
FBI director says Chinese spies 'burned down' their botnet

China-backed spies are said to have torn down their own 260,000-device botnet after the FBI and its international pals went after them.

The botnet was controlled by the somewhat misnamed Integrity Technology Group, a Chinese business whose chairman has admitted that for years his company has "collected intelligence and performed reconnaissance for Chinese government security agencies," FBI Director Christopher Wray said at the Aspen Digital computer security conference on Wednesday. The bots were PCs, servers, and Internet-of-Things gadgets infected with remote-control malware, more than half of them located in the US.

A Beijing-run crew called Flax Typhoon had been building the Mirai-based botnet since 2021 and was accused of spying on Taiwanese networks by Microsoft in 2023, although that claim is disputed.

Wray said Flax was lately taking aim at US critical infrastructure, government, and academics. The FBI's Cyber National Mission Force (CNMF) was called in, along with the NSA.

It was "all hands on deck," Wray recounted, and his agents took control over the botnet's command and control servers - after getting court authorization to do so. The Chinese team launched a DDoS strike against the Americans to disrupt them, and then tried to switch to backup control systems for the botnet, but were thwarted again. Then China gave up.

"We think the bad guys finally realized it was the FBI and our partners that they were up against, and with that realization, they essentially burned down their new infrastructure and abandoned their botnet," said Wray.

According to an advisory [PDF] issued to coincide with Wray's speech, the Flax Typhoon crew kept an SQL database holding 1.2 million records on compromised and hijacked devices that they had either previously used or were currently using for the botnet.

Additionally, the botnet used customized Mirai malware that exploited known vulnerabilities in internet-connected devices to commandeer them, installing a payload that communicated with command-and-control servers via TLS on port 443. Investigators found over 80 subdomains of w8510.com linked to the command-and-control servers as of this month, per the advisory.
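As an added illustration (not code from the article or the FBI advisory), here is a small sweep over DNS-query logs that flags lookups for w8510.com and any of its subdomains, the domain the advisory ties to the botnet's command-and-control servers. The log format and the sample entries are assumptions constructed for this example.

```python
# Added example: flag DNS lookups for the C2 apex domain named in the advisory
# or any subdomain of it. Log format and sample lines are assumptions.
import re
from typing import Iterable

C2_DOMAIN = "w8510.com"  # apex domain named in the advisory

# Assumed log format: "<timestamp> <client-ip> <queried-name>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<name>\S+)$")


def is_c2_name(name: str, apex: str = C2_DOMAIN) -> bool:
    """True if name is the apex domain or any subdomain of it.

    Matching must respect label boundaries: "notw8510.com" is a different
    domain and must NOT match, which a plain endswith() check gets wrong.
    Trailing dots (FQDN form) and letter case are normalised away.
    """
    n = name.rstrip(".").lower()
    return n == apex or n.endswith("." + apex)


def find_c2_lookups(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, queried-name) for every hit on the C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        if is_c2_name(m["name"]):
            hits.append((m["ts"], m["client"], m["name"]))
    return hits


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
2024-09-18T10:01:02Z 10.0.0.5 www.example.com
2024-09-18T10:01:07Z 10.0.0.9 abc123.w8510.com
2024-09-18T10:01:09Z 10.0.0.9 notw8510.com
2024-09-18T10:01:11Z 10.0.0.12 W8510.COM.
2024-09-18T10:01:15Z 10.0.0.7 deep.sub.w8510.com
garbage line
"""

if __name__ == "__main__":
    for ts, client, name in find_c2_lookups(SAMPLE_LOG.splitlines()):
        print(f"{ts} {client} queried {name}")
```

Because the payload talks TLS on port 443 just like ordinary web traffic, the port alone is not a useful signal; the resolved names are what distinguish the C2 traffic.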

FBI promises big cash savings on ransomware

Wray also lauded the efforts of his agency to defeat ransomware gangs where possible, and help negotiate settlements for victims if all else fails.

The FBI has developed and shared decryption keys for unscrambling files on infected machines after reverse-engineering various ransomware binaries over the past two years, and has helped nearly 1,000 organizations around the world recover their data, saving them over $800 million, he said - not to mention some of the time spent clearing up after an attack.

He cited the case of the Los Angeles Unified School District (LAUSD) ransomware infection, where America's second largest school system was hit over the Labor Day weekend in 2022. The FBI had a team there within an hour, Wray said, and had "priority systems" back online before the long weekend was over.

Then Wray made a surprising admission - the FBI will help negotiate with criminals when victims choose to pay up. We assume that will happen if an extorted organization is in a particularly sensitive bind.

He cited a case last summer where an unnamed US cancer treatment center was crippled by ransomware, leaving patients stuck without the urgent care they needed to survive.

"It's hard to think of a case where the criminals were more callous or when getting back online fast mattered more," Wray said. The center called in the FBI team immediately and they set to work, trying to decrypt the health facility's scrambled infected servers.

"In addition to technical experts we also deployed crisis negotiators. We were helping the center negotiate the ransom payment, getting it from $450,000 down to $50,000," he recounted.

"Using the decryption key the hackers then provided, the center was able to resume operations days after the attack. In that instance, it was not only time saving to work with the bureau but, according to the cancer center, it was also lifesaving."

The admission that the FBI is facilitating payments is something of a shift in the agency's stance. It used to be very hard-line about not paying off cyber-extortionists, although in 2019 it adjusted its position slightly by acknowledging that payment was an option for some businesses. FBI agents being directly involved in negotiating with malware slingers seems a new step.

The White House meanwhile is trying to negotiate an international treaty to ban government bodies from paying cyber-ransoms, hosting a Counter Ransomware Initiative (CRI) summit last year to persuade other countries to sign up. ®

Source: go.theregister.com
