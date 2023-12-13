Lumen’s Black Lotus Labs exposes Chinese cyber actor behind Volt Typhoon attacks on telecom, government and green energy sectors

DENVER, Dec. 13, 2023 /PRNewswire/ — In a major win for national security, Black Lotus Labs, the threat research and intelligence arm of Lumen Technologies (NYSE: LUMN), discovered and disrupted a malicious botnet used by Chinese nation-state cyber actors in support of Volt Typhoon operations. The KV-botnet targeted critical infrastructure providers and municipal governments in Guam and other U.S. territories, posing a serious threat to U.S. businesses and strategic interests.

To learn more about how Black Lotus Labs exposed the KV-botnet, detected activity associated with the People’s Republic of China, and disrupted its operational infrastructure, read Routers Roasting on Open Firewalls: KV-Botnet Investigation.

“KV-botnet is a new discovery that signals an increase in the misuse of network and security tools to conceal covert operations against some of our nation’s most critical networks,” said Mark Dehus, senior director of threat intelligence at Lumen Black Lotus Labs. “Blocking threat actor infrastructure on Lumen’s network disrupts the botnet’s ability to operate and helps combat dangerous and highly skilled nation-state threats like Volt Typhoon. Black Lotus Labs is releasing information about the threat operation so critical infrastructure providers, the defense industrial base, commercial businesses, and even end consumers can be aware of this activity and take steps to protect against it.”

How it works:

The botnet, discovered by Black Lotus Labs and named the KV-botnet, uses sophisticated malware to create hidden channels on infected small office/home office (SOHO) routers and firewalls, forming a covert network for data transmission. Black Lotus Labs detected KV-botnet activity on its global backbone and traced it to command-and-control servers run by threat actors associated with China. The team then null-routed the malicious IP addresses, cutting off access to the compromised devices and preventing further attacks on critical infrastructure.

Why it matters:

Since early 2022, a sophisticated and covert group of cyber actors with ties to Volt Typhoon has been operating the KV-botnet. Microsoft and other security researchers have attributed the network to the Chinese government.

Using the KV-botnet, Volt Typhoon can build covert communication channels that bypass security controls and firewalls and blend in with normal network traffic. The botnet was essential to the group’s strategic intelligence collection operations, helping it pursue its long-term goals. The campaign targeted devices that sit outside the view of traditional security teams and their detection tooling, adding a deliberate layer of obscurity to covert operations.

Black Lotus Labs has also shared its findings and evidence with the broader security research community so defenders can protect their networks from the threat posed by these kinds of hidden networks.

Tips for businesses and consumers:

Businesses:

Watch for large volumes of data leaving your network, even when the destination appears to be nearby. The botnet’s hop points are compromised SOHO routers, which can sit in the same geographic area as your own network, so geofencing will not protect you from this activity.

Use advanced security solutions such as Secure Access Service Edge (SASE) to detect and block suspicious network activity.
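As an added example that is not part of the Lumen press release or Black Lotus Labs’ own tooling, the following Python script applies the first business tip to constructed flow records: it totals outbound bytes per internal host and external destination and flags large transfers regardless of where the destination is geolocated, and sets that next to a geofence-style rule that only considers foreign destinations. The flow records, the 10.0.0.0/8 internal range, the dst_geo enrichment field and the 1 GiB threshold are all assumptions chosen for illustration.

```python
"""Egress-volume check that does not depend on geofencing.

Added example, not code from Lumen or Black Lotus Labs. Flow records are
constructed for illustration; a real deployment would read NetFlow/IPFIX
or cloud VPC flow logs and obtain dst_geo from GeoIP enrichment.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flows: (src, dst, bytes, dst_geo). The dst_geo field is an
# assumed enrichment tag, not something raw flow exports carry by themselves.
SAMPLE_FLOWS = [
    # Large egress to a destination geolocated "nearby" (same country).
    {"src": "10.1.4.22", "dst": "203.0.113.10", "bytes": 900_000_000, "dst_geo": "US"},
    {"src": "10.1.4.22", "dst": "203.0.113.10", "bytes": 700_000_000, "dst_geo": "US"},
    # Modest egress to a foreign destination.
    {"src": "10.1.4.23", "dst": "198.51.100.7", "bytes": 50_000_000, "dst_geo": "DE"},
    {"src": "10.1.4.23", "dst": "198.51.100.7", "bytes": 40_000_000, "dst_geo": "DE"},
    # Internal-to-internal transfer: large, but not egress.
    {"src": "10.1.4.24", "dst": "10.1.9.5", "bytes": 5_000_000_000, "dst_geo": "US"},
    # Tiny flow to a foreign destination.
    {"src": "10.1.4.25", "dst": "192.0.2.44", "bytes": 2_000_000, "dst_geo": "CN"},
]

# Assumed internal address space for the example network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ONE_GIB = 1 << 30  # assumed alert threshold


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_totals(flows):
    """Sum bytes per (internal src, external dst); internal-only traffic is ignored."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return dict(totals)


def volume_alerts(flows, threshold=ONE_GIB):
    """Flag every internal->external pair whose total egress reaches the threshold,
    without looking at where the destination is geolocated."""
    return sorted(pair for pair, b in egress_totals(flows).items() if b >= threshold)


def geofence_alerts(flows, home_geos=("US",), threshold=ONE_GIB):
    """Geofence-style rule for comparison: only alert on large egress to
    destinations outside home_geos. A nearby hop point slips through."""
    geo_of = {f["dst"]: f["dst_geo"] for f in flows}
    return sorted(
        pair for pair, b in egress_totals(flows).items()
        if b >= threshold and geo_of[pair[1]] not in home_geos
    )


if __name__ == "__main__":
    print("volume-based alerts:  ", volume_alerts(SAMPLE_FLOWS))
    print("geofence-only alerts: ", geofence_alerts(SAMPLE_FLOWS))
```

On the constructed data the volume rule flags the 1.6 GB transfer from 10.1.4.22 to 203.0.113.10, while the geofence rule reports nothing because that destination is tagged as domestic; the 5 GB internal transfer is excluded by both because it never leaves the network.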

Consumers:

This is the fourth malware campaign Black Lotus Labs has detected this year that uses compromised small office/home office (SOHO) routers. The infosec industry has seen activity by China-based actors against several verticals.

