The Department of Justice has disrupted a botnet of hundreds of small office and home office routers hijacked by hackers sponsored by the People’s Republic of China in a campaign targeting U.S. critical infrastructure and other organizations. Most of the infected routers were Cisco and NetGear routers that were no longer supported through the manufacturer’s security patches or other software updates. The DOJ’s court-authorized operation deleted the “KV Botnet” malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

“China’s hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict,” said FBI Director Christopher Wray. “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors. Their pre-positioning constitutes a potential real-world threat to our physical safety that the FBI is not going to tolerate. We are going to continue to work with our partners to hit the PRC hard and early whenever we see them threaten Americans.”

In other news, the department charged a Belarusian and Cypriot national with operating an unlicensed digital currency exchange that allegedly received criminal proceeds from numerous computer intrusions and hacking incidents, including ransomware scams.  

“These significant and commendable FBI enforcement actions deal a blow to the dual-natured cyberthreats we are facing as a field,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “First, in terms of nation-state threats, the FBI’s identification and pre-emptive removal of the Volt Typhoon destructive malware is proof positive that Chinese government cyber efforts are no longer solely focused on espionage and data theft. They clearly intend to be in a position to inflict physical harm to our critical infrastructure, impacting the safety of hospitals and all Americans. Given the current and future strategic threat environment, it would be prudent for hospitals and health systems to closely coordinate emergency management and cyber incident response planning to include contingency planning for disruption to utilities and communications. Second, the enforcement action against the unlicensed digital currency exchanger is also significant as it has disrupted a channel for laundering of cybercrime proceeds. Digital currency is fuel for all cybercrime and illegal digital currency exchangers are the filling stations for cybercriminals. Shutting them down is key to reducing the global cyberthreat we all face.” 

For more information on this or other cyber and risk issues, contact Riggi at jriggi@aha.org. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity

Related News Articles

Headline
Microsoft July 22 released an update on the ongoing cyberattacks to SharePoint servers used within organizations, attributing the incidents to China-based…
Headline
The FBI, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information Sharing and Analysis Center…
Headline
Microsoft July 19 issued an alert about active attacks from vulnerabilities targeting SharePoint servers used within organizations. The incidents have not…
Headline
In his latest AHA Cyber and Risk Intel blog, Scott Gee, AHA deputy national advisor for cybersecurity and risk, explains how hospitals can prepare for and…
AHA Cyber Intel
In today’s heightened threat environment, driven by domestic and geopolitical issues, it is more critical than ever for hospitals to prepare for and mitigate…
Headline
In a statement submitted to the Senate Health, Education, Labor and Pensions Committee for a hearing today on health care cybersecurity and patient privacy,…