FBI says it recently dismantled a second major China-linked botnet


The FBI led an operation last week to disrupt a global botnet with connections to the Chinese government, much like its action against the Volt Typhoon hacking group earlier this year, bureau Director Christopher Wray said Tuesday.

A group tracked as Flax Typhoon infected “hundreds of thousands” of devices worldwide as part of an operation to compromise organizations and exfiltrate data, Wray said in a speech at the Aspen Cyber Summit in Washington, D.C.

Flax Typhoon is associated with Integrity Technology Group, a Chinese company that has publicly acknowledged its connections to China’s government, Wray said.

Read More: Company listed on Shanghai stock exchange accused of aiding Chinese cyberattacks

Unlike Volt Typhoon, which focused on internet routers to build its botnet, Flax Typhoon infected internet of things (IoT) hardware like “cameras, video recorders and storage devices — things typically found across big and small organizations,” he said.

The FBI used a court authorization — under a procedure known as Rule 41 — to remove the malware from infected devices and take control of Flax Typhoon’s internet infrastructure, Wray said. The bureau has used that power previously against Russian and Chinese operations.

“Now when the bad guys realized what was happening, they tried to migrate their botnets to new servers, and even conducted a DDoS attack against us,” Wray said, referring to a type of attack that floods servers with junk traffic to knock them offline.

The FBI mitigated that attack and also identified the group’s new infrastructure “in just a matter of hours,” Wray said. “At that point, as we began pivoting to their new servers, we think the bad guys finally realized it was the FBI and our partners that they were up against, and with that realization, they essentially burned down their new infrastructure and abandoned their botnet.”

Flax Typhoon cast a wide net, targeting “everyone from corporations and media organizations to universities and government agencies,” Wray said. About half of the hijacked devices were located in the U.S., he said.

“Flax Typhoon’s actions caused real harm to its victims, who had to devote precious time to clean up the mess when they discovered the malware,” Wray said. One organization in California had to initiate an all-hands response and faced a significant financial loss, he said, without naming the organization.

Wray called the operation against Flax Typhoon “one round in a much longer fight.”

Cybersecurity researchers said previously that the group initially had shown a particular interest in cyber-espionage operations against Taiwan.


Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.
