A botnet operated by the Chinese state-sponsored threat actor known as Flax Typhoon has been disrupted by the law enforcement agency and abandoned by the group, FBI Director Chris Wray confirmed on Wednesday.
“We executed court-authorized operations to take control of the botnet’s infrastructure. When the bad guys realized what was happening, they tried to migrate their bots to new servers and even conducted a distributed denial-of-service attack against us,” he told the audience at the 2024 Aspen Cyber Summit.
“Working with our partners, we were able to not only mitigate their attack, but also identify their new infrastructure in a matter of hours. At that point, as we began pivoting to their new servers, we think the bad guys realized that it was the FBI and our partners that they were up against. And, with that realization, they burned down their new infrastructure and abandoned their botnet.”
Wray also said that the Integrity Technology Group – a company based in the People’s Republic of China (PRC) with links to the government – is responsible for controlling and managing the botnet. “Their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies,” he noted.
About Flax Typhoon’s botnet
A joint advisory authored by the FBI and partner agencies from Five Eyes countries released today says the botnet has been active since mid-2021. Lumen’s Black Lotus Labs researchers, who also published a report about the botnet on Wednesday, say that its inception goes back even further, to May 2020.
Dubbed “Raptor Train” by Black Lotus Labs, the botnet is powered by a Mirai malware variant (“Nosedive”) that can be implanted on a variety of networking (modems, routers) and IoT devices (IP cameras, digital video recorders, network-attached storage) by exploiting a long list of known vulnerabilities.
Similarly to the Qakbot botnet, the Raptor Train botnet had a multi-tier network architecture.
The network architecture and tiering structure of Flax Typhoon’s botnet (Source: Black Lotus Labs)
The compromised devices – Tier 1 nodes – are compromised and directed from Tier 2 command and control virtuals servers, which in their turn are managed from Tier 3 servers.
“The actors used specific IP addresses registered to China Unicom Beijing Province Network to access this application, including the same IP addresses previously used by Flax Typhoon to access the systems used in computer intrusion activities against U.S.-based victims,” says the FBI.
The Bureau claims that, as of June 2024, the botnet consisted of over 260,000 devices located accross the world, but predominantly in the US. Black Lotus Labs researchers say that “the number of active Tier 1 nodes [i.e., infected devices] is constantly fluctuating,” and that tens of thousands of actively compromised devices check into Tier 2 C2 servers at any given time.
“The average lifespan of an active Tier 1 node (compromised device) is approximately 17 days and most of the Nosedive implants do not have a method of persistence, which is a sign the operators are not concerned with the regular rotation of compromised devices. The massive scale of vulnerable devices on the internet allows the actors to forgo persistence mechanisms and regularly exploit new devices to meet operational needs,” they explained.
After taking control of the botnet’s computer infrastructure, the authorities sent disabling commands to the malware on the infected devices,” the US Department of Justice stated.
“The government’s malware disabling commands, which interacted with the malware’s native functionality, were extensively tested prior to the operation. As expected, the operation did not affect the legitimate functions of, or collect content information from, the infected devices. The FBI is providing notice to U.S. owners of devices that were affected by this court-authorized operation. The FBI is contacting those victims through their internet service provider, who will provide notice to their customers.”
Prevent your devices from being roped into botnets
Flax Typhoon is known for targeting organizations in Taiwan for (likely) espionage purposes.
“Black Lotus Labs has discovered activity from this network targeting U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors. In addition, possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances have sprung from nodes associated with this botnet,” the researchers shared.
“While Black Lotus Labs has yet to see any DDoS attacks originating from Raptor Train, we suspect this is an ability the China-based operators preserve for future use.”
Director Wray pointed out that, while the disruption of this botnet was successful, the action was just one round in a much longer fight.
“The Chinese government is going to continue to target your organizations and our critical infrastructure—either by their own hand or concealed through their proxies. And we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light,” he added.
It’s expected that this and others threat groups will continue building new and grow old botnets, so network defenders are advised to replace end-of-life equipment, regularly apply patches and updates, replace default passwords with strong passwords, disable unused services and ports, implement network segmentation, and plan for device reboots to prevent devices getting roped into botnets.
Most of these recommendations should also be taken to hart by consumers, as well. Regularly rebooting IoT and networking devices is, for example, an easy way to remove fileless malware from their memory (though it may disrupt legitimate activity).