FBI says it recently dismantled a second major China-linked botnet


The FBI led an operation last week to disrupt a global botnet with connections to the Chinese government, much like its action against the Volt Typhoon hacking group earlier this year, bureau Director Christopher Wray said Tuesday.

A group tracked as Flax Typhoon infected “hundreds of thousands” of devices worldwide as part of an operation to compromise organizations and exfiltrate data, Wray said in a speech at the Aspen Cyber Summit in Washington, D.C.

Flax Typhoon is associated with Integrity Technology Group, a Chinese company that has publicly acknowledged its connections to China’s government, Wray said.


Unlike Volt Typhoon, which focused on internet routers to build its botnet, Flax Typhoon infected internet of things (IoT) hardware like “cameras, video recorders and storage devices — things typically found across big and small organizations,” he said.

The FBI used a court authorization obtained under Rule 41 of the Federal Rules of Criminal Procedure, the provision that lets a judge issue a warrant for remote access to compromised computers, to remove the malware from infected devices and take control of Flax Typhoon’s internet infrastructure, Wray said. The bureau has used that power previously against Russian and Chinese operations.

“Now when the bad guys realized what was happening, they tried to migrate their botnets to new servers, and even conducted a DDoS attack against us,” Wray said, referring to a type of attack that floods servers with junk traffic to knock them offline.

The FBI mitigated that attack and also identified the group’s new infrastructure “in just a matter of hours,” Wray said. “At that point, as we began pivoting to their new servers, we think the bad guys finally realized it was the FBI and our partners that they were up against, and with that realization, they essentially burned down their new infrastructure and abandoned their botnet.”

Flax Typhoon cast a wide net, targeting “everyone from corporations and media organizations to universities and government agencies,” Wray said. About half of the hijacked devices were located in the U.S., he said.

“Flax Typhoon’s actions caused real harm to its victims, who had to devote precious time to clean up the mess when they discovered the malware,” Wray said. One organization in California had to initiate an all-hands response and faced a significant financial loss, Wray said. He did not specify the organization. 

Wray called the operation against Flax Typhoon “one round in a much longer fight.”

Cybersecurity researchers said previously that the group initially had shown a particular interest in cyber-espionage operations against Taiwan.


Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years’ experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.
