FBI agents at work

FBI removes malware from hundreds of routers across the US

The FBI has used a court order to remove malware from hundreds of routers across the US, and alter the routers’ settings to prevent reinfection.

The routers are malware-infected NetGear and Cisco small office/home office (SOHO) devices that no longer receive updates because they have reached their End-of-Life.

The FBI did this because it believed the threat actor behind the botnet of routers is an Advanced Persistent Threat (APT) group known as “Volt Typhoon.”

The US Cybersecurity and Infrastructure Security Agency (CISA) warned US businesses in May, 2023 about Volt Typhoon, an elite squadron of hackers with ties to the Chinese government, that targets high-value entities like governments, large corporations, and critical infrastructure.

On January 31, 2024, FBI  director Christopher Wray warned in a House committee hearing that “cyber hackers working for the Chinese government are preparing to wreak havoc on the US.”

To stop this from happening, the FBI used court-authorized operations to take control of hundreds of routers that Volt Typhoon had been using as gateways to get inside sensitive infrastructure. They used the routers to hide the actual origin of malicious attempts to reach inside the utilities and other targets.

The FBI says it tested the malware removal extensively on the relevant Cisco and NetGear routers, as specified in the court documents, to avoid any impact on the legitimate functions of the hacked routers.

The FBI will inform owners of the affected routers, or their providers if the owner’s contact information is not available.

A router’s owner can reverse these mitigation steps by restarting the router. However, a restart that is not accompanied by mitigation steps similar to those the court order authorized will make the router vulnerable to reinfection.

The FBI warns that:

“The remediated routers remain vulnerable to future exploitation by Volt Typhoon and other hackers, and the FBI strongly encourages router owners to remove and replace any end-of-life SOHO router currently in their networks.”

At the same time, Wray let the House committee know that US cyberdefense is badly outnumbered.

“If you took every single one of the FBI cyber agents, intelligence analysts and focused them exclusively on the China threat, China’s hackers would still outnumber FBI cyber-personnel by at least 50 to 1.”

According to CISA Director Jen Easterly, who also testified before the House select committee on the Chinese Communist Party, it’s likely we’re only seeing the tip of the iceberg.


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.