U.S. government ‘took control’ of a botnet run by Chinese government hackers, says FBI director

The FBI, NSA and other U.S. government agencies detailed a Chinese-government operation that used 260,000 of internet-connected devices to launch cyberattacks.
© 2024 TechCrunch. All rights reserved. For personal use only.

Last week, the FBI took control of a botnet made up of hundreds of thousands of internet-connected devices, such as cameras, video recorders, storage devices, and routers, which was run by a Chinese government hacking group, FBI director Christopher Wray and U.S. government agencies revealed Wednesday.

The hacking group, dubbed Flax Typhoon, was “targeting critical infrastructure across the U.S. and overseas, everyone from corporations and media organizations to universities and government agencies,” Wray said at the Aspen Cyber Summit cybersecurity conference on Wednesday. 

“But working in collaboration with our partners, we executed court-authorized operations to take control of the botnet’s infrastructure,” Wray said, explaining that once the authorities did that, the FBI also removed the malware from the compromised devices. “Now, when the bad guys realized what was happening, they tried to migrate their bots to new servers and even conducted a [Distributed Denial of Service] attack against us.”

When reached by TechCrunch on Wednesday, a spokesperson for the FBI did not provide comment.

This is the latest U.S.-led takedown of infrastructure linked to China-backed hacking efforts and cyberattacks, amid warnings by senior U.S. officials about efforts by China to cause “real-world harm” to Americans in the event of a future conflict with China.

Contact Us

Do you have more information about nation-state cyberattacks? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

In a joint advisory published on Wednesday, the FBI, the Cyber National Mission Force, and the National Security Agency linked the botnet of compromised 260,000 devices to the Chinese government. According to the advisory, the botnet was used to conceal the operations of Chinese hackers. The U.S. government said the botnet was operated and controlled by Integrity Technology Group, which allegedly works for the Chinese government. 

A representative for Integrity Technology Group did not respond to TechCrunch’s request for comment on Wednesday.

The botnet, according to the advisory, hacked into vulnerable internet-connected devices with Mirai, a notorious malware designed to control a large number of compromised devices, which was open sourced in 2016 after a group of hackers used it to launch the most powerful distributed denial-of-service attacks at the time.

The Flax Typhoon operation targeted a large number of consumer internet-connected devices. The authorities said they found a database of “over 1.2 million records of compromised devices, including over 385,000 unique U.S. victim devices, both previously and actively exploited.”

A table showing the number of Internet of Things devices compromised by Flax Typhoon. (Image: Screenshot/U.S. government)

Earlier this year, Microsoft published a report about Flax Typhoon, saying the group targeted “dozens of organizations” in Taiwan. The tech giant reported that Flax Typhoon has been active since mid-2021, and targeted “government agencies and education, critical manufacturing, and information technology organizations in Taiwan.” 

In a report published on Wednesday, cybersecurity company ESET wrote that it observed Flax Typhoon compromise several Microsoft Exchange servers in Taiwan, targeting “several government organizations, but also a consulting firm, a travel booking software company, and the pharmaceuticals and electronics verticals.”

Earlier this year, the U.S. government disrupted the activities of another Chinese government hacking group known as Volt Typhoon, which has been actively targeting U.S. internet providers and U.S. critical infrastructure. The U.S. government said at the time that Volt Typhoon is preparing to launch cyberattacks with the ability to cause destructive cyberattacks in the event of a future conflict with the United States, such as an anticipated Chinese invasion of Taiwan.

 


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *