cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Volt Typhoon unable to rebuild botnet following FBI takedown

The Chinese state-sponsored hacking group Volt Typhoon is struggling to get its botnet back up and running after it was brought down in an FBI takedown last month.

user icon Daniel Croft
Thu, 08 Feb 2024
Volt Typhoon unable to rebuild botnet following FBI takedown
expand image

Volt Typhoon had been observed using its ”KV botnet” to probe critical infrastructure sites and operators in the US, with its malware infecting hundreds of old Cisco and NetGear routers and network devices.

Last year, the group was observed targeting a critical infrastructure operator located on the US territory of Guam, leading officials to believe that the group may launch an attack on the operator, disrupting military capabilities as tensions between China and the US grow over Taiwan.

The FBI then secured a warrant to take down the botnet on 6 December 2023, before taking control of one of the group’s command-and-control servers to cut the hackers’ access to the botnet devices.


Now, reports have suggested that the group is trying and failing to revive the botnet, with the Black Lotus Labs team at Lumen Technologies saying that the hacking group conducted an attack to infect 3,045 devices, including a third of the world’s internet-exposed NetGear ProSAFE routers.

This led to the infection of 630 devices.

“We observed a brief but concentrated period of exploitation activity in early December 2023, as the threat actors attempted to re-establish their command and control (C2) structure and return the botnet to working order,” said the Black Lotus Labs team.

“Over a three-day period from December 8 to December 11, 2023, KV-botnet operators targeted approximately 33 per cent of the NetGear ProSAFE devices on the Internet for re-exploitation, a total of 2,100 distinct devices.”

The Black Lotus Labs team added that it thwarted Volt Typhoon’s revival efforts through null-routing Volt Typhoon’s C2 and payload server from 12 December to 12 January.

“Despite the botnet operator’s best efforts, Lumen Technologies’ quick null-routing, along with the effects of the FBI’s court-authorised action, appear to have had a significant impact on the uptime, breadth, and sustainability of KV-botnet,” it said.

The FBI has been busy dealing with Chinese hackers like Volt Typhoon, releasing an advisory alongside the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and agencies from the Five Eyes information-sharing alliance, including Australia’s Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC).

The advisory outlines the techniques of these hacking groups, including Volt Typhoon’s living-off-the-land techniques, which it uses to remain undetected for long periods of time.

The group reportedly had access to some US IT environments for at least a five-year period.

Additionally, the US Department of Justice, in tandem with the FBI, has launched a campaign to take down a Chinese hacking campaign targeting US critical infrastructure, in which Volt Typhoon plays a vital role.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.