A China-backed cyber crime group attempted to use distributed denial of service (DDoS) attacks to stop the disruption of a global botnet that had compromised up to 1.2 million IoT devices worldwide – including 2,400 in Australia – and used them for cyber crime since 2021.
Chinese government-linked Integrity Technology Group (Integrity Tech) used Mirai malware – whose source code has been widely available since Mirai first appeared in 2016 – to control Internet of Things (IoT) devices including small office / home office (SOHO) routers, IP cameras, digital video recorders, and network attached storage (NAS) devices.
Up to 1.2 million compromised devices were listed in a database used by the cyber criminal group – variously known as ‘Flax Typhoon’, ‘RedJuliett’, and ‘Ethereal Panda’ – to launch co-ordinated attacks on targets, the FBI, NSA and Cyber National Mission Force (CNMF) revealed in a joint advisory that said some 260,000 devices in at least 19 countries were being actively exploited as of June.
“The FBI’s investigation revealed that a publicly-traded, China-based company is openly selling its customers the ability to hack into and control thousands of consumer devices worldwide,” Stacey Moy, special agent in charge of the FBI San Diego Field Office, said in a statement attacking Integrity Tech’s “shameless criminal conduct.”
The group operated command and control (C2) servers through over 80 subdomains of w8510.com, using an application called ‘Sparrow’ to remotely program devices for distributed denial of service (DDoS), data theft, and other attacks.
“Flax Typhoon’s actions caused real harm to its victims, who had to devote precious time to clean up the mess when they discovered the malware,” FBI director Christopher Wray told this week’s 2024 Aspen Cyber Summit in some of his first public comments after the takedown.
One California organisation, he said, “suffered an all-hands-on-deck cyber security incident, and IT staff needed to work long hours to remediate the threats and replace hardware – all of which took swaths of the organisation offline and caused a significant financial loss.”
In taking down the botnet, FBI cyber specialists obtained court approval to take control of the C2 servers, then disable the malware on affected devices.
The Chinese hackers even tried to stop the authorities with a DDoS attack, which the investigators were able to mitigate within hours.
“At that point, as we began pivoting to their new servers, we think the bad guys finally realised that it was the FBI and our partners that they were up against,” Wray said, “and with that realisation they essentially burned down their new infrastructure and abandoned their botnet.”
Do you know where your devices are?
This latest action, which is detailed in a US court filing, follows the January takedown of a similar network operated by the ‘Volt Typhoon’ group that led ASIO director Mike Burgess to warn that Australia is being actively targeted by “aggressive and experienced” foreign intelligence services.
Recognising that such targeting is part of a new normal, authorities have exhorted device manufacturers and owners not only to apply ‘secure by design’ principles, such as those launched in 2020 by the Australian government, but also to help users better secure their devices.
This, the Australian Signals Directorate (ASD) advised, includes disabling unused and unneeded services and ports, using network segmentation to separate IoT devices and adopting ‘least privilege’ principles to limit them to “just enough connectivity to perform their intended function”.
Users should adopt firewalls or intrusion detection systems to watch for high network traffic volumes; apply software and firmware updates when available; replace default passwords with strong passwords; update end-of-life equipment with newer devices supported by vendors; and regularly reboot devices to remove some types of malware.
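The monitoring advice above can be turned into a simple check on an IoT network segment. The script below is an added example, not code from the advisory or the article: it scans constructed flow and DNS records for devices on an assumed IoT VLAN that push abnormal outbound volume, fan out to hundreds of destinations (typical of a DDoS participant), or resolve subdomains of w8510.com, the C2 domain named in the advisory. The VLAN range, thresholds and sample records are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed IoT VLAN (per the segmentation advice) and illustrative thresholds.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
C2_DOMAIN = "w8510.com"            # domain named in the advisory for the botnet's C2
BYTES_THRESHOLD = 50_000_000       # assumed outbound-byte budget per window for one device
DISTINCT_DST_THRESHOLD = 100       # assumed: a camera talks to a few hosts, not hundreds

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [("192.168.50.10", "203.0.113.5", 443, 120_000)]
SAMPLE_FLOWS += [("192.168.50.11", f"198.51.100.{i}", 80, 600_000) for i in range(1, 151)]
# Constructed sample DNS log: (src_ip, queried_name)
SAMPLE_DNS = [("192.168.50.12", "abc.w8510.com."), ("192.168.50.10", "time.example.net")]


def is_c2_subdomain(name: str, domain: str = C2_DOMAIN) -> bool:
    """True if the queried name is the C2 domain itself or any subdomain of it."""
    name = name.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def flag_devices(flows, dns_queries) -> dict:
    """Return {src_ip: [reasons]} for IoT-segment hosts showing botnet-like behaviour."""
    out_bytes = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst, _port, nbytes in flows:
        if ipaddress.ip_address(src) in IOT_SEGMENT:
            out_bytes[src] += nbytes
            dsts[src].add(dst)
    reasons = defaultdict(list)
    for src, total in out_bytes.items():
        if total > BYTES_THRESHOLD:
            reasons[src].append(f"outbound volume {total} B exceeds budget")
        if len(dsts[src]) > DISTINCT_DST_THRESHOLD:
            reasons[src].append(f"{len(dsts[src])} distinct destinations (DDoS-like fan-out)")
    for src, name in dns_queries:
        if ipaddress.ip_address(src) in IOT_SEGMENT and is_c2_subdomain(name):
            reasons[src].append(f"DNS lookup of C2 subdomain {name}")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in flag_devices(SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(ip, "->", "; ".join(why))
```

Devices flagged here are candidates for the reboot, firmware update and password reset steps listed above, not proof of compromise on their own.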
Constant vigilance is crucial for individuals and companies to avoid being compromised by malicious nation-state actors, Wray noted.
“The Chinese government is going to continue to target your organisations and our critical infrastructure, either by their own hand or concealed through their proxies,” he said.
“Although I view this as another successful disruption, make no mistake: it is just one round in a much longer fight.”