The threat actors behind the KV-botnet made “behavioral changes” to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity.

KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda).

Active since at least February 2022, it was first documented by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance.

Late last month, the U.S. government announced a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets chosen after broader scanning via the JDY sub-group.

Now, according to new findings from the cybersecurity firm, the JDY cluster fell silent for roughly fifteen days following public disclosure and as a byproduct of the U.S. Federal Bureau of Investigation (FBI) undertaking.

“In mid-December 2023, we observed this activity cluster hovering around 1,500 active bots,” security researcher Ryan English said. “When we sampled the size of this cluster in mid-January 2024 its size dwindled to approximately 650 bots.”

Given that the takedown actions began with a signed warrant issued on December 6, 2023, it’s fair to assume that the FBI began transmitting commands to routers located in the U.S. sometime on or after that date to wipe the botnet payload and prevent them from being re-infected.

“We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023,” Lumen said in a technical report shared with The Hacker News.

During this four-day period, the threat actor was spotted interacting with 3,045 unique IP addresses that were associated with NETGEAR ProSAFEs (2,158), Cisco RV320/325 (310), Axis IP cameras (29), DrayTek Vigor routers (17), and other unidentified devices (531).

Also observed in early December 2023 was a massive spike in exploitation attempts from the payload server, indicating the adversary’s likely attempts to re-exploit the devices as they detected their infrastructure going offline. Lumen said it also took steps to null-route another set of backup servers that became operational around the same time.

It’s worth noting that the operators of the KV-botnet are known to perform their own reconnaissance and targeting while also supporting multiple groups like Volt Typhoon. Interestingly, the timestamps associated with exploitation of the bots correlates to China working hours.

“Our telemetry indicates that there were administrative connections into the known payload servers from IP addresses associated with China Telecom,” Danny Adamitis, principal information security engineer at Black Lotus Labs, told The Hacker News.

What’s more, the press statement from the U.S. Justice Department described the botnet as controlled by “People’s Republic of China (PRC) state-sponsored hackers.”

This raises the possibility that the botnet “was created by an organization supporting the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect they would have said ‘nation-state’ actors,” Adamitis added.

There are also signs that the threat actors established a third related-but-distinct botnet cluster dubbed x.sh as early as January 2023 that’s composed of infected Cisco routers by deploying a web shell named “fys.sh,” as highlighted by SecurityScorecard last month.

But with KV-botnet being just “one form of infrastructure used by Volt Typhoon to obfuscate their activity,” it’s expected that the recent wave of actions will prompt the advanced persistent threat (APT) actors to presumably transition to another covert network in order to meet their strategic goals.

“A significant percent of all networking equipment in use around the world is functioning perfectly well, but is no longer supported,” English said. “End users have a difficult financial choice when a device reaches that point, and many aren’t even aware that a router or firewall is at the end of its supported life.

“Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always feasible.”

“Mitigation involves defenders adding their edge devices to the long list of those they already have to patch and update as often as available, rebooting devices and configuring EDR or SASE solutions where applicable, and keeping an eye on large data transfers out of the network. Geofencing is not a defense to rely on, when the threat actor can hop from a nearby point.”