U.S. officials warn of dire Chinese cyber threats in wake of FBI operation to disrupt botnet

Volt Typhoon used privately owned routers infected with malware in attempt to conceal activity, DOJ says.
Commander of the U.S. Cyber Command Army Gen. Paul Nakasone, Jen Easterly, Director of the Homeland Security Department's Cybersecurity and Infrastructure Security Agency, and FBI Director Christopher Wray testify before the House (Select) Strategic Competition Between the United States and the Chinese Communist Party Committee on Capitol Hill on January 31, 2024 in Washington, DC. The Committee heard from intelligence officials on China's Cyber threat to the United States. (Photo by Kevin Dietsch/Getty Images)

The FBI and U.S. Department of Justice used court-endorsed legal authorities to disrupt a botnet operated as part of Chinese-directed hacking operations that leveraged insecure home and office routers to target U.S. critical infrastructure, the DOJ said Wednesday.

A Chinese government hacking campaign, tracked publicly as “Volt Typhoon,” used privately owned Cisco and NetGear routers infected with “KV Botnet” malware in an attempt to conceal the activity, the agency said in a statement. The DOJ and FBI operation, the agency added, “deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.”

An unidentified FBI agent described the operation in court records released Monday, writing that the bureau issued a command to infected routers that would delete the KV Botnet malware from the devices without affecting any legitimate files or information on the routers.

A December 2023 analysis by Lumen, a telecommunications company, showed that the KV Botnet had been active since “at least February 2022,” and targeted edge devices, including routers, “a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years.”


Lumen observed an “uptick in exploitation of new bots” in August 2023, and then a “remodel” of the botnet infrastructure in mid-November 2023.

The disruption operation, first disclosed by Reuters on Monday, is the latest U.S. government action focused on Volt Typhoon, which first came to light in a May 2023 Microsoft advisory. That advisory was followed quickly by a joint advisory issued by the FBI, NSA, and the Cybersecurity and Infrastructure Security Agency that warned of Chinese hacking operations targeting U.S. critical infrastructure and other sensitive targets.

In the wake of the May 2023 disclosure, U.S. national security officials warned repeatedly that the Chinese operation was not an intelligence collection mission. Instead, officials said, it was a preparatory activity that the Chinese government could use to hobble U.S. efforts to respond if and when China decides to invade Taiwan.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities if and when China decides the time has come to strike,” FBI Director Christopher Wray said during a congressional hearing Wednesday focused on Chinese cyber threats. “We can see from where they position themselves across civilian infrastructure that low blows aren’t just a possibility in the event of a conflict — low blows against civilians are part of China’s plan.”

CISA Director Jen Easterly, also testifying before the House Select Committee on the Chinese Communist Party, said the U.S. government has seen a “deeply concerning evolution” in Chinese targeting of civilian critical infrastructure in recent years, “all to ensure that they can incite societal panic and chaos and to deter our ability to marshal military might and civilian will.”


The threat is not “theoretical,” Easterly added, noting that CISA teams have “found and eradicated” Chinese operations across multiple critical infrastructure entities, and that “this is likely just the tip of the iceberg.”

Gen. Paul Nakasone, the commander of U.S. Cyber Command and the director of the NSA, told the committee that the Chinese government was making a deliberate choice to target civilians.

“There’s no reason for them to be in our water,” Nakasone said. “There’s no reason for them to be in our power. This is a decision by an actor to actually focus on civilian targets.”

Easterly pointed to the May 2021 ransomware attack on Colonial Pipeline, and the subsequent disruption to fuel deliveries along the East Coast, as a taste of how the Chinese approach could hobble the U.S.

“Americans couldn’t get to work,” she said. “They couldn’t take their kids to school, get folks to the hospital. It caused a bit of panic. Now, imagine that on a massive scale. Imagine not one pipeline, but many pipelines disrupted. Telecommunications going down so people can’t use their cell phone. People start getting sick from polluted water. Trains get derailed, air traffic control systems, port control systems are malfunctioning. This is truly an everything, everywhere, all at once scenario.”


Liu Pengyu, a Chinese Embassy spokesperson, said in an email to CyberScoop late Wednesday that “the Chinese government has been categorical in opposing hacking attempts and the abuse of information technology. The United States has the strongest cyber technologies of all countries, but has used such technologies in hacking, eavesdropping more than others. We urge the US side to stop making irresponsible criticism against other countries on the issue of cyber-security.”

Updated Jan. 31, 2024: This story has been updated to include a statement from the Chinese Embassy in Washington, D.C.

Latest Podcasts