The FBI recently dismantled a massive Chinese state-sponsored cyberattack in a joint operation. The hacker group, known as Flax Typhoon, used a botnet to attack thousands of devices and gain access to US and overseas data. The ultimate goal of the attack was to create disruption and steal sensitive data. The botnet primarily targeted devices such as digital video recorders, IoT gadgets, and routers, making it a highly sophisticated network dedicated to carrying out malicious cyberattacks.
The working method of this threat group differed slightly from that of its counterpart, Volt Typhoon. The latter targeted only routers, whereas Flax Typhoon targets a wide variety of IoT devices. This makes it more difficult for cybersecurity experts to detect and disrupt the botnet.
The FBI worked closely with international partners and launched a court-authorized operation whose primary goal was to take complete control of the botnet. The next obvious goal was to remove the malware from all of the affected devices.
The hacker group, Flax Typhoon, launched a Distributed Denial of Service (DDoS) attack in an attempt to stop the FBI's actions. However, the FBI and partner agencies were able to mitigate it.
FBI Director Chris Wray believes that the battle is a long one and will continue for some time. He considers the FBI's win merely the first round. The major challenge that US cybersecurity teams faced was that the botnet was not being operated by the Chinese government itself. Rather, the botnet was under the control of entities such as the Integrity Technology Group, an enterprise that describes itself as a private information security company.
However, the company has also taken on the responsibility of conducting reconnaissance and gathering intelligence for Chinese government agencies. The malware operated by Integrity Technology Group has affected over 260,000 devices around the world. The majority of the victims are concentrated in Southeast Asia, Australia, and the US. Flax Typhoon has attacked the manufacturing and IT sectors in Taiwan so far. It has also targeted government organizations, foreign universities, media organizations, and corporations in the US.
US Government's preparations against Chinese state-sponsored attacks
In order to combat Chinese state-sponsored cyber intrusions, the Biden administration has been aiming to increase the costs and risks for Chinese hackers. Anne Neuberger, the Deputy National Security Adviser for Cyber and Emerging Technologies, believes that there is a dire need for stronger digital defenses.
This is all the more true for both critical infrastructure networks and government entities. The key idea is to make it more expensive and harder for Chinese threat actors to sustain their cyber espionage activities. One of the key strategies here involves building deterrence capabilities and preventing nation-state actors from using offensive cyber tools.
Lumen's threat intelligence arm, Black Lotus Labs, has been researching the botnet for a long time. They call it Raptor Train and have found that the Chinese botnet has been active for the past 4 years or so. In those 4 years, Raptor Train has targeted the telecommunications, military, government, and defense sectors across Taiwan and the US.
The Black Lotus Labs team also noticed that in late 2023, extensive scanning of US military assets was carried out. This hints at potential sabotage or espionage efforts. The research team also mentioned 'sparrow,' the custom tool used by the Chinese botnet to exploit vulnerabilities.
Black Lotus Labs has not yet observed any DDoS attack originating from the Chinese botnet. However, they strongly suspect that the Chinese threat groups plan to leverage this capability in future attacks. This has raised concern about potential attacks on US infrastructure. Another cause for concern is that the botnet is still active despite the FBI's operation.
According to the NSA and other international security agencies, of the 260,000 affected devices, 126,000 are located in the US itself. Some of these devices were old, unsupported, and out of date. However, the majority of the devices were still within their vendor support lifecycle. This further increases concern about the ongoing susceptibility of critical infrastructure to Chinese state-sponsored cyberattacks.
Any user who believes their device has been compromised is asked to contact an FBI field office directly. Alternatively, they can report it online to CISA, or report the compromised device to the FBI's Internet Crime Complaint Center (IC3).
For years, the US has been suspicious of China's involvement in cyberattacks on crucial US infrastructure. The US government believes that China's ulterior motive behind these attacks is to create conflicts, especially in the Taiwan region. Experts also view these cyberattacks as a means of creating footholds that could be exploited further during a military confrontation.
China, on the other hand, has always denied these accusations, calling them a US-led disinformation campaign allegedly aimed at maligning China on the global stage. Nevertheless, cybersecurity agencies and US intelligence have been working together to disrupt Chinese state-sponsored cyberattacks. This finally resulted in the FBI's success against the threat groups Volt Typhoon and Flax Typhoon.
The battle isn’t over yet!
Experts believe that the FBI's success is a momentary win. They believe that state-sponsored attacks, especially those designed by China, are not going to die down any time soon, and that the US government and its agencies must remain vigilant.
This joint operation is a clear signal to China and other state-sponsored hacking groups that the US is ready to aggressively defend its infrastructure and networks, and that the US government is prepared to disrupt malicious cyberattacks of every kind.
The battle against Chinese cyberattacks is expected to be a prolonged one. However, victories like this one certainly boost the confidence of national security agencies. Each success, including efforts in phishing protection, deals a significant blow to the malicious intentions of threat groups.