DoJ disrupts Chinese state-sponsored botnet targeting global networks, posing threat to national security


The U.S. Department of Justice (DoJ) announced a court-authorized operation disrupting a global botnet employed by state-sponsored hackers from the People’s Republic of China (PRC). The operators’ attempts to thwart the FBI’s intervention failed. These nation-state actors, active since 2021, have targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan and elsewhere. A joint cybersecurity advisory was issued advising network defenders to mitigate threats posed by these adversaries attempting to use botnets for malicious cyber activity. The guidance applies both to preventing IoT devices from becoming part of a botnet and to defending networks from botnets already in operation.

Integrity Technology Group, a publicly traded company headquartered in Beijing, developed and controlled the botnet. The company built an online application allowing its customers to log in and control specified infected victim devices, including a menu of malicious cyber commands using a tool called ‘vulnerability-arsenal.’ The online application was prominently labeled ‘KRLab,’ one of the main public brands used by Integrity Technology Group.

The agency also disclosed that in court documents unsealed in the Western District of Pennsylvania, the botnet devices were infected by PRC state-sponsored hackers working for Integrity Technology Group, a company based in Beijing, and known to the private sector as ‘Flax Typhoon.’ The FBI’s investigation has corroborated Microsoft’s conclusions, finding that Flax Typhoon has attacked multiple U.S. and foreign corporations, universities, government agencies, telecommunications providers, and media organizations.

Microsoft Threat Intelligence had in August last year described Flax Typhoon as targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks. 

The FBI’s San Diego Field Office and Cyber Division, the U.S. Attorney’s Office for the Western District of Pennsylvania, and the National Security Cyber Section of the Justice Department’s National Security Division led the domestic disruption effort. Assistance was also provided by the Criminal Division’s Computer Crime and Intellectual Property Section. These efforts would not have been successful without the collaboration of partners, including French authorities and Lumen Technologies’ threat intelligence group, Black Lotus Labs, which first identified and described this botnet, naming it Raptor Train, in July 2023.

“The Justice Department is zeroing in on the Chinese government-backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security,” Merrick B. Garland, Attorney General said in a media statement. “As we did earlier this year, the Justice Department has again destroyed a botnet used by PRC-backed hackers to infiltrate consumer devices here in the United States and around the world. We will continue to aggressively counter the threat that China’s state-sponsored hacking groups pose to the American people.”

“Our takedown of this state-sponsored botnet reflects the Department’s all-tools approach to disrupting cyber criminals. This network, managed by a PRC government contractor, hijacked hundreds of thousands of private routers, cameras, and other consumer devices to create a malicious system for the PRC to exploit,” said Deputy Attorney General Lisa Monaco. “Today should serve as a warning to cybercriminals preying on Americans – if you continue to come for us, we will come for you.”

“This dynamic operation demonstrates, once again, the Justice Department’s resolve in countering the threats posed by PRC state-sponsored hackers,” said Assistant Attorney General Matthew G. Olsen of the National Security Division. “For the second time this year, we have disrupted a botnet used by PRC proxies to conceal their efforts to hack into networks in the U.S. and around the world to steal information and hold our infrastructure at risk. Our message to these hackers is clear: if you build it, we will bust it.”

“The disruption of this worldwide botnet is part of the FBI’s commitment to using technical operations to help protect victims, expose publicly the scope of these criminal hacking campaigns, and use the adversary’s tools against them to remove malicious infrastructure from the virtual battlefield,” said FBI Deputy Director Paul Abbate. “The FBI’s unique legal authorities allowed it to lead an international operation with partners that collectively disconnected this botnet from its China-based hackers at Integrity Technology Group.”

“The targeted hacking of hundreds of thousands of innocent victims in the United States and around the world shows the breadth and aggressiveness of PRC state-sponsored hackers,” said U.S. Attorney Eric G. Olshan for the Western District of Pennsylvania. “This court-authorized operation disrupted a sophisticated botnet designed to steal sensitive information and launch disruptive cyber attacks. We will continue to work with our partners inside and outside government, using every tool at our disposal, to defend and maintain global cybersecurity.”

“The FBI’s investigation revealed that a publicly traded, China-based company is openly selling its customers the ability to hack into and control thousands of consumer devices worldwide. This operation sends a clear message to the PRC that the United States will not tolerate this shameless criminal conduct,” said Special Agent in Charge Stacey Moy of the FBI San Diego Field Office.

The botnet malware infected numerous types of consumer devices, including small-office/home-office (SOHO) routers, internet protocol (IP) cameras, digital video recorders (DVRs), and network-attached storage (NAS) devices. The malware connected these thousands of infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices. 

The court-authorized operation took control of the hackers’ computer infrastructure and, among other steps, sent disabling commands through that infrastructure to the malware on the infected devices. During the operation, there was an attempt to interfere with the FBI’s remediation efforts through a distributed denial-of-service (DDoS) attack targeting the operational infrastructure that the FBI was utilizing to effectuate the court’s orders. That attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet.

The joint advisory is urging organizations to take steps to prevent their networks from being used for malicious activities by botnets. To do this, they recommend disabling unused services and ports, implementing network segmentation, and monitoring for unusual network traffic. Additionally, they advise organizations to keep their software and firmware up to date, use strong passwords, and plan for device reboots to remove malware. By taking these steps, organizations can help prevent their networks from being compromised by botnets.
