FBI joint operation takes down massive Chinese botnet, Wray says
The FBI conducted a joint operation last week to take down a massive Chinese state-sponsored botnet that the attackers used to compromise hundreds of thousands of devices, target U.S. and overseas critical infrastructure and steal data, Director Chris Wray said Wednesday.
The group behind the botnet, Flax Typhoon, hijacked routers and Internet of Things devices like cameras, video recorders and storage devices, Wray said at the Aspen Cyber Summit — a step beyond the much-hyped operations of fellow Chinese hackers Volt Typhoon that had focused on routers. The targets included corporations, media organizations, universities and government agencies.
“Flax Typhoon’s actions caused real harm to its victims,” he said. “Working in collaboration with our partners, we executed court-authorized operations to take control of the botnet’s infrastructure.
“And when the bad guys realized what was happening, they tried to migrate their bots to new servers, and even conducted a DDoS attack against us,” Wray continued, referring to distributed denial of service attacks. “Working with our partners, we were able to not only mitigate their attack, but also identify their new infrastructure in just a matter of hours. At that point, as we began pivoting to their new servers, these guys finally realized it was the FBI and our partners that we were up against, and with that realization, they essentially burned down their new infrastructure and abandoned their” salvation efforts.
The FBI joint operation was able to identify thousands of infected devices, he said, thus allowing it to remove malware from them, “prying them from China’s grip,” he said.
The people behind the attack, according to Wray, “represent themselves as an information security company, the Integrity Technology Group, but their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies.”
Despite the success, Wray said “it is just round one of a much longer fight.”
Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said during a White House call with reporters Wednesday that increasing the costs of Chinese cyber operations is an integral portion of the U.S. strategy to counter Chinese digital infiltration. This take down is “making it riskier, costly and harder for the Chinese to operate,” she said.
The Biden administration is also working to boost the digital defenses of crown jewels — like government or critical infrastructure networks — and build capabilities to “deter nation state adversaries from using” offensive tools, Neuberger added.
In a report released hours after Wray’s comments, researchers with Black Lotus Labs detailed a series of campaigns carried out by the botnet — which they call Raptor Train — over the past four years, including those that targeted military, government, telecommunications and defense industry entities in the U.S. and Taiwan.
Researchers at Black Lotus Labs, the threat research and operations arm of the U.S. telecommunications firm Lumen, said the full scope remains unclear, but some targets have been detected, including a “large scanning effort” in late December 2023 targeting U.S. military (including assets located in Japan), U.S. government, IT providers and unnamed defense industry organizations.
Further activity included widespread, global targeting that included a government agency in Kazakhstan, and more targeted scanning and likely exploitation attempts against vulnerable software, including Atlassian Confluence servers and Ivanti Connect Secure appliances, the researchers said.
The entire operation is managed through an application called “Sparrow” that enables scalable exploitation of bot, vulnerability and exploit management, remote management of command and control infrastructure, file uploads and downloads, remote command execution and the ability to tailor distributed denial of service attacks at scale, the researchers said.
“While Black Lotus Labs has yet to see any DDoS attacks originating from Raptor Train, we suspect this is an ability the China-based operators preserve for future use,” the researchers noted.
The team outlined its findings in a blog post and a longer technical analysis unpacking the botnet’s architecture, four overlapping campaigns, malware delivered through the botnet, and attribution and operational use.
Also Wednesday, the National Security Agency — in a joint advisory produced by other U.S. and allied security agencies — said the botnet consisted of over 260,000 devices as of June, with victims in North America, South America, Europe, Africa, Southeast Asia and Australia.
“While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech controlled botnet are likely still supported by their respective vendors,” reads the advisory, produced alongside the FBI and Cyber National Mission Force, as well as agencies in Australia, Canada, New Zealand and the United Kingdom.
The advisory states that Integrity Technology Group controlled the botnet with China Unicom Beijing Province Network internet protocol addresses, and used those addresses to access “other operational infrastructure employed in computer intrusion activities against U.S. victims.”
The botnet relied on the Mirai family of malware, according to the advisory. The United States accounted for 126,000 of botnet devices, with the next highest number in Vietnam at 21,100.
An Aug. 24, 2023 blog post by Microsoft Threat Intelligence noted that although Microsoft did not have full visibility into Flax Typhoon’s activity, the group’s minimal use of malware and deft ability to rely on tools already built into target operating systems, along with benign software, helps reduce detection.
That approach, also known as “living off the land,” has been a key facet of what U.S. officials have termed aggressive and intense Chinese-sponsored cyber activity in recent years. Alongside more typical espionage and intellectual property theft activities, officials say similar Chinese operations have increasingly burrowed into sensitive U.S. critical infrastructure networks with little to no traditional military value.
Instead, U.S. officials allege, this variety of Chinese activity is more likely preparatory prepositioning to disrupt key U.S., Taiwanese and other targets — civilian and government — in the event of a military confrontation. Top U.S. intelligence and cybersecurity officials have warned since early 2023 of the activity, tracked under Volt Typhoon.
During the White House call, a senior administration official noted that Flax Typhoon is a private-sector entity working on behalf of Beijing, while Volt Typhoon can be thought of as government actors.
U.S. Deputy Attorney General Lisa Monaco used similar rhetoric, noting that the Justice Department is pivoting to prioritizing disruption alongside the agency’s traditional prosecution.
“The theme is disruption, prevention, putting victims at the center of our strategy, and that’s what we’ve done again today.” Monaco said during a panel at the Aspen Cyber Summit on Wednesday.
Key to Volt Typhoon activity has been its targeting of privately owned small office/home office (SOHO) routers that are either at the end of life and not regularly updated or are difficult for owners to monitor and update. In January, the DOJ and the FBI disrupted the KV Botnet, which was used as part of Volt Typhoon activity and abused similar kinds of devices.
The Chinese government has consistently denied U.S. characterizations of its cyber activity, including Volt Typhoon, alleging instead that it is a U.S. disinformation campaign designed to frame China.
This story was updated Sept. 18, 2024 with details from the Black Lotus Labs report, the NSA joint advisory, and comments from Anne Neuberger, Lisa Monaco and a Biden official.