KV Botnet Activity

[KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) consisted primarily of the exploitation of "end-of-life" small office/home office (SOHO) equipment from manufacturers such as Cisco, NETGEAR, and DrayTek. [KV Botnet Activity](https://attack.mitre.org/campaigns/C0035) was used by [Volt Typhoon](https://attack.mitre.org/groups/G1017) to obfuscate its connectivity to victims in multiple critical infrastructure segments, including energy and telecommunications companies and entities based in the US territory of Guam. While the KV Botnet is the most prominent element of this campaign, it overlaps with another botnet cluster referred to as the JDY cluster.(Citation: Lumen KVBotnet 2023) The botnet was disrupted by US law enforcement in early 2024, after periods of activity from October 2022 through January 2024.(Citation: DOJ KVBotnet 2024)

Start date: 1 October 2022
End date: 1 January 2024
Techniques: 20

Attributed actors

Techniques (20)

command-and-control (4)
  T1573 Encrypted Channel
  T1095 Non-Application Layer Protocol
  T1105 Ingress Tool Transfer
  T1571 Non-Standard Port

defense-impairment (2)
  T1685 Disable or Modify Tools
  T1222.002 Linux and Mac Permissions

discovery (5)
  T1057 Process Discovery
  T1082 System Information Discovery
  T1518.001 Security Software Discovery
  T1083 File and Directory Discovery
  T1016 System Network Configuration Discovery

execution (1)
  T1059.004 Unix Shell

persistence (1)
  T1546 Event Triggered Execution

privilege-escalation (2)
  T1546 Event Triggered Execution
  T1055.009 Proc Memory

resource-development (2)
  T1584.008 Network Devices
  T1583.003 Virtual Private Server

stealth (5)
  T1036.004 Masquerade Task or Service
  T1070.004 File Deletion
  T1564.013 Bind Mounts
  T1036 Masquerading
  T1055.009 Proc Memory

Indicators of compromise

No IOCs linked to this campaign yet.