Feb 01, 2024 11:24:00

FBI announces successful dismantling of cyberattack botnet of Chinese government-backed hacking group ``Bolt Typhoon''

The US government has announced that it has successfully removed malware from thousands of internet-connected routers and network cameras used by a hacking group supported by the Chinese government. The Department of Justice and

the Federal Bureau of Investigation (FBI) have obtained court orders to remotely neutralize some of China's hacking efforts.

Office of Public Affairs | US Government Disrupts Botnet People's Republic of China Used to Conceal Hacking of Critical Infrastructure | United States Department of Justice
https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical

Secure by Design Alert: Security Design Improvements for SOHO Device Manufacturers | CISA
https://www.cisa.gov/resources-tools/resources/secure-design-alert-security-design-improvements-soho-device-manufacturers

Exclusive: US disabled Chinese hacking network targeting critical infrastructure | Reuters
https://www.reuters.com/world/us/us-disabled-chinese-hacking-network-targeting-critical-infrastructure-sources-2024-01-29/

FBI disrupts Chinese botnet by wiping malware from infected routers
https://www.bleepingcomputer.com/news/security/fbi-disrupts-chinese-botnet-by-wiping-malware-from-infected-routers/

President Joe Biden's administration is concerned that the Chinese government is attempting to hack into America's internet infrastructure in order to interfere with the 2024 US presidential election. Additionally, in 2023, ransomware wreaked havoc on American companies , and the US government is increasingly focusing on anti-hacking measures.

In recent years, the hacker group Bolt Typhoon, which is backed by the Chinese government, has attracted particular attention. Microsoft has issued a warning that Bolt Typhoon is conducting a cyber attack targeting America's critical infrastructure. In addition, Bolt Typhoon is a hacking group that launches cyberattacks on critical infrastructure in the West, including military ports, internet service providers, and public utilities, so it seems to be particularly wary of intelligence authorities. Furthermore, when Western countries first warned of the Bolt Typhoon cyber attack in May 2023, a spokesperson for the Chinese Ministry of Foreign Affairs stated that ``the alleged hacking is a collective disinformation campaign from the Five Eyes countries.'' I was there.

Microsoft warns that Chinese government-affiliated hacker group ``Bolt Typhoon'' is conducting espionage activities targeting critical infrastructure - GIGAZINE

According to three people familiar with U.S. government cybersecurity, the Bolt Typhoon cyberattack was first discovered in May 2023. Subsequently, Bolt Typhoon expanded its scope of activity around the end of 2023 and changed some of its cyber attack methods.

The Bolt Typhoon cyberattack was so widespread that the U.S. government began meeting with the private technology industry, including several telecommunications companies and cloud computing companies, to help track and trace cyberattack activity. It seems that it has become.

A national security expert said, ``The Bolt Typhoon cyberattack could somehow allow China to remotely sabotage ``key facilities in the Indo-Pacific region that support U.S. military operations.'' 'There is,' he points out. In addition, American government officials are concerned that ``hackers are working to undermine America's preparations for China's invasion of Taiwan.''

China, which claims Taiwan as its own territory, has stepped up its military activities near Taiwan in recent years to counter the alliance between Taiwan and the United States.

Security experts told Reuters that Bolt Typhoon is a clever way to deploy malware by taking control of digital communication devices such as routers, modems and security cameras to launch cyberattacks against sensitive targets. Apparently they are hiding the source of the infection. The series of remote control systems, known as botnets, is a top concern for security officials because they 'could limit the visibility of cybersecurity officials monitoring foreign

footprints within computer networks.' I was there.

A former agency official said, ``The Bolt Typhoon cyberattack mechanism controls cameras and modems geographically located right next to military ports and internet service providers, securing a route to the real target. That's what it means,' he explains.

Specifically, Bolt Typhoon is said to be hijacking SOHO and ensuring its malicious activity is integrated into legitimate network traffic to avoid detection. The network devices used as a botnet include Netgear's safety system 'ProSAFE,' Cisco's Wi-Fi router 'RV320,' DrayTek's Wi-Fi router 'Vigor,' and Axis' IP camera. It contains. According to SecurityScorecard research data, Bolt Typhoon is estimated to have hijacked approximately 30% of Cisco's Wi-Fi routers RV320 and RV325.

To dismantle the Bolt Typhoon botnet, the FBI hacked the botnet's command and control (C2) server and obtained a court order authorizing it to shut down the botnet. It then commands the compromised devices to leave the botnet, preventing Bolt Typhoon from reconnecting them to the malicious network.

Furthermore, by uninstalling the Botnet VPN component, we also prevented hackers from exploiting these devices to conduct further cyberattacks. The Department of Justice, which jointly conducted the operation with the FBI to take down the Bolt Typhoon botnet, said, ``Most of the routers that made up the botnet were Cisco and NetGear Wi-Fi routers; 'They were vulnerable because they had reached end-of-life status, meaning they were no longer supported by the manufacturer's security patches or other software updates.' is explained.

The United States Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued guidance to SOHO router manufacturers to ensure security from Bolt Typhoon attacks. The guidance also calls for automating security updates, allowing access to web management interfaces only from LAN by default, and eliminating security flaws during design and development.

The use of so-called botnets by government agencies and hackers to hide the origin of cyberattacks is not new. This type of approach is said to be used when attackers want to quickly target a large number of victims at the same time, or when they want to hide the origins of their victims.