FBI disrupts 260,000-strong botnet targeting universities and government agencies in US


The FBI has disrupted a vast botnet being used by a Chinese threat group to target universities, government agencies, and other organizations in the US.

The Five Eyes intelligence alliance recently issued a joint advisory warning organizations to take protective action after identifying the botnet, which was being used to launch DDoS attacks against US organizations or to compromise them.

Speaking at the Aspen Cyber Summit, Chris Wray, director of the FBI, said the threat campaign orchestrated by the Flax Typhoon group had installed malware on over 200,000 consumer devices.

During his address, Wray announced the FBI and US Justice Department were able to seize the botnet’s infrastructure, with half of the hijacked devices being located in the US.

These devices include cameras, video recorders, and both home and office internet routers, which together formed a vast botnet used to steal sensitive information.

The attacks bore similarities to another botnet campaign orchestrated by the Volt Typhoon group, Wray said, which also used internet-connected devices to create a botnet that helped compromise systems and exfiltrate sensitive information.

Wray noted, however, that Flax Typhoon’s botnet compromised a wider array of devices than the router-based network operated by Volt Typhoon.

Wray stated the Flax Typhoon group has been masquerading as an information security company, but has long been known to be operating with close ties to the Chinese government.

“[T]hey represent themselves as an information security company—the Integrity Technology Group. But their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies.”

The FBI and Justice Department obtained a warrant to seize the botnet’s infrastructure but did not cite any of the specific targets by name, only stating they included universities, government agencies, telecommunications providers, media firms, and non-governmental organizations.

Wray warned that although this operation was a success, the wider ecosystem of state-affiliated cyber attacks coming out of China was still alive and well.

“This was another successful disruption, but make no mistake — it’s just one round in a much longer fight. The Chinese government is going to continue to target your organizations and our critical infrastructure, either by their own hand or concealed through their proxies, and we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light,” he said.

Flax Typhoon turns its sights on US organizations after a previous focus on Taiwan

According to threat intelligence published by Microsoft in 2023, Flax Typhoon has been active since approximately 2021, with other reports speculating that the group’s activity began as early as 2020.

The group’s early activity consisted of attacks predominantly targeting government agencies, education, critical manufacturing, and IT organizations in Taiwan, Microsoft noted.

Although the group originally targeted organizations based in Taiwan, some victims are also known to have resided in Southeast Asia, Africa, and North America.

At the time of Microsoft’s report, the group was described as primarily relying on living-off-the-land techniques and hands-on-keyboard activity, where the attackers manually execute malicious activities, rather than using scripted commands via tools such as PowerShell.

The group is said to focus on establishing persistence, lateral movement, and credential access, which implies an objective to perform espionage, but Microsoft added it had not observed this in the wild at the time.

“While the actor’s observed behavior suggests Flax Typhoon intends to perform espionage and maintain their network footholds, Microsoft has not observed Flax Typhoon act on final objectives in this campaign.”

The joint advisory issued by the US Justice Department, NCSC, and other international crime agencies advised organizations to disable unused services and ports, implement network segmentation, monitor for high network traffic volume, apply security patches, replace default passwords, and plan for device reboots to protect themselves against potential compromise.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.