Recently, the FBI issued a warning regarding China-affiliated cyber actors who have compromised over 260,000 internet-connected devices, primarily routers, to form a large network of bots (botnet).
The FBI advisory explains that the botnet consists of devices infected with malware that grants the attackers unauthorized remote access. The primary targets for this threat actor include small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and Internet of Things (IoT) devices, such as webcams. The hackers utilized this botnet for various malicious activities, including distributed denial of service (DDoS) attacks and concealing their identities online. As of June 2024, the botnet’s most significant presence is in the United States, with approximately 126,000 compromised devices. Other affected countries include Vietnam with 21,100 devices and Germany with 18,900.
According to the FBI advisory, the botnet is controlled by Chinese company Integrity Technology Group and has been active since 2021. The FBI further explains that the same IP addresses used by the China Unicom Beijing Province Network, which manages the botnet, have been linked to intrusion attempts against U.S. targets. These activities are associated with various threat groups, including Flax Typhoon, RedJuliett, and Ethereal Panda.
The attackers use Mirai malware to hack the devices, exploiting known vulnerabilities to deploy a malware payload. Research has identified over 80 subdomains linked to the botnet’s command and control (C2) servers, revealing a database containing more than 1.2 million records of compromised devices.
In response to the threat, the FBI has successfully disrupted the actor’s operations by reclaiming thousands of compromised devices. The Chinese Embassy in Washington has denied the allegations, claiming that U.S. authorities have made baseless accusations against China.
The FBI advises device owners to take preventive measures, including disabling unused services, implementing network segmentation, monitoring for unusual traffic, applying timely updates, replacing default passwords, periodically rebooting devices, and replacing outdated equipment.