Black Lotus Labs, the threat research and intelligence arm of Lumen Technologies, has discovered and stopped a malicious botnet used by nation-state cyber actors supporting Volt Typhoon operations. The KV-botnet targeted critical infrastructure providers and municipal governments in Guam, the US and other regions, creating a serious threat to US businesses and strategic interests.
The botnet, discovered and named KV-botnet by Black Lotus Labs, uses sophisticated malware to create hidden channels on infected small office/home office (SOHO) routers and firewalls, forming a secret network for data transmission. Black Lotus Labs detected KV-botnet activity on its global backbone and traced it to the control servers run by threat actors. The team then null routed, or dropped, the malicious IP addresses, blocking access to the compromised devices and stopping further attacks on critical infrastructure.
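The response described above has two parts a defender can reproduce at a smaller scale: spotting flows from internal hosts to known control-server addresses, and then null-routing those addresses so the compromised devices can no longer reach them. The following is an added illustration, not Lumen's or Black Lotus Labs' tooling; the flow records and the control-server IP list are constructed placeholders (RFC 5737 documentation ranges), and the flow format is an assumed simple CSV.

```python
"""Flag traffic to known botnet control-server addresses and emit
null-route (blackhole) entries for them.

Added illustration, not Lumen/Black Lotus Labs tooling. The flow records
and the control-server IP list below are constructed placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed placeholder control-server addresses (RFC 5737 ranges).
KNOWN_C2 = {"192.0.2.10", "198.51.100.77", "203.0.113.5"}

# Constructed flow records in an assumed "src,dst,dst_port,bytes" format,
# including one malformed line to show it is skipped rather than crashing.
SAMPLE_FLOWS = """\
10.0.0.4,192.0.2.10,8443,51200
10.0.0.9,198.51.100.200,443,2048
bad,line
10.0.0.4,203.0.113.5,22,4096
10.0.0.12,192.0.2.10,8443,10240
"""


def parse_flows(text):
    """Parse CSV flow lines into (src, dst, port, bytes); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append((src, dst, int(port), int(nbytes)))
        except ValueError:
            continue
    return flows


def find_c2_contacts(flows, c2_addrs=KNOWN_C2):
    """Map each contacted control-server IP to the internal hosts that reached it."""
    hits = defaultdict(set)
    for src, dst, _port, _bytes in flows:
        if dst in c2_addrs:
            hits[dst].add(src)
    return {ip: sorted(hosts) for ip, hosts in hits.items()}


def blackhole_routes(c2_addrs):
    """Render Linux iproute2 null routes, one per control-server address."""
    return [
        f"ip route add blackhole {ip}/32"
        for ip in sorted(c2_addrs, key=ipaddress.ip_address)
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for c2, hosts in find_c2_contacts(flows).items():
        print(f"{c2} contacted by {', '.join(hosts)}")
    print("\n".join(blackhole_routes(KNOWN_C2)))
```

The hosts listed per control-server address are the devices to isolate and re-image; the blackhole routes are what a network operator would push (here to a Linux router, on a backbone it would be a BGP blackhole community) so that even a still-infected device cannot reach the actors' servers.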
According to Lumen, since the beginning of 2022, a sophisticated and secretive group of cyber actors has been running the KV-botnet, which has connections to Volt Typhoon.
Mark Dehus, Senior Director, Threat Intelligence, Lumen Black Lotus Labs:
KV-botnet is a new discovery signaling an escalation in the abuse of network and security devices to hide secret operations against some of our nation's most vital networks. Blocking the threat actor's infrastructure across Lumen's network disrupts the botnet's ability to operate and helps combat dangerous and highly skilled nation state threats like Volt Typhoon. Black Lotus Labs is releasing the information about the threat's operations so critical infrastructure providers, the defense industrial base, commercial businesses, and even end consumers can be aware of this activity and take steps to defend against it.