Dive Brief:
- The FBI disrupted a massive state-linked botnet that compromised more than 260,000 devices worldwide in order to hack critical infrastructure providers in the U.S. and other countries, FBI Director Christopher Wray announced in a speech Wednesday during the Aspen Cyber Summit.
- The botnet was linked to a threat group known as Flax Typhoon, which has targeted critical manufacturing, IT, telecom, government and other organizations in Taiwan, the U.S. and other countries since 2021.
- The botnet compromised thousands of small office/home office routers, digital video cameras, internet-protocol cameras and network-attached storage devices. Almost half of the compromised devices were located in the U.S., according to an advisory from the FBI, Cyber National Mission Force and National Security Agency.
Dive Insight:
The botnet highlights an ongoing threat to U.S. critical infrastructure: the exploitation of weaknesses in commonly used IoT devices. The campaign used a Mirai malware variant to compromise these devices and target various critical infrastructure providers with DDoS attacks, data theft and other malicious activity.
Researchers from Black Lotus Labs, a threat intelligence arm of Lumen Technologies, released a report Wednesday outlining much of the Flax Typhoon operations.
The Black Lotus Labs report said the botnet, which it calls Raptor Train, was developed to enable large-scale DDoS attacks, and that researchers found evidence of possible exploitation attempts involving Ivanti Connect Secure appliances and Atlassian Confluence servers.
Federal authorities said the Flax Typhoon hackers operated through Integrity Technology Group, a publicly traded firm based in Beijing. The firm gave customers the ability to log in to an online application and control targeted devices.
“Now I view this as another successful disruption, but make no mistake, it is just one round in a much longer fight,” Wray said about the operation. “The Chinese government is going to continue to target your organizations and our critical infrastructure, either by their own hand or concealed through their proxies.”
FBI officials outlined details of the takedown operation in an affidavit, noting that a California-based firm reported threat activity that traced back to IP addresses associated with Flax Typhoon. The hackers attempted to counter the FBI operation with a DDoS attack, but were unsuccessful.
Federal authorities urged users to disable unused ports and services, employ more complex passwords, apply patches and security upgrades, and replace equipment that has reached end-of-life status.
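The four recommendations above can be turned into a repeatable inventory check. The script below is an added example, not code from the page or from the FBI/NSA advisory: it audits a constructed list of SOHO router and camera records against each recommendation (unneeded exposed services, weak or default admin passwords, stale patch level, end-of-life hardware) and reports what an administrator should change. The allowed-service baseline, password rules, patch-age threshold and device records are all assumptions chosen for illustration.

```python
"""Audit a SOHO/IoT device inventory against the federal guidance quoted in
the article: disable unused ports and services, use stronger passwords,
apply patches, and retire end-of-life equipment.

Added example; the inventory records and every threshold are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed policy baseline: the only service a managed router or camera
# is expected to expose is its HTTPS admin interface. Anything else is
# treated as an unused service that should be disabled.
ALLOWED_SERVICES = {"https"}
MIN_PASSWORD_LEN = 12                                  # assumed policy
DEFAULT_PASSWORDS = {"admin", "password", "12345", "root"}  # constructed
MAX_PATCH_AGE_DAYS = 90                                # assumed policy
AUDIT_DATE = date(2024, 9, 19)                         # constructed "today"


@dataclass
class Device:
    """One inventory record (constructed fields, not an advisory schema)."""
    name: str
    kind: str
    open_services: Dict[int, str]   # listening port -> service name
    admin_password: str
    last_patched: date
    end_of_life: Optional[date] = None


def audit_device(dev: Device, today: date) -> List[str]:
    """Return the remediation findings for one device, in a stable order."""
    findings: List[str] = []

    # 1. Disable unused ports and services.
    for port, svc in sorted(dev.open_services.items()):
        if svc not in ALLOWED_SERVICES:
            findings.append(f"disable unused service {svc} on port {port}")

    # 2. Employ more complex passwords (and never a vendor default).
    pw = dev.admin_password
    if pw.lower() in DEFAULT_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
        findings.append("replace weak or default admin password")

    # 3. Apply patches and security upgrades.
    if (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append(
            f"apply patches (last patched {dev.last_patched.isoformat()})"
        )

    # 4. Replace equipment that has reached end-of-life status.
    if dev.end_of_life is not None and dev.end_of_life <= today:
        findings.append("replace end-of-life device")

    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each device name to its list of findings (empty list = compliant)."""
    return {d.name: audit_device(d, today) for d in devices}


# Constructed sample inventory: one neglected router, one well-kept camera.
SAMPLE_INVENTORY = [
    Device("office-router", "soho-router",
           {443: "https", 23: "telnet", 7547: "cwmp"},
           "admin", date(2023, 11, 2), end_of_life=date(2024, 1, 31)),
    Device("lobby-cam", "ip-camera",
           {443: "https"},
           "A-long-camera-passphrase-42", date(2024, 9, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Running the script lists five findings for the router (two exposed services, a default password, a patch level older than 90 days, and an expired end-of-life date) and none for the camera. In practice the `Device` records would be populated from a network scan of your own management VLAN plus the vendor's published end-of-life dates rather than typed in by hand.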
The disruption of the Flax Typhoon botnet follows another major operation by the FBI in January, when the agency led the takedown of a botnet linked to Volt Typhoon.
Volt Typhoon is a state-linked threat group working to attack U.S. critical infrastructure in order to sow fear and panic in connection with a potential military action in the Asia-Pacific region, U.S. authorities warned during a congressional hearing in February.
Wray said the FBI will continue to work with its partners to identify such malicious activity and bring the actions out in the open.
Researchers at Microsoft in August 2023 observed Flax Typhoon targeting organizations in Taiwan and installing China Chopper malware. Microsoft researchers originally warned about malicious activities linked to Volt Typhoon in May 2023.