FBI says it recently dismantled a second major China-linked botnet

Avatar

The FBI led an operation last week to disrupt a global botnet with connections to the Chinese government, much like its action against the Volt Typhoon hacking group earlier this year, bureau Director Christopher Wray said Tuesday.

A group tracked as Flax Typhoon infected “hundreds of thousands” of devices worldwide as part of an operation to compromise organizations and exfiltrate data, Wray said in a speech at the Aspen Cyber Summit in Washington, D.C.

Flax Typhoon is associated with Integrity Technology Group, a Chinese company that has publicly acknowledged its connections to China’s government, Wray said.

Read More: Company listed on Shanghai stock exchange accused of aiding Chinese cyberattacks

Unlike Volt Typhoon, which focused on internet routers to build its botnet, Flax Typhoon infected internet of things (IoT) hardware like “cameras, video recorders and storage devices — things typically found across big and small organizations,” he said.

The FBI used a court authorization — under a procedure known as Rule 41 — to remove the malware from infected devices and take control of Flax Typhoon’s internet infrastructure, Wray said. The bureau has used that power previously against Russian and Chinese operations. 

“Now when the bad guys realized what was happening, they tried to migrate their botnets to new servers, and even conducted a DDoS attack against us,” Wray said, referring to a type of attack that floods servers with junk traffic to knock them offline.

The FBI mitigated that attack and also identified the group’s new infrastructure “in just a matter of hours,” Wray said. “At that point, as we began pivoting to their new servers, we think the bad guys finally realized it was the FBI and our partners that they were up against, and with that realization, they essentially burned down their new infrastructure and abandoned their botnet.”

Flax Typhoon cast a wide net, targeting “everyone from corporations and media organizations to universities and government agencies,” Wray said. About half of the hijacked devices were located in the U.S., he said.

“Flax Typhoon’s actions caused real harm to its victims, who had to devote precious time to clean up the mess when they discovered the malware,” Wray said. One organization in California had to initiate an all-hands response and faced a significant financial loss, Wray said. He did not specify the organization. 

Wray called the operation against Flax Typhoon “one round in a much longer fight.”

Cybersecurity researchers said previously that the group initially had shown a particular interest in cyber-espionage operations against Taiwan.

CybercrimeGovernmentChinaNewsNation-stateNews BriefsLeadership
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Joe Warminsky

is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.

 

Total
0
Shares
Previous Post

North Korea-linked hackers target energy and aerospace companies in new espionage campaign

Next Post

Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms

Related Posts

Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild. The flaws are listed below - CVE-2024-44308 - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content CVE-2024-44309 - A cookie management vulnerability in
Avatar
Read More