A joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA) has revealed that hackers linked to the People’s Republic of China (PRC) have compromised thousands of Internet-connected devices.
That includes small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and Internet of Things (IoT) devices, to create a massive botnet.
The advisory, released on September 18, 2024, highlights the threat posed by these actors and their botnet activity, urging exposed device vendors, owners, and operators to update and secure their devices to prevent further compromise.
The botnet, managed by a PRC-based company named Integrity Technology Group, has been active since mid-2021 and has consistently maintained tens to hundreds of thousands of compromised devices.
As of June 2024, the botnet consisted of over 260,000 devices, with victim devices identified in North America, South America, Europe, Africa, Southeast Asia, and Australia.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
Botnet Devices by Country
| Country | Node Count | Percentage |
|---|---|---|
| United States | 126,000 | 47.9% |
| Vietnam | 21,100 | 8.0% |
| Germany | 18,900 | 7.2% |
| Romania | 9,600 | 3.7% |
| Hong Kong | 9,400 | 3.6% |
| Canada | 9,200 | 3.5% |
| South Africa | 9,000 | 3.4% |
| United Kingdom | 8,500 | 3.2% |
| India | 5,800 | 2.2% |
| France | 5,600 | 2.1% |
| Bangladesh | 4,100 | 1.6% |
| Italy | 4,000 | 1.5% |
| Lithuania | 3,300 | 1.3% |
| Albania | 2,800 | 1.1% |
| Netherlands | 2,700 | 1.0% |
| China | 2,600 | 1.0% |
| Australia | 2,400 | 0.9% |
| Poland | 2,100 | 0.8% |
| Spain | 2,000 | 0.8% |
The hackers used various known vulnerability exploits to compromise devices, including those from vendors such as Zyxel, Fortinet, and QNAP, among others.
The compromised devices were then infected with a customized version of the Mirai malware, which allows threat actors to control the devices remotely and use them for malicious activities such as distributed denial of service (DDoS) attacks and routing nefarious Internet traffic.
The botnet’s command and control (C2) servers were managed using a tier of upstream management servers, which hosted a MySQL database containing information on compromised devices.
The actors used specific IP addresses registered to China Unicom Beijing Province Network to access the botnet management application, known as “Sparrow,” which allowed them to interact with the botnet and issue commands to victim devices.
The advisory provides detailed information on the botnet’s infrastructure, including a list of subdomains associated with the C2 servers and the vulnerabilities exploited to add devices to the botnet.
It also offers recommended mitigations for network defenders to protect against the PRC-linked cyber actors’ botnet activity, including disabling unused services and ports, implementing network segmentation, monitoring for high network traffic volume, applying patches and updates, and replacing default passwords with strong passwords.
The growing threat of state-sponsored cyberattacks and the importance of robust cybersecurity measures to protect against such threats.
Device owners and operators are urged to take immediate action to secure their devices and prevent further compromise.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial