Chinese hacking compromised hundreds of thousands of devices containing PII
The US Department of Justice (DOJ) announced Wednesday that the Federal Bureau of Investigation (FBI) sought and obtained court authorization for an operation to disrupt a botnet that was deployed around the world by Chinese state-sponsored hackers to compromise “numerous types of consumer devices, including small-office/home-office routers, internet protocol cameras, digital video recorders, and network-attached storage (NAS) devices.”
The FBI said more than “1.2 million devices worldwide … had at one time been infected with” a variant of the Mirai malware, “including over 385,000 unique U.S.-based victim devices.”
As of June 5, the FBI said, “data indicated that … approximately 260,000 devices, including approximately 126,000 U.S.-based devices, were actively infected.”
The devices “undoubtedly were used” by the Chinese government to attempt to obtain not only the personally identifiable information (PII) of anyone using these devices, but also financial, legal, and business information, the latter of which could include confidential and proprietary information, according to counterintelligence officials Biometric Update spoke to.
Indeed. U.S. Attorney Eric Olshan for the Western District of Pennsylvania said the “court-authorized operation disrupted a sophisticated botnet designed to steal sensitive information and launch disruptive cyberattacks.”
“The FBI’s investigation revealed that a publicly traded, China-based company is openly selling its customers the ability to hack into and control thousands of consumer devices worldwide,” added Special Agent in Charge Stacey Moy of the FBI San Diego Field Office.
Counterintelligence officials expressed concerns about what sensitive personal and other data was able to be obtained or otherwise compromised before the FBI managed to shut down the operation.
The Mirai malware is a type of malware that can infect internet-connected devices without their users’ consent. In May, the FBI said it “analyzed samples of a particular variant of Mirai malware that had been uploaded to an online service that collects suspicious files to analyze and detect malware and other malicious files. This variant was used to infect … devices such as SOHO routers, IP cameras, DVRs, and NAS devices, and was embedded with encoded domain names that resolved to C2 servers. This variant was designed to run on x86, MIPS, ARM, PPC, and SH4 processor architectures.”
Simultaneous with DOJ’s announcement of its operation, a Joint Cybersecurity Advisory describing the hackers’ tactics, techniques, and procedures was issued by the FBI, National Security Agency, U.S. Cyber Command’s Cyber National Mission Force, and partner agencies in Canada, Australia, New Zealand, and the United Kingdom.
The botnet devices were infected and controlled by Chinese state-sponsored hackers working for Integrity Technology Group, a Beijing-based company whose hacking activity is tracked as “Flax Typhoon.”
The FBI said in its affidavit in support of the search and seizure warrant it obtained from the court that the malware “connected … infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices. The court-authorized operation took control of the hackers’ computer infrastructure and, among other steps, sent disabling commands through that infrastructure to the malware on the infected devices.”
The warrant was granted on September 9 but remained sealed until Wednesday because the FBI said “the facts justif[ied] a delay of up to 30 days because it may take multiple weeks to remediate the malware. Premature disclosure to the public at large or to individual subscribers could give the Flax Typhoon hackers the opportunity to make changes to the malware, enabling continued or additional damage to victims’ devices.”
According to court documents, the botnet was developed and controlled by Integrity Technology Group. The FBI said, “the company built an online application allowing its customers to log in and control specified infected victim devices, including with a menu of malicious cyber commands using a tool called ‘vulnerability-arsenal.’ The online application was prominently labelled ‘KRLab,’ one of the main public brands used by Integrity Technology Group.”
The FBI said it had assessed that Integrity Technology Group, in addition to developing and controlling the botnet, was directly responsible for computer intrusion activities attributed to China-based hackers as “Flax Typhoon.” Microsoft Threat Intelligence described Flax Typhoon as nation-state actors based out of China, active since 2021, who have targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan and elsewhere. The FBI said its investigation corroborated Microsoft’s conclusions and determined that Flax Typhoon “successfully attacked multiple US and foreign corporations, universities, government agencies, telecommunications providers, and media organizations.”
Integrity Technology Group Inc, formerly Beijing Integrity Technology Co Ltd, is a China-based company principally engaged in the research and development, production, and sale of network security products, as well as network security services. Its products and services mainly consist of network shooting range (cyber range) products, security control and honeypot products, security tool products, security protection services, and network security competition services. Its security tool products are used by governments, individuals, enterprises, and institutions.
“The Justice Department is zeroing in on the Chinese government-backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security,” said Attorney General Merrick Garland. “As we did earlier this year, the Justice Department has again destroyed a botnet used by People’s Republic of China (PRC) backed hackers to infiltrate consumer devices here in the United States and around the world. We will continue to aggressively counter the threat that China’s state-sponsored hacking groups pose to the American people.”
Deputy Attorney General Lisa Monaco added that “our takedown of this state-sponsored botnet reflects the department’s all-tools approach to disrupting cyber criminals. This network, managed by a PRC government contractor, hijacked hundreds of thousands of private routers, cameras, and other consumer devices to create a malicious system for the PRC to exploit.”
The FBI said that “during the course of [its] operation, there was an attempt to interfere with the FBI’s remediation efforts through a distributed denial-of-service attack targeting the operational infrastructure that the FBI was utilizing to effectuate the court’s orders,” adding that the “attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet.”
DOJ stressed that its malware disabling commands, “which interacted with the malware’s native functionality, were extensively tested prior to the operation. As expected, the operation did not affect the legitimate functions of, or collect content information from, the infected devices. The FBI is providing notice to U.S. owners of devices that were affected by [the] court-authorized operation. The FBI is contacting those victims through their internet service provider, who will provide notice to their customers.”