NCSC unmasks Chinese company running massive botnet

Linked to state-backed actor Flax Typhoon

The UK's National Cyber Security Centre (NCSC) and its allies in the Five Eyes intelligence alliance have exposed a China-based firm operating a massive botnet network, suspected to be acting on behalf of the Chinese government.

A joint advisory by the agencies accuses the company, Integrity Technology Group, of controlling over 260,000 compromised devices, with around 8,500 located in the UK.

The advisory says the botnet – primarily composed of network and security devices like routers and firewalls, as well as everyday items like CCTV cameras and webcams – is being used to launch coordinated attacks, including DDoS and malware delivery.

As is common with botnets, the devices' owners are thought to be unaware of their involvement.

Integrity Technology Group is based in Beijing and operates under the guise of a legitimate network security provider. However, the Five Eyes agencies say its expertise is being used to serve the Chinese government.

Integrity's use of IP addresses registered to China Unicom's Beijing Province operations was key in tracking its activities back to the company. Further investigation revealed connections between Integrity's infrastructure and cyberattacks targeting victims in the United States.

Specifically, the activity is linked to a state-backed advanced persistent threat (APT) actor known as Flax Typhoon (also known as RedJuliett and Ethereal Panda).

Flax Typhoon has a history of sophisticated cyberattacks. In this case, the botnet leverages the Mirai malware family, targeting devices with known vulnerabilities in Linux-based operating systems.

Once infected, Mirai establishes a secure connection with Integrity's control centre and gathers information about the device, including operating system version, memory details and bandwidth.

This information allows for further exploitation and targeting.

The investigation also revealed that some Mirai payloads are programmed to self-destruct, making detection more difficult.

The NCSC and allies have urged individuals and organisations to take immediate action. This includes patching vulnerabilities, using strong passwords and staying vigilant about suspicious network activity.
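The advisory's call to watch for suspicious network activity is easier to act on with a concrete check. The script below is an added example, not code from the NCSC, the advisory or the article: it reads constructed flow records for a small network, and flags inventoried IoT appliances (cameras, a router) that contact destinations outside an assumed allowlist, push an unusually large outbound packet count to a single destination (the pattern a device takes part in when used for DDoS), or fan out to several unexpected hosts. The inventory, allowlist, thresholds and flow lines are all assumptions a site would replace with its own data.

```python
"""Flag IoT devices that talk to unexpected destinations or push DDoS-like volume.

Added example, not part of the NCSC advisory or the article. Every address,
device name and threshold below is a constructed assumption.
"""
from collections import defaultdict
import ipaddress

# Constructed inventory: LAN addresses of IoT appliances and their friendly names.
IOT_DEVICES = {
    "192.168.1.20": "lobby-camera",
    "192.168.1.21": "warehouse-camera",
    "192.168.1.1": "edge-router",
}

# Assumed allowlist: networks these appliances legitimately contact.
# 203.0.113.0/24 stands in for a vendor cloud (it is a documentation range).
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]

DDOS_PACKET_THRESHOLD = 50_000  # outbound packets to one destination per window (assumed)
FANOUT_THRESHOLD = 3            # distinct unexpected destinations per window (assumed)

# Constructed flow export, one record per line:
# src,dst,dst_port,proto,packets,bytes
SAMPLE_FLOWS = """\
192.168.1.20,203.0.113.10,443,tcp,120,61440
192.168.1.20,198.51.100.7,6667,tcp,40,3200
192.168.1.21,203.0.113.10,443,tcp,98,50176
192.168.1.21,198.51.100.9,80,tcp,80000,40960000
192.168.1.1,192.168.1.20,554,tcp,2000,1024000
192.168.1.1,198.51.100.21,53,udp,4,512
192.168.1.1,198.51.100.22,53,udp,4,512
192.168.1.1,198.51.100.23,53,udp,4,512
192.168.1.50,198.51.100.7,443,tcp,300,153600
"""


def parse_flows(text):
    """Turn the CSV-style export into a list of dicts with typed numeric fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, proto, packets, nbytes = line.split(",")
        flows.append({
            "src": src,
            "dst": dst,
            "dst_port": int(port),
            "proto": proto,
            "packets": int(packets),
            "bytes": int(nbytes),
        })
    return flows


def is_allowed(dst):
    """True if the destination falls inside any allowlisted network."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def analyse(flows):
    """Return (device, finding, detail) tuples for flows that merit a look."""
    alerts = []
    unexpected = defaultdict(set)  # device address -> set of off-allowlist destinations
    for f in flows:
        name = IOT_DEVICES.get(f["src"])
        if name is None:
            continue  # not an inventoried appliance; out of scope for this check
        if not is_allowed(f["dst"]):
            unexpected[f["src"]].add(f["dst"])
            alerts.append((name, "unexpected-destination",
                           f"{f['dst']}:{f['dst_port']}/{f['proto']}"))
        if f["packets"] >= DDOS_PACKET_THRESHOLD:
            alerts.append((name, "high-volume-outbound",
                           f"{f['packets']} packets to {f['dst']}"))
    # A camera or router reaching many new hosts in one window is worth a second look
    # even when each individual flow is small.
    for src, dsts in unexpected.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            alerts.append((IOT_DEVICES[src], "destination-fanout",
                           f"{len(dsts)} unexpected destinations"))
    return alerts


def run_sample():
    """Analyse the constructed flows; kept as a function so it can be asserted on."""
    return analyse(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for device, finding, detail in run_sample():
        print(f"{device:17} {finding:24} {detail}")
```

On the constructed data the edge router's three DNS lookups are flagged only because the assumed allowlist omits the resolvers it uses; that is the usual first tuning step when a check like this is deployed, and it illustrates why the allowlist has to be built from the device's known-good behaviour rather than guessed.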

"Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks," said Paul Chichester, NCSC Director of Operations.

"Whilst the majority of botnets are used to conduct co-ordinated DDoS attacks, we know that some also have the ability to steal sensitive information. That's why the NCSC, along with our partners in Five Eyes countries, is strongly encouraging organisations and individuals to act on the guidance set out in this advisory – which includes applying updates to internet-connected devices – to help prevent their devices from joining a botnet."

Earlier this year, the FBI announced it had blocked an attempted large-scale hack by China's Volt Typhoon group. The agency said attackers installed VPNs on poorly secured routers and used them to control the KV Botnet malware.

The FBI infiltrated the attack and gathered important data before remotely removing the botnet.

In May, law enforcement agencies in the US and Europe took down cybercrime networks that used botnets to steal data, send spam and extort money through ransomware.

The action, dubbed "Operation Endgame," targeted malware droppers like IcedID, SystemBC, Smokeloader, Pikabot and Bumblebee, and seized control of over 2,000 websites.