DOJ disrupts Chinese hacker effort to use malware to hijack US-based routers
The Justice Department announced Wednesday it has successfully disrupted an effort by Chinese government-sponsored hackers to target U.S. critical infrastructure networks using a malware that had hijacked "hundreds" of home and small business routers.
Through a court-authorized operation launched last month, U.S. officials say they were able to dismantle the botnet by removing the malware inside the U.S.-based victim routers and also took further steps to prevent the routers from being reinfected.
In a background call with reporters Wednesday, officials declined to go into specific details regarding the critical infrastructure networks that were targeted by the Chinese hacking group -- known as 'Volt Typhoon,' but in remarks to Congress on Wednesday FBI Director Chris Wray called out China for its efforts to target "water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems."
"The Volt Typhoon malware enabled China to hide, among other things, pre-operational, reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, water sectors -- steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," he said. "And let's be clear, cyber threats to our critical infrastructure represent real world threats to our physical safety. So, working with our partners, the FBI ran a court authorized on network operation to shut down full typhoon and the access enabled."
The fear repeatedly expressed by U.S. officials is that China could use such malware to significantly disrupt Americans' daily lives or even impact a U.S. military response during a moment of global crisis – such as a Chinese invasion of Taiwan.
"China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," Wray told Congress on Wednesday.
In the operation last month, officials said the "vast majority" of compromised routers were Cisco and NetGear routes that were easy to access because they were old – and no longer received the standard security patches or software updates from their manufacturers.
Officials said that the owners of the impacted devices were "by and large, every day American citizens and small businesses" who the Chinese hackers were effectively using as a node to route traffic through to conceal their activity. After securing the search and seizure order last month, officials deleted the malware from the impacted servers and modified firewall rules to prevent further communications with the critical infrastructure networks.
The FBI said it is in the process of contacting impacted device owners to ensure they update their routers.