In 2023, Microsoft warned that Volt Typhoon could disrupt US-Asia communications in future crises. Microsoft stated that the group had embedded itself in critical infrastructure through a stealthy technique known as “living off the land”, designed to evade antivirus software.
After US officials disrupted Volt Typhoon’s KV botnet, security researchers at Black Lotus Labs noticed that the group had been changing tactics, re-exploiting previously compromised devices such as NetGear ProSAFE hardware. Other compromised devices included Cisco RV routers, DrayTek Vigor routers, and Axis IP cameras.
In total, the botnet infected 32% of the 6,613 NetGear ProSAFE devices connected to the internet at its peak.
Initially, there were 1,500 active bots under Volt Typhoon’s control, but that number fell to 650 by mid-January 2024. The large drop came in late December when, according to Black Lotus Labs, US officials took down the botnet’s command and control server, leaving only clusters tasked with scanning and reconnaissance.
According to Black Lotus Labs, this group, along with other similar state-aligned operations, will continue to use similar tactics in the future.
“We assess that this trend of using compromised firewalls and routers will continue to emerge as a core component of threat actor operations, both to enable access to high-profile victims and to establish covert infrastructure,” the researchers wrote.