The Justice Department has released details of a court-authorised law enforcement operation that disrupted a botnet inside more than 200,000 consumer devices in the United States and elsewhere, including Australia.
This follows the FBI, Cyber National Mission Force (CNMF), and National Security Agency (NSA) assessing that China-linked cyber actors have compromised internet-connected devices, including small office/home office routers, firewalls, network-attached storage, and Internet of Things devices to create a network of compromised nodes positioned for malicious activity.
As described in court documents unsealed in the Western District of Pennsylvania, state-sponsored hackers working for Integrity Technology Group, a company based in Beijing, and known to the private sector as Flax Typhoon, infected the botnet devices.
Integrity Technology Group has controlled and managed the botnet activity since mid-2021. The botnet has regularly maintained between tens of thousands and hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices. Victim devices have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia.
The court-authorised operation took control of the hackers’ computer infrastructure and, among other steps, sent disabling commands through that infrastructure to the malware on the infected devices. During the course of the operation, there was an attempt to interfere with the FBI’s remediation efforts through a distributed denial-of-service attack targeting the operational infrastructure that the FBI was utilising to effectuate the court’s orders. That attack was ultimately unsuccessful in preventing the FBI’s botnet disruption.
“The Justice Department is zeroing in on the Chinese government-backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security,” said Attorney General Merrick B. Garland. “As we did earlier this year, the Justice Department has again destroyed a botnet used by PRC-backed hackers to infiltrate consumer devices in the United States and worldwide. We will continue to aggressively counter the threat that China’s state-sponsored hacking groups pose to the American people.”
According to the court documents, Integrity Technology Group built an online application allowing its customers to log in and control specified infected victim devices, including a menu of malicious cyber commands using a tool called ‘vulnerability-arsenal.’ The online application was prominently labelled ‘KRLab,’ one of the main public brands used by Integrity Technology Group.
The FBI also assessed that Integrity Technology Group, in addition to developing and controlling the botnet, is responsible for computer intrusion activities attributed to China-based hackers known by the private sector as Flax Typhoon. Microsoft Threat Intelligence described Flax Typhoon as nation-state actors based out of China, active since 2021, who have targeted government agencies and education, critical manufacturing, and information technology organisations in Taiwan, and elsewhere. The FBI’s investigation has corroborated Microsoft’s conclusions, finding that Flax Typhoon has successfully attacked multiple US and foreign corporations, universities, government agencies, telecommunications providers, and media organisations.
While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech-controlled botnet are likely still supported by their respective vendors.
The government’s malware disabling commands, which interacted with the malware’s native functionality, were extensively tested before the operation. As expected, the operation did not affect the legitimate functions of or collect content information from the infected devices. The FBI is providing notice to US owners of devices that were affected by this court-authorised operation. The FBI is contacting those victims through their internet service provider, who will provide notice to their customers.
The FBI’s San Diego Field Office and Cyber Division, the US Attorney’s Office for the Western District of Pennsylvania, and the National Security Cyber Section of the Justice Department’s National Security Division led the domestic disruption effort.
Concurrently, the FBI, CNMF, NSA, and allied partners have released a Joint Cyber Security Advisory to highlight the threat posed by these actors and their botnet activity and to encourage exposed device vendors, owners, and operators to update and secure their devices from being compromised and joining the botnet. The agencies advise network defenders to follow the guidance in the mitigations section to protect against the PRC-linked cyber actors’ botnet activity. Cybersecurity companies can also leverage the information in the advisory to assist with identifying malicious activity and reducing the number of devices present in botnets worldwide.