State-sponsored hackers affiliated with China have targeted small office/home office routers in the U.S. in a wide-ranging botnet attack, Federal Bureau of Investigation Director Christopher Wray announced on Wednesday, Jan. 31. Most of the affected routers were manufactured by Cisco and NetGear and had reached end-of-life status.

Department of Justice investigators said on Jan. 31, 2024, that the malware has been deleted from affected routers. The investigators also cut the routers off from other devices used in the botnet.

IT teams need to know how to reduce cybersecurity risks that could stem from remote workers using outdated technology.

What is the Volt Typhoon botnet attack?

The cybersecurity threat in this case is a botnet created by Volt Typhoon, a group of attackers sponsored by the Chinese government.

Starting in May 2023, the FBI looked into a cyberattack campaign against critical infrastructure organizations. On Jan. 31, 2024, the FBI revealed that an investigation into the same group of threat actors in December 2023 showed attackers sponsored by the government of China had created a botnet using hundreds of privately-owned routers across the U.S.

The attack was an attempt to create inroads into “communications, energy, transportation, and water sectors” in order to disrupt critical U.S. functions in the event of conflict between the countries, said Wray in the press release.

SEE: Multiple security companies and U.S. agencies have their eyes on Androxgh0st, a botnet targeting cloud credentials. (TechRepublic) 

The attackers used a “living off the land” technique to blend in with the normal operation of the affected devices.

The FBI is contacting anyone whose equipment was affected by this specific attack. It hasn’t been confirmed whether employees of a particular organization were targeted.

How to reduce cybersecurity risks from botnets for remote workers

The fact that the targeted routers are privately owned highlights a security risk for IT pros trying to keep remote workers safe. With IT members not overseeing the routers used at home, it is difficult to know whether employers may be using old or even end-of-life routers.

Botnets are often used to launch distributed denial of service attacks or to distribute malware, so defenses against those are important components of a complete defense against botnets. Botnets are typically led by a centralized command and control server.

Organizations should ensure they have good endpoint protection and proactive defenses, such as:

Software and hardware should be kept up to date, since end-of-life devices are particularly vulnerable. In order to harden devices against being used in botnet attacks, run regular security scans, institute multifactor authentication and keep employees informed about cybersecurity best practices.

“Proactively conducting thorough tech inventories of assets beyond the traditional office is essential,” said Demi Ben-Ari, chief technology officer of third-party risk management technology firm Panorays, in an email to TechRepublic. “This approach assists in identifying outdated technology, ensuring that remote workers have up-to-date and secure equipment.”

“While remote work introduces potential vulnerabilities due to varied environments, it is important to note that similar attacks could occur in an office setting,” Ben-Ari said.