By dissecting the botnet's composition and operation methods, we can anticipate potential evolutions of this threat and be better prepared to prevent them.

Implications of the Botnet and Cyber Threat

One of the primary implications of this botnet is that its operations are practically undetectable to the average user. The routers hijacked for this botnet are models designed to handle large data bandwidth. Thus, even when these devices are being used for malicious operations, regular users are unlikely to notice a significant impact on their internet performance. This feature enables the botnet to operate covertly, making it harder to detect and eliminate.

Botnet seen as a potential trend in utilizing compromised firewalls and routers in threat actor operations

The most concerning implication of the KV-botnet is the precedent it sets for future cyber threats. By exploiting outdated routers and firewalls, the attackers have created a highly persistent, covert, and essentially unkillable botnet. If this strategy proves successful, it could become a trend among threat actors, leading to more attacks of the same kind.

Such a shift in tactics would pose a significant challenge to cybersecurity experts. The end-of-life routers and firewalls that make up this botnet are notoriously difficult to update or patch, making it difficult to eliminate the threat they pose. Furthermore, their widespread usage means that a large pool of potential targets exists for attackers to exploit.

High-value networks, including a U.S. judicial organization and a satellite-based network management organization, among the infected

Cementing the botnet's potential national security implications, it has been revealed that several high-value networks, including a U.S. judicial organization and a satellite-based network management organization, have been infected by the botnet. The presence of the botnet on these networks indicates its potential reach and the gravity of the threat it poses.

For organizations like the U.S. judicial body, the botnet could allow attackers to access sensitive legal documents and court records, risking a breach of confidentiality. For the satellite network organization, the hack could destabilize their operations, potentially affecting satellite-based services like GPS, telecommunications, and weather forecasting.

Mitigation and Response

In light of the revelation of the unkillable botnet attributed to the Chinese APT group Volt Typhoon, an urgent, robust action plan must be implemented to mitigate the threat. This plan should focus on monitoring, effective use of available resources, and a proactive approach to device updates.

Urgency for network defenders to monitor large data transfers out of the network

Because these botnet-infected devices keep normal network operations running unaffected, illicit activity is hard to detect. Network defenders must therefore monitor data traffic, especially large data transfers exiting their networks. Such outflows could indicate exfiltration, a primary function of the botnet.
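As an added illustration of the monitoring the article calls for (this is example code written for this page, not code from the article or from Black Lotus Labs), the script below aggregates outbound byte counts per internal host from flow records and flags hosts whose outbound volume is anomalous either in absolute terms or relative to their peers. The three-column flow format, the 10.0.0.0/8 internal range, the thresholds and every sample flow line are constructed assumptions; a real deployment would read NetFlow/IPFIX or firewall logs and tune the thresholds to the site's own baseline.

```python
"""Flag internal hosts with anomalously large outbound data transfers.

Added example for this article; not the article's or Black Lotus Labs' code.
The flow format, address ranges, thresholds and sample data are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records, one per line: "src_ip dst_ip bytes_out".
# This is a hypothetical export format standing in for a flow collector.
SAMPLE_FLOWS = """\
10.0.1.10 93.184.216.34 48000
10.0.1.10 93.184.216.34 52000
10.0.1.11 10.0.2.5 9000000
10.0.1.12 203.0.113.7 1200000000
10.0.1.13 198.51.100.9 30000
10.0.1.13 198.51.100.10 41000
10.0.1.12 203.0.113.8 350000000
"""

# Assumed internal address space; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (src, dst, bytes) tuples; skip malformed lines instead of aborting."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield parts[0], parts[1], int(parts[2])
        except ValueError:
            continue


def outbound_bytes_per_host(flows):
    """Sum bytes per internal source, counting only flows that leave the network.

    Internal-to-internal traffic (e.g. backups to a file server) is ignored so
    that it does not mask or inflate the outbound figure.
    """
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_large_exfil(totals, abs_threshold, peer_factor=20):
    """Return {host: (total_bytes, [reasons])} for hosts that look anomalous.

    A host is flagged if its outbound total exceeds abs_threshold bytes, or if
    it exceeds peer_factor times the median outbound total of the other hosts.
    The peer comparison catches a host that is large relative to its
    neighbours even when the absolute threshold is set generously.
    """
    flagged = {}
    for host, total in totals.items():
        others = sorted(v for h, v in totals.items() if h != host)
        # Upper-middle element for even counts; good enough for a baseline.
        median = others[len(others) // 2] if others else 0
        reasons = []
        if total > abs_threshold:
            reasons.append("exceeds absolute threshold")
        if median and total > peer_factor * median:
            reasons.append("far above peer median")
        if reasons:
            flagged[host] = (total, reasons)
    return flagged


if __name__ == "__main__":
    per_host = outbound_bytes_per_host(parse_flows(SAMPLE_FLOWS))
    for host, (total, reasons) in flag_large_exfil(per_host, 1_000_000_000).items():
        print(f"{host}: {total} bytes outbound ({'; '.join(reasons)})")
```

In the constructed sample, only 10.0.1.12 is flagged: its 1.55 GB outbound total both exceeds the 1 GB absolute threshold and dwarfs the 100 kB median of its peers, while 10.0.1.11's 9 MB transfer to an internal address is correctly ignored. Running this over a day's flows per site, rather than a single batch, is what turns it into the ongoing monitoring the article recommends.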

One of the ways organizations can effectively respond to this threat is through the proper utilization of resources. Key among these resources are the malware artifacts related to the botnet, which have been released by Black Lotus Labs. By studying these artifacts, organizations can gain an understanding of the botnet's operation, helping them develop effective countermeasures.

Furthermore, the detailed technical analysis provided by Black Lotus Labs can aid organizations in understanding the nuts and bolts of the botnet. This knowledge can help them anticipate the botnet's potential evolutions, thereby enabling them to develop proactive defensive measures.

Increased awareness and upgrades for end-of-life edge devices recommended

A crucial part of the mitigation process is a shift in the approach to handling end-of-life devices. Due to their outdated security protocols, these devices serve as the main agents of this botnet. Therefore, organizations are strongly recommended to be conscious of the devices connected to their networks.

Where possible, upgrades should be made to these devices to bolster their security features and remove them as easy targets for threat actors. In cases where upgrades are not possible, additional protective measures, such as network segmentation, should be implemented to limit the potential spread of botnet infection within the network.
