{
	"id": "b54e2ba3-2f49-45e2-ab4d-f0b91f4ed819",
	"created_at": "2026-04-06T15:52:57.189892Z",
	"updated_at": "2026-04-10T03:34:44.476839Z",
	"deleted_at": null,
	"sha1_hash": "965be2736d17ea6aebb711978602296fd12e018c",
	"title": "U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72199,
	"plain_text": "U.S. Government Disrupts Botnet People’s Republic of China Used\r\nto Conceal Hacking of Critical Infrastructure\r\nPublished: 2024-01-31 · Archived: 2026-04-06 15:34:18 UTC\r\nNote: Since the publication of this press release, U.S. Government and foreign partner agencies have issued\r\nadditional cybersecurity advisories (CSAs), and completed a Volt Typhoon Malware Analysis Report. Click to view the February 2024 CSAs on:\r\nPRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure\r\nhttps://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical\r\nPage 1 of 6\n\nIdentifying and Mitigating Living Off the Land Techniques\r\nPRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders\r\nA December 2023 court-authorized operation has disrupted a botnet of hundreds of U.S.-based small office/home\r\noffice (SOHO) routers hijacked by People’s Republic of China (PRC) state-sponsored hackers.\r\nThe hackers, known to the private sector as “Volt Typhoon,” used privately-owned SOHO routers infected with\r\nthe “KV Botnet” malware to conceal the PRC origin of further hacking activities directed against U.S. and other\r\nforeign victims. These further hacking activities included a campaign targeting critical infrastructure organizations\r\nin the United States and elsewhere that was the subject of a May 2023 FBI, National Security Agency,\r\nCybersecurity and Infrastructure Security Agency (CISA), and foreign partner advisory. The same activity has been the subject of private sector partner advisories in May\r\nand December 2023, as well as an additional secure by design alert\r\nreleased today by CISA.\r\nThe vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable\r\nbecause they had reached “end of life” status; that is, they were no longer supported through their manufacturer’s\r\nsecurity patches or other software updates. The court-authorized operation deleted the KV Botnet malware from\r\nthe routers and took additional steps to sever their connection to the botnet, such as blocking communications with\r\nother devices used to control the botnet.\r\n“The Justice Department has disrupted a PRC-backed hacking group that attempted to target America’s critical\r\ninfrastructure utilizing a botnet,” said Attorney General Merrick B. Garland. “The United States will continue to\r\ndismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the\r\nsecurity of the American people.”\r\n“In wiping out the KV Botnet from hundreds of routers nationwide, the Department of Justice is using all its tools\r\nto disrupt national security threats – in real time,” said Deputy Attorney General Lisa O. Monaco. “Today’s\r\nannouncement also highlights our critical partnership with the private sector – victim reporting is key to fighting\r\ncybercrime, from home offices to our most critical infrastructure.”\r\n“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world\r\nharm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. “Volt\r\nTyphoon malware enabled China to hide as they targeted our communications, energy, transportation, and water\r\nsectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not\r\ngoing to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we\r\nsee them threaten Americans.”\r\n“Today, the FBI and our partners continue to stand firmly against People's Republic of China cyber actors that\r\nthreaten our nation's cyber security,” said FBI Deputy Director Paul Abbate. “We remain committed to thwarting\r\nmalicious activities of this type and will continue to disrupt and dismantle cyber threats, safeguarding the fabric of\r\nour cyber infrastructure.”\r\n“This operation disrupted the efforts of PRC state-sponsored hackers to gain access to U.S. critical infrastructure\r\nthat the PRC would be able to leverage during a future crisis,” said Assistant Attorney General Matthew G. Olsen\r\nof the Justice Department’s National Security Division. “The operation, together with the release of valuable\r\nnetwork defense guidance by the U.S. government and private sector partners, demonstrates the Department of\r\nJustice’s commitment to enhance cybersecurity and disrupt efforts to hold our critical infrastructure at risk.”\r\n“Using traditional law enforcement tools to disrupt state-of-the-art technologies, the U.S. Attorney’s Office for the\r\nSouthern District of Texas protected Americans from PRC government-sponsored cyber-criminals who used U.S.-based routers to hack into American targets,” said U.S. Attorney Alamdar S. Hamdani for the Southern District of\r\nTexas. “This case demonstrates my office’s ongoing commitment to defending our critical infrastructure from\r\nPRC initiated cyber-attacks. We thank the FBI and the Justice Department’s National Security Division for its\r\nwork, and we will continue to work shoulder to shoulder with them to shield our country from state-sponsored\r\nhackers.”\r\n“The FBI’s dismantling of the KV Botnet sends a clear message that the FBI will take decisive action to protect\r\nour nation’s critical infrastructure from cyber-attacks,” said Special Agent in Charge Douglas Williams of the FBI\r\nHouston Field Office. “By ensuring home and small-business routers are replaced after their end-of-life\r\nexpiration, everyday citizens can protect both their personal cyber security and the digital safety of the United\r\nStates. We need the American public’s vigilance and support to continue our fight against malicious PRC-sponsored cyber actors.”\r\nAs described in court documents, the government extensively tested the operation on the relevant Cisco and\r\nNetGear routers. The operation did not impact the legitimate functions of, or collect content information from,\r\nhacked routers. Additionally, the court-authorized steps to disconnect the routers from the KV Botnet and prevent\r\nreinfection are temporary in nature. A router’s owner can reverse these mitigation steps by restarting the router.\r\nHowever, a restart that is not accompanied by mitigation steps similar to those the court order authorized will\r\nmake the router vulnerable to reinfection.\r\nThe FBI is providing notice of the court-authorized operation to all owners or operators of SOHO routers that\r\nwere infected with the KV Botnet malware and remotely accessed pursuant to the operation. For those victims\r\nwhose contact information was not publicly available, the FBI has contacted providers (such as a victim’s internet\r\nservice provider) and has asked those providers to provide notice to the victims.\r\nFBI Houston Field Office and Cyber Division, U.S. Attorney’s Office for the Southern District of Texas, and\r\nNational Security Cyber Section of the Justice Department’s National Security Division led the disruption effort.\r\nThe Justice Department’s Criminal Division’s Computer Crime and Intellectual Property Section and Office of\r\nInternational Affairs provided valuable assistance. These efforts would not have been successful without the\r\npartnership of numerous private-sector entities.\r\nIf you believe you have a compromised router, please visit the FBI’s Internet Crime Complaint Center or report\r\nonline to CISA. The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI\r\nstrongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.\r\nThe FBI continues to investigate Volt Typhoon’s computer intrusion activity.\r\nSource: https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical"
	],
	"report_names": [
		"us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391",
				"Insidious Taurus",
				"UNC3236",
				"Vanguard Panda",
				"Volt Typhoon",
				"Voltzite"
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775490777,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/965be2736d17ea6aebb711978602296fd12e018c.pdf",
		"text": "https://archive.orkl.eu/965be2736d17ea6aebb711978602296fd12e018c.txt",
		"img": "https://archive.orkl.eu/965be2736d17ea6aebb711978602296fd12e018c.jpg"
	}
}