The FBI has targeted a botnet that infected more than 260,000 devices worldwide and was operated by a Chinese company to target entities in the United States and Taiwan.
The US Department of Justice (DOJ) has announced the successful disruption of a botnet run by a Chinese firm linked to the government of the People’s Republic of China.
The DOJ reported on the disruption operations on 18 September after court documents detailing the operations were unsealed on the same day.
At the same time, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), alongside US agencies and other Five Eyes nations, released an advisory on the botnet operated by the Chinese firm Integrity Technology Group.
The botnet – which had infected more than 260,000 devices worldwide, including 2,400 in Australia – was running on infected IoT devices, SOHO networking devices, firewalls, and NAS devices.
According to Lumen’s Black Lotus Labs cyber security research team, which assisted US authorities, the botnet was connected to a distributed server network and command-and-control (C2) infrastructure. The researchers are not aware of any distributed denial-of-service (DDoS) attacks coming from the network, though it was well positioned to launch such an attack.
The DOJ said, however, that an unsuccessful DDoS attack was launched against the FBI’s infrastructure while the bureau was in the process of disrupting the network.
Lumen did confirm, however, that some activities on the network were targeting military, education, defence, and government entities in both Taiwan and the US.
The FBI was able to take control of the botnet’s C2 infrastructure and disable the botnet malware on infected devices using extensively tested remote commands. The normal operation of the infected devices was not affected, and the FBI has not collected any other data from those devices.
“Our takedown of this state-sponsored botnet reflects the department’s all-tools approach to disrupting cyber criminals. This network, managed by a PRC government contractor, hijacked hundreds of thousands of private routers, cameras, and other consumer devices to create a malicious system for the PRC to exploit,” Deputy Attorney-General Lisa Monaco said in a statement.
“Today should serve as a warning to cyber criminals preying on Americans – if you continue to come for us, we will come for you.”
Australia’s national cyber security coordinator, Lieutenant General Michelle McGuinness, also commented on the takedown.
“These actors have compromised a range of internet-connected devices to create a network – or ‘botnet’ – positioned for malicious activity. This includes deploying distributed denial-of-service (DDoS) attacks and targeted network infiltration,” LTGEN McGuinness said.
“Organisations and individuals should update device firmware, replace end-of-life equipment, and implement network segmentation to mitigate risks.”
As the ACSC’s advisory notes, the botnet used the Mirai botnet malware and took advantage of hardware that was beyond end-of-life. Infected devices included hardware with known vulnerabilities from Fortinet, QNAP, Ivanti, DrayTek, and Netgear, among others.
Also on the list were Telstra’s older Smart Modem Gen 2 devices.
For a full list of indicators of compromise and impacted devices, see the ACSC’s advisory.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.