Sept. 19 (UPI) — U.S. authorities have thwarted another China-backed botnet, freeing hundreds of thousands of infected devices in the process, FBI Director Christopher Wray said.
The head of the United States’ domestic intelligence and security service made the announcement Wednesday during his keynote speech at a cyber summit in Washington, D.C.
He said the botnet was operated by the Chinese government-sponsored hacker group known as Flax Typhoon who used it to target critical infrastructure in the United States and overseas as well as public and private entities and those in academia and the media.
A botnet is a collection of computers hijacked by hackers via malware, and in this case consisted of hundreds of thousands of Internet-connected devices from routers to cameras, digital video recorders and storage devices that the hackers used to “compromise systems and exfiltrate confidential data,” he said.
The network of infected devices was dismantled by federal authorities last week, with the Justice Department on Wednesday explaining in a statement that more than 200,000 infected devices, constituting more than half of the botnet, were located in the United States.
According to the Justice Department, these devices gave the hackers the ability to conduct malicious cyberactivity under the guise of routine Internet traffic.
A court-authorized law enforcement operation saw U.S. authorities take control of the malicious infrastructure and disabled the hackers from using the infected devices.
Authorities said that during the disbanding operation, Chinese hackers attempted but failed to intervene.
He also identified for the first time that Flax Typhoon operates under the guise of being a legitimate information security company known as the Integrity Technology Group, which is based in Beijing.
According to the Justice Department, the company had built an online application that allowed customers to log in and control specified infected victim devices, including with a menu of malicious cyber commands using a tool called “vulnerability-arsenal.”
Wray added that the company’s chairman has publicly stated that for years they have collected intelligence and performed reconnaissance for Chinese government security agencies.
“This was another successful disruption, but make no mistake: It’s just one round in a much longer fight,” Wray said.
“The Chinese government is going to continue to target your organizations and our critical infrastructure — either by their own hand or concealed through their proxies. And we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light.”
U.S. authorities in January disrupted a China-backed malware botnet that consisted of only routers. Hundreds of U.S. home office routers had been infected by the Chinese Communist Party-backed hackers known as Volt Typhoon, before it was similarly dismantled by U.S. authorities.
In late August, Microsoft had issued a threat intelligence memo identifying Flax Typhoon as “a nation-state activity group” that was targeting dozens of organizations in Taiwan and elsewhere.
It said the hackers had been active since mid-2021.
Wray said the Flax Typhoon botnet had caused “real harm to its victims,” offering a company in California as an example, explaining it had suffered “an all-hands-on-deck cybersecurity incident, and IT staff needed to work long hours to remediate the threats and replace hardware — all of which took swaths of the organization offline and caused a significant financial loss.”
Accompanying the announcement, the National Security Agency along with its partners in Australia, Canada, New Zealand and Britain published an advisory describing Integrity Technology Group’s tactics, techniques and procedures.