FBI warns about China-controlled botnet affecting thousands of Americans


The FBI has warned that cyber actors linked to China have compromised over 260,000 internet-connected devices, mostly routers, to create a massive botnet. It’s used for malicious activities, such as distributed denial of service attacks, or as a proxy to conceal identities.

According to the FBI advisory, the botnet has been active since mid-2021 and is controlled and managed by Integrity Technology Group, a China-based company.

The botnet is most active in the US, where it has compromised 126,000 devices as of June 2024, followed by Vietnam (21,100), and Germany (18,900).


The threat actor's prime targets are small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and internet of things (IoT) devices, such as webcams, IP cameras, or DVRs. Many of them have reached their end of life, but a large part of the botnet consists of devices still supported by their respective vendors.

“This botnet infrastructure is comprised of a network of devices, known as ‘bots,’ which are infected with a type of malware that provides threat actors with unauthorized remote access,” the advisory reads.

The FBI warns that the same IP addresses from China Unicom Beijing Province Network, which manages the botnet, were also used in computer intrusion activities against US victims. The activity is associated with the threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda.

Reuters reports that the FBI has disrupted the threat actor by wresting thousands of compromised devices from its grasp. The operation is similar to the one carried out against Volt Typhoon earlier this year.

In a statement to Reuters, the Chinese Embassy in Washington accused US authorities of having “jumped to an unwarranted conclusion and made groundless accusations against China,” claiming that Beijing cracks down on “all forms of cyberattacks.”

The threat actor uses the Mirai malware family to hijack devices. Its source code was posted publicly in 2016, and since then, Mirai botnets have been used for various malicious purposes.

“To recruit a new ‘bot,’ the botnet system first compromises an internet-connected device using one of a variety of known vulnerability exploits. Post-compromise, the victim device executes a Mirai-based malware payload from a remote server,” the FBI explains.

Over 80 subdomains of “w8510.com” were linked to the botnet’s C2 servers, as well as many other domains. Researchers also discovered databases on the botnet’s command and control servers, which stored over 1.2 million records of compromised devices, of which 385,000 unique devices belong to victims in the US.
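Since the advisory ties the C2 infrastructure to subdomains of w8510.com, a network defender can sweep resolver logs for any device on the LAN that looked up that domain or anything beneath it. The following is an added example, not code from the FBI advisory or the article; the log format (dnsmasq-style query lines) and the client addresses are constructed, and the match is done per DNS label so that look-alike names such as "notw8510.com" or "w8510.com.evil.example" are not counted as hits.

```python
import re
from collections import defaultdict
from typing import Dict, List

# C2 domain named in the FBI advisory. Matching is by DNS label, so
# "w8510.com" and every subdomain match, but "notw8510.com" does not.
C2_DOMAINS = {"w8510.com"}

# Constructed sample resolver log in a dnsmasq-like "query[TYPE] name from client" format.
SAMPLE_LOG = """\
Sep 18 10:01:02 gw dnsmasq[123]: query[A] ntp.example.org from 192.168.1.20
Sep 18 10:01:05 gw dnsmasq[123]: query[A] a1.w8510.com from 192.168.1.44
Sep 18 10:01:09 gw dnsmasq[123]: query[A] notw8510.com from 192.168.1.20
Sep 18 10:02:15 gw dnsmasq[123]: query[AAAA] W8510.COM. from 192.168.1.44
Sep 18 10:02:40 gw dnsmasq[123]: query[A] w8510.com.evil.example from 192.168.1.50
Sep 18 10:03:01 gw dnsmasq[123]: query[A] cdn.b7.w8510.com from 192.168.1.61
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def is_c2_name(name: str) -> bool:
    """True if name equals a watched domain or is a subdomain of one.

    Trailing dots (FQDN form) and letter case are normalised first.
    """
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in C2_DOMAINS)


def find_c2_lookups(log_text: str) -> Dict[str, List[str]]:
    """Map each internal client address to the watched names it resolved."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_c2_name(m.group("name")):
            hits[m.group("client")].append(m.group("name"))
    return dict(hits)


if __name__ == "__main__":
    # Any client listed here is a candidate for isolation and firmware review.
    for client, names in find_c2_lookups(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```

A hit identifies a device worth pulling off the network for inspection, not proof of infection, since a single lookup can also come from a scanner or a curious user.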


The threat actor is actively expanding the botnet, with at least 50 different Linux operating system versions found among botnet nodes.

The FBI urges device owners and network defenders to implement measures preventing IoT devices from becoming part of a botnet.

Recommended mitigations include disabling unused services and ports, implementing network segmentation, monitoring for unusually high network traffic volume, applying patches and updates promptly, replacing default passwords with strong ones, rebooting devices periodically, and replacing end-of-life equipment.