FBI and DOJ disrupt campaign targeting critical infrastructure through small/home office routers and cybercrime money laundering operation

Feb 05, 2024 - 03:11 PM
cybersecurity-hand-lock-graphic_900x400

The Department of Justice has disrupted a botnet of hundreds of small office and home office routers hijacked by hackers sponsored by the People’s Republic of China in a campaign targeting U.S. critical infrastructure and other organizations. Most of the infected routers were Cisco and NetGear routers that were no longer supported through the manufacturer’s security patches or other software updates. The DOJ’s court-authorized operation deleted the “KV Botnet” malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”

In other news, the department charged a Belarusian and Cypriot national with operating an unlicensed digital currency exchange that allegedly received criminal proceeds from numerous computer intrusions and hacking incidents, including ransomware scams.  

“These significant and commendable FBI enforcement actions deal a blow to the dual-natured cyberthreats we are facing as a field,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “First, in terms of nation-state threats, the FBI’s identification and pre-emptive removal of the Volt Typhoon destructive malware is proof positive that Chinese government cyber efforts are no longer solely focused on espionage and data theft. They clearly intend to be in a position to inflict physical harm to our critical infrastructure, impacting the safety of hospitals and all Americans. Given the current and future strategic threat environment, it would be prudent for hospitals and health systems to closely coordinate emergency management and cyber incident response planning to include contingency planning for disruption to utilities and communications. Second, the enforcement action against the unlicensed digital currency exchanger is also significant as it has disrupted a channel for laundering of cybercrime proceeds. Digital currency is fuel for all cybercrime and illegal digital currency exchangers are the filling stations for cybercriminals. Shutting them down is key to reducing the global cyberthreat we all face.” 

For more information on this or other cyber and risk issues, contact Riggi at jriggi@aha.org. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity

Related News Articles

Headline
Advisory details shifting tactics of Chinese cyber actors using covert networks for malicious activity
A joint advisory released April 23 from U.S. and international cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency, FBI,…
Headline
FBI Co-deputy Director Andrew Bailey discusses current cyber and physical threats, rise of AI
FBI Co-deputy Director Andrew Bailey discussed a rise in cyber and physical threats impacting health care. He discussed health care as the top critical…
Headline
FBI: Health care was top target for ransomware, other cyberthreats in 2025 
Health care and public health was the top sector targeted for cyberthreats in 2025, according to the FBI’s latest annual report on internet crimes. There were…
Headline
Alerts warn F5 BIG-IP vulnerability being exploited for malicious activity 
The Cybersecurity and Infrastructure Security Agency released an alert March 27 on a vulnerability in F5 BIG-IP Access Policy Manager software that is being…
Headline
Alert warns of cyber actors using Telegram messaging app to push malware 
The FBI released an alert March 20 warning of a technique used by cyber actors working on behalf of the Iranian government to conduct malicious cyber activity…
Headline
CISA urges organizations to harden endpoint management systems following Stryker cyberattack
The Cybersecurity and Infrastructure Security Agency March 18 released an alert urging U.S. organizations to harden their endpoint management systems following…