Federal agencies work together to take down a botnet that compromised more than 200,000 devices.
The Department of Justice (DOJ) recently announced a court-authorized law enforcement operation that successfully took down a botnet run by state-sponsored hackers from the People’s Republic of China (PRC). This botnet, made up of over 200,000 consumer devices both in the United States and globally, had been compromised by malware developed by hackers working for Integrity Technology Group, a Beijing-based company known in the private sector as “Flax Typhoon.” The devices infected by this malware included small office/home office (SOHO) routers, internet protocol (IP) cameras, digital video recorders (DVRs), and network-attached storage (NAS) devices. The compromised devices were assembled into a botnet, which was used to conduct malicious cyber activity disguised as ordinary internet traffic. The court-authorized operation took control of the infrastructure used by these hackers and issued disabling commands to the malware on the impacted devices.
During the operation, hackers attempted to interfere with the Federal Bureau of Investigation (FBI)’s efforts through a distributed denial-of-service (DDoS) attack on the infrastructure used to carry out the court’s orders. Despite this attempt, the FBI was able to disable the botnet. Attorney General (AG) Merrick B. Garland emphasized the seriousness of the threat posed by PRC-backed hacking groups and reaffirmed the DOJ’s commitment to combating such cybercrime, stating that this operation marked the second time in 2024 that the agency had taken down a botnet used by PRC hackers to compromise consumer devices.
Deputy Attorney General Lisa Monaco highlighted the Department’s “all-tools approach” to addressing cybercrime. She explained that this botnet, managed by a Chinese government contractor, hijacked numerous private devices, allowing the PRC to exploit them. She sent a clear message to cybercriminals, declaring that they would not succeed in targeting the United States.
FBI Deputy Director Paul Abbate described the operation as a demonstration of the FBI’s commitment to protecting victims and dismantling malicious infrastructure, ensuring that cybercriminals’ tools could be turned against them. Abbate noted that the FBI’s unique legal authorities allowed it to collaborate with international partners to dismantle illegal activities.
Special Agent in Charge Stacey Moy of the FBI’s San Diego Field Office shed light on Integrity Technology Group’s role, explaining that the publicly traded company was openly selling its customers the ability to control thousands of hacked devices. The botnet, referred to as “Raptor Train” by the private sector threat intelligence group Black Lotus Labs, was first identified in July 2023. Integrity Technology Group developed an online application that allowed its customers to issue malicious cyber commands. This application, labeled “KRLab,” was a public-facing tool used by the group.
The disabling commands sent by the government were extensively tested and specifically designed to avoid disrupting legitimate device functions or collecting sensitive content. The FBI is notifying U.S. owners of affected devices through their internet service providers, who will ensure their customers are made aware of the issue.
The FBI continues to investigate the computer intrusion activities of Integrity Technology Group and Flax Typhoon, maintaining its commitment to protecting global cybersecurity from state-sponsored threats. The investigation was led by the FBI’s San Diego Field Office and Cyber Division, along with support from the U.S. Attorney’s Office for the Western District of Pennsylvania, the National Security Cyber Section of the Justice Department, and the agency’s international partners.
Sources:
FBI Shuts Down Botnet Run by Beijing-Backed Hackers That Hijacked Over 200,000 Devices