In December 2023, the FBI conducted an operation to clean infected systems in the United States that were controlled by the KV Botnet. The campaign was aimed at undermining the infrastructure of the Volt Typhoon group, which is linked to China and specializes in attacks on critical infrastructure.
Despite the removal of a significant number of infected devices, the botnet's main command-and-control infrastructure remained untouched, which was probably a deliberate attempt to provoke a reaction from its administrators.
KV Botnet is a worldwide network of infected small office/home office (SOHO) routers and firewall devices, some of which are used by Chinese state-sponsored hackers for covert data transfer. At the end of January 2024, the US government announced a large-scale operation to dismantle the KV cluster. Following the FBI's actions, the JDY cluster also ceased activity for about two weeks.
KV Botnet has shown unusual resilience despite numerous neutralization attempts by researchers and law enforcement agencies. Over this period, the operators only changed hosting providers, leaving the network architecture almost unchanged. This approach contrasts sharply with the level of technical sophistication Volt Typhoon demonstrates in attacks on its target organizations, which raises questions about the group's real role in controlling the botnet.
Experts were able to track the activity of the botnet's infrastructure, in particular the so-called JDY cluster, which was first described in 2023. The cluster exploits vulnerabilities in Cisco RV320 and RV325 routers to spread its malicious code. In mid-November 2023, infected devices began contacting new C2 servers that used an updated certificate with the signature "Jdyfj". The certificate made it possible to identify a number of IP addresses used for command and control.
Servers located at the IP addresses 45.32.174[.]131 and 45.63.60[.]39 were activated after the FBI's intervention. This supports the hypothesis that the botnet's administrators take only minimal measures to restore operations, focusing on changing hosting providers. In April 2024 the servers moved again, probably to make them harder to detect. Researchers have currently identified three active hosts (in Australia, the USA and Singapore) using a new certificate.
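The tracking method described above, pivoting from a known certificate string to the C2 addresses it identifies, is the same pivot a defender can run over their own network logs. The following Python script is an added illustration, not code from the report or from any of the researchers it cites. It refangs the two indicators named above, validates them as IPv4 addresses, and scans a constructed tab-separated connection log for flows to those addresses or for TLS certificates whose subject contains the "Jdyfj" string. Which X.509 field actually carries that string is not stated in the report, so matching it against the subject is an assumption of this example; the log format and the sample records are likewise constructed.

```python
import ipaddress
import re

# The two C2 addresses the report names, copied here in their defanged form.
REPORT_IOCS = ["45.32.174 [.] 131", "45.63.60 [.] 39"]
# Certificate string the report associates with the new C2 servers. Which
# X.509 field carries it is an assumption of this example; we check the subject.
CERT_INDICATOR = "Jdyfj"

# Accept the common defang spellings [.], (.), {.}, with optional surrounding spaces.
_DEFANG = re.compile(r"\s*[\[\(\{]\.[\]\)\}]\s*")


def refang_ip(ioc: str) -> str:
    """Convert a defanged IPv4 indicator to its live form and validate it.
    Raises ValueError when the result is not an IPv4 address, so a typo in the
    indicator list fails loudly instead of silently matching nothing."""
    candidate = _DEFANG.sub(".", ioc.strip())
    return str(ipaddress.IPv4Address(candidate))


def parse_record(line: str):
    """Parse one tab-separated record: ts, src_ip, dst_ip, dst_port, cert_subject.
    cert_subject is '-' when the flow carried no TLS certificate. Returns None
    for comment lines and malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, src, dst, port, subject = parts
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "subject": subject}


def scan_records(lines, iocs=REPORT_IOCS, cert_indicator=CERT_INDICATOR):
    """Return a list of (reason, record) hits. 'c2_ip' means the destination is
    one of the known C2 addresses; 'cert' means the certificate subject contains
    the indicator string even though the destination address is not on the list,
    which is how moved infrastructure is caught after an IP change."""
    watch = {refang_ip(i) for i in iocs}
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["dst"] in watch:
            hits.append(("c2_ip", rec))
        elif cert_indicator.lower() in rec["subject"].lower():
            hits.append(("cert", rec))
    return hits


# Constructed sample log. Internal hosts are RFC 1918 addresses invented for this
# example; 203.0.113.9 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """#ts\tsrc_ip\tdst_ip\tdst_port\tcert_subject
1700000001\t192.168.1.1\t45.32.174.131\t443\tCN=Jdyfj
1700000002\t192.168.1.1\t203.0.113.9\t443\tCN=example.com
1700000003\t192.168.1.2\t45.63.60.39\t8443\t-
1700000004\t192.168.1.3\t198.51.100.7\t443\tCN=jdyfj
""".splitlines()

if __name__ == "__main__":
    for reason, rec in scan_records(SAMPLE_LOG):
        print(f"{reason}: {rec['src']} -> {rec['dst']}:{rec['port']} subject={rec['subject']}")
```

The fourth sample record is the interesting one: its destination is not on the indicator list, but the certificate string still flags it. That is the behaviour a hunter wants when operators keep the same certificate while switching hosting providers, as the report says these operators did.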
The report raises questions about the real connection between KV Botnet and Volt Typhoon. Although the group's operations emphasize stealth and minimal tooling, the botnet operators took no significant steps to mask their infrastructure after it was exposed by the FBI and researchers. It is possible that the botnet is controlled by another entity only indirectly related to Volt Typhoon.