Researchers from Lumen's Black Lotus Labs have discovered that the advanced botnet known as KV-Botnet is directly associated with the Chinese hacker group Volt Typhoon.
KV-Botnet, which has been active since February 2022, is a malicious botnet that primarily targets low-power devices in the small office/home office (SOHO) category.
Between July and August of last year, the botnet was observed targeting devices such as the Cisco RV320, DrayTek Vigor, and NETGEAR ProSafe. Later, in December, the focus shifted towards AXIS IP cameras, specifically the M1045-LW, M1065-LW, and P1367-E models.
According to Microsoft, Volt Typhoon hackers successfully infiltrated critical infrastructure organizations in the United States and Guam, remaining undetected for a considerable period of time. The Chinese hackers’ objective was to create opportunities for compromising the critical communication infrastructure between the United States and Asia during future crises.
Since mid-2021, Volt Typhoon has actively conducted cyber operations against critical infrastructure in various countries, targeting organizations related to communications, production, energy, transport, construction, naval, public administration, information technology, and education.
To evade detection, the group routinely relies on the resources of the devices it has already infected and keeps close control over the infection process.
Black Lotus Labs researchers have determined that the KV-Botnet infection process is multi-stage; however, the initial infection mechanism remains unidentified.
Changes in the botnet’s structure and the utilization of IP cameras prior to the onset of winter signify preparations for a new campaign. Researchers suggest that this could indicate an escalation in hacker activity during the holiday season.
It is worth noting that cybercriminals will continue to target outdated SOHO devices to establish hidden infrastructure. These devices are favored because they are easily compromised and offer little capability for detecting or analyzing malicious activity.
The study underscores that the use of KV-Botnet is primarily linked to China-related actions and is predominantly focused on strategic interests in the Indo-Pacific region, including internet providers and government organizations.