FBI Director Christopher Wray speaks September 18, 2024, at the Aspen Cyber Summit in Washington, D.C. Image: Aspen Cyber Summit/Laurence Genon

FBI says it recently dismantled a second major China-linked botnet

The FBI led an operation last week to disrupt a global botnet with connections to the Chinese government, much like its action against the Volt Typhoon hacking group earlier this year, bureau Director Christopher Wray said Tuesday.

A group tracked as Flax Typhoon infected “hundreds of thousands” of devices worldwide as part of an operation to compromise organizations and exfiltrate data, Wray said in a speech at the Aspen Cyber Summit in Washington, D.C.

Flax Typhoon is associated with Integrity Technology Group, a Chinese company that has publicly acknowledged its connections to China’s government, Wray said.


Unlike Volt Typhoon, which focused on internet routers to build its botnet, Flax Typhoon infected internet of things (IoT) hardware like “cameras, video recorders and storage devices — things typically found across big and small organizations,” he said.

The FBI used a court authorization — under a procedure known as Rule 41 — to remove the malware from infected devices and take control of Flax Typhoon’s internet infrastructure, Wray said. The bureau has used that power previously against Russian and Chinese operations. 

“Now when the bad guys realized what was happening, they tried to migrate their botnets to new servers, and even conducted a DDoS attack against us,” Wray said, referring to a type of attack that floods servers with junk traffic to knock them offline.

The FBI mitigated that attack and also identified the group’s new infrastructure “in just a matter of hours,” Wray said. “At that point, as we began pivoting to their new servers, we think the bad guys finally realized it was the FBI and our partners that they were up against, and with that realization, they essentially burned down their new infrastructure and abandoned their botnet.”

Flax Typhoon cast a wide net, targeting “everyone from corporations and media organizations to universities and government agencies,” Wray said. About half of the hijacked devices were located in the U.S., he said.

“Flax Typhoon’s actions caused real harm to its victims, who had to devote precious time to clean up the mess when they discovered the malware,” Wray said. One organization in California had to initiate an all-hands response and faced a significant financial loss, Wray said. He did not specify the organization. 

Wray called the operation against Flax Typhoon “one round in a much longer fight.”

Cybersecurity researchers said previously that the group initially had shown a particular interest in cyber-espionage operations against Taiwan.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.