pwshub.com

FBI and partners disrupt 200,000 device botnet linked to Chinese hackers

The U.S. Federal Bureau of Investigation, in collaboration with other agencies, has disrupted a botnet that consisted of more than 200,000 consumer devices worldwide.

Dubbed “Flax Typhoon,” the botnet, linked to allegedly Chinese state-sponsored hackers, infected numerous types of consumer devices, including small-office/home-office routers, internet protocol cameras, digital video recorders and network-attached storage devices. The infections had a tendency to target older devices from the likes of NetGear Inc. and Cisco Systems Inc. that were no longer receiving security updates.

The hackers, allegedly operating through Beijing-based Integrity Technology Group, would infect targeted devices with malware and then use the infected devices to disguise malicious cyber activities as routine internet traffic. Targets of the botnet included U.S. and foreign corporations, universities, government agencies, telecommunications providers and media organizations.

The takedown of the botnet involved a court-authorized operation to take control of the computer infrastructure used by those behind the botnet, followed by sending disabling commands through the infrastructure to the malware on infected devices.

During the takedown operation, those behind the botnet attempted to interfere with the FBI’s remediation efforts by launching a distributed denial-of-service attack against the operational infrastructure the FBI was using to take the botnet down. The DDoS attack was not successful.

“The disruption of this worldwide botnet is part of the FBI’s commitment to using technical operations to help protect victims, expose publicly the scope of these criminal hacking campaigns, and to use the adversary’s tools against them to remove malicious infrastructure from the virtual battlefield,” FBI Deputy Director Paul Abbate said in a statement. “The FBI’s unique legal authorities allowed it to lead an international operation with partners that collectively disconnected this botnet from its China-based hackers at Integrity Technology Group.”

Where the story is arguably a little bit strange is that, on the one hand, the FBI and others point the finger at the Chinese government and yet, at the same time, also say that Integrity Technology Group was offering the botnet commercially to customers. While both can be true, it’s odd that an alleged state-sponsored botnet was advertising its services to all and sundry.

Governments don’t usually commercially offer their state-sponsored hacking tools and botnets as they are typically highly protected state secrets.

Further details on Integrity Technology Group’s tactics, techniques and procedures have also been published today in a joint cybersecurity advisory from the FBI, the NSA, U.S. Cyber Command’s Cyber National Mission Force, and partner agencies in Australia, Canada, New Zealand and the U.K.

Source: siliconangle.com
