FBI disrupts another Chinese state-sponsored botnet

The FBI said the massive botnet, which included 260,000 connected devices, was developed and operated by a publicly traded Chinese company named Integrity Technology Group.

The FBI took down another China-linked botnet that consisted of more than 260,000 connected devices and was controlled by a publicly traded technology company in Beijing.

During a keynote at the 2024 Aspen Cyber Summit in Washington, D.C., on Wednesday, FBI Director Christopher Wray revealed that a joint operation last week disrupted the botnet, which was used by a Chinese advanced persistent threat (APT) group known as Flax Typhoon. It's the second such botnet to be taken down by U.S. authorities in the last 12 months. In December, the Justice Department announced that a joint operation had disrupted the KV botnet, which consisted of hundreds of U.S.-based SOHO routers and was used by the notorious Chinese APT Volt Typhoon.

In his remarks Wednesday, Wray said Flax Typhoon's botnet consisted of more than just routers and included thousands of IoT devices, such as web cameras and video recorders, as well as firewalls and NAS devices. Approximately half of the compromised devices were in the U.S., he said.

Like Volt Typhoon, Flax Typhoon used the botnet to disguise its malicious operations, which included compromising targeted organizations and exfiltrating sensitive data. The court-ordered operation took control of the botnet infrastructure and issued commands to remove Flax Typhoon's malware from the infected devices.

"When the bad guys realized what was happening, they tried to migrate their bots to new servers and even conducted a DDOS attack against us. Working with our partners, we were able to not only mitigate their attack but also identify their new infrastructure in just a matter of hours," Wray said during his keynote. "At that point, as we began pivoting to their new servers, we think the bad guys finally realized that it was the FBI and our partners that they were up against. And with that realization, they essentially burned down their new infrastructure and abandoned their botnet."

Additionally, Wray revealed that Flax Typhoon operates as a publicly traded Chinese company named Integrity Technology Group, also known as Yongxin Zhicheng Technology Group. Based in Beijing, Integrity Tech is a network security vendor founded in 2010.

Wray said Integrity Tech chairman Jun Chen "has publicly admitted that for years, his company has collected intelligence and performed reconnaissance for Chinese government security agencies."

According to an affidavit released by the Justice Department, the FBI traced the threat campaign, which used a variant of the notorious Mirai botnet malware, to Integrity Tech's network. The DOJ said the company developed an application, dubbed Sparrow, to manage the botnet's infrastructure and allow users to control individual bots, issue remote commands and conduct cyberattacks through a tool called "vulnerability-arsenal."

The affidavit stated that Sparrow source code was stored in an online repository and kept in a folder named KRLab, which authorities said is one of Integrity Tech's public brands. In addition to developing the botnet, which was named Raptor Train by researchers at Lumen Technologies' Black Lotus Labs, Integrity Tech was also responsible for cyberattacks and intrusions against various victim organizations, the FBI said.

In a blog post on Wednesday, Black Lotus Labs said it observed Raptor Train-connected attacks against U.S. and Taiwanese military and government agencies as well as IT, higher education, telecommunications and defense contractor organizations. Along with facilitating intrusions of targeted organizations, Black Lotus Labs identified additional functionality. "A major concern of the Raptor Train botnet is the DDoS capability that we have not yet observed actively deployed, but we suspect is being maintained for future use," the researchers wrote in the blog.

According to a joint cybersecurity advisory published Wednesday, investigators discovered at least 50 different Linux OS versions among the botnet nodes. The authoring agencies, which include the FBI, the National Security Agency and the Cyber National Mission Force, identified approximately 70 known vulnerabilities that Integrity Tech exploited to infect devices and gain new botnet victims.

Those known vulnerabilities include CVE-2024-21762, a Fortinet zero-day vulnerability that affects FortiOS and was disclosed in February; CVE-2023-38035, a zero-day vulnerability in Ivanti Sentry that was disclosed in August 2023; and CVE-2023-22527, a critical remote code execution vulnerability in Atlassian's Confluence Data Center and Confluence Server software that came under exploitation soon after it was disclosed in January 2023.

Black Lotus Labs said it observed scanning and likely exploitation attempts against CVE-2024-21887 on Ivanti Connect Secure appliances. CVE-2024-21887 is one of two zero-day vulnerabilities in Ivanti Connect Secure that were exploited by Chinese nation-state actors to breach several victim organizations, including CISA.

The joint advisory recommended that organizations patch the known vulnerabilities used by Flax Typhoon, disable unused internet services and ports, implement network segmentation, and monitor for unusually high network traffic.

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.
