Updated: U.S. has disabled parts of Chinese hacking infrastructure, says Reuters

American authorities obtained legal authorization to remotely disable parts of a China-based hacking campaign, sources have told Reuters.

The news agency said in an exclusive story Monday that the action against the hacking group, dubbed Volt Typhoon by Microsoft and other threat researchers, came because the government worries it’s part of a larger effort to compromise Western critical infrastructure.

The U.S. Justice Department and the FBI declined to comment, the news story said. The Chinese embassy in Washington did not immediately respond to a request for comment.

UPDATE: At a Congressional hearing on Jan. 31, FBI Director Christopher Wray confirmed that his agency acted with a court order to disrupt some of the Volt Typhoon activity online.

In addition, the U.S. Justice Department issued a statement with details. A December 2023 court-authorized operation disrupted Volt Typhoon’s botnet of hundreds of U.S.-based small office/home office (SOHO) routers hijacked by People’s Republic of China (PRC) state-sponsored hackers, it says. Dubbed the KV Botnet, it was composed of vulnerable end-of-life routers from Cisco Systems and NetGear. “The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the statement says.

Disconnecting the routers from the KV Botnet is only a temporary fix, the statement adds. “A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.” The FBI is notifying all owners or operators of the infected routers, with a copy of the court order. 

U.S. cyber authorities told a Jan. 31 Senate hearing they believe the goal of the botnet was to pre-position malware on American critical infrastructure to be activated in a time of crisis.

Under Microsoft’s new nomenclature, threat actor groups are named after weather events. Typhoon indicates a group originates in or has been attributed to China.

Last May, Microsoft reported that Volt Typhoon had been targeting critical infrastructure organizations in Guam and elsewhere in the United States since 2021, probably for espionage. At the time, says Reuters, Chinese foreign ministry spokesperson Mao Ning said the hacking allegations were a “collective disinformation campaign” from the Five Eyes countries, the intelligence-sharing group made up of the United States, Canada, New Zealand, Australia, and the U.K.

The discovery deeply worried the U.S., reported the New York Times. After investigating, American authorities believed the infiltration was even worse than stated in the Microsoft report.

Going after a threat actor’s infrastructure — where they can — is a favoured tactic of experienced American cyber authorities. A year ago this month, the FBI seized the website of the Hive ransomware gang after penetrating the group’s computer networks — fortunately located in California. Last August, police in seven countries, including the U.S., announced they had infiltrated and taken down the infrastructure behind the Qakbot botnet, and then used that access to order infected computers to delete the malware.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com