U.S. Officials Stop Another China-Backed Botnet Attack

On September 19, U.S. authorities announced the successful dismantling of a botnet linked to China, freeing hundreds of thousands of compromised devices in the process. FBI Director Christopher Wray made this revelation during a keynote address at a cybersecurity summit in Washington, D.C.

The malicious botnet was reportedly operated by a hacker group backed by the Chinese government, known as Flax Typhoon. This group had targeted a range of entities, including critical infrastructure, public and private sectors, as well as academic institutions and media organizations both in the U.S. and abroad.

A botnet comprises numerous computers infected with malware and controlled by hackers. In this instance, it included hundreds of thousands of internet-connected devices, such as routers, cameras, digital video recorders, and storage devices. These compromised devices were utilized by the hackers to infiltrate systems and extract sensitive information.

Last week, federal authorities took action to dismantle the network of infected devices. The Justice Department reported that over 200,000 of these compromised devices were located in the United States, making up more than half of the entire botnet.

This substantial number of infected devices allowed the hackers to engage in harmful cyber activity while masquerading as regular internet traffic.

Utilizing a court-approved operation, U.S. law enforcement gained control of the malware infrastructure, rendering the hijacked devices unusable for the hackers. During this operation, attempts by Chinese hackers to thwart the disbanding effort were unsuccessful.

Wray highlighted that Flax Typhoon had been operating under the guise of a legitimate information security firm called Integrity Technology Group, which is based in Beijing. The Justice Department noted that this company had developed an application that enabled its clients to remotely access and control infected devices, providing a menu of harmful cyber commands via a tool known as “vulnerability-arsenal.”

Furthermore, Wray mentioned that the chairman of Integrity Technology Group had publicly claimed to have gathered intelligence and conducted reconnaissance for Chinese government security agencies for years.

“This was another successful disruption, but make no mistake: It’s just one round in a much longer fight,” Wray stated, emphasizing that the Chinese government continues to pose threats to U.S. organizations and critical infrastructure. He pledged that U.S. authorities would collaborate with partners to identify malicious behaviors, disrupt hacking efforts, and raise awareness about these threats.

This announcement follows a separate incident in January, when U.S. authorities disrupted a China-affiliated malware botnet run by the Volt Typhoon hacking group, also connected to the Chinese Communist Party; that botnet solely targeted routers and had infected hundreds of home-office routers.

In late August, Microsoft had released a threat intelligence memo that identified Flax Typhoon as a state-sponsored group targeting numerous organizations in Taiwan and beyond. The memo confirmed that these hackers had been active since mid-2021.

Wray remarked that the Flax Typhoon botnet had inflicted considerable damage upon its victims, citing the example of a California-based company that endured a severe cybersecurity incident. The incident required all hands on deck, resulting in extensive overtime for IT staff as they worked to remediate the threat and replace compromised hardware. The process caused major disruptions and significant financial losses for the organization.

Additionally, the National Security Agency, in collaboration with allies from Australia, Canada, New Zealand, and the United Kingdom, issued an advisory outlining the tactics, techniques, and procedures employed by Integrity Technology Group. This joint advisory serves as a warning regarding the ongoing threats posed by the botnet backed by the People’s Republic of China, which continues to jeopardize U.S. networks and infrastructure.

U.S. cyber authorities released a joint advisory urging stakeholders to remain vigilant against these potential threats and to implement recommended mitigations to safeguard their networks.

Source: UPI