Chinese hackers build massive IoT botnet, feds warn

A trio of U.S. government agencies are banding together in an effort to dismantle a Chinese government-backed botnet.

The FBI, National Security Agency (NSA), and Cyber National Mission Force (CNMF) joined forces to warn the public of a looming threat posed by a massive botnet of hundreds of thousands of compromised routers and Internet of Things (IoT) devices.

Known as Integrity Technology Group (Integrity Tech), the alleged hackers are said to be working with the backing of the People's Republic of China (PRC). The compromised devices are said to be a mixture of consumer and small business routers, as well as IoT devices.

“The botnet has regularly maintained between tens [of thousands] to hundreds of thousands of compromised devices. As of June 2024, the botnet consisted of over 260,000 devices,” the advisory reads.

“Victim devices which are part of the botnet have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia.”

According to the agencies, the aim of the Integrity Tech operation is to construct a platform for distributed denial of service (DDoS) attacks. The ultimate goal, however, could be more sinister.

DDoS attacks are commonly used as a front for network intrusion attacks. The attacker launches a DDoS attack to distract administrators and, while defenders are busy handling it, carries out the network intrusion.

According to the agencies, the attackers did little to hide their tracks. The botnet activity was traced back to the same Beijing addresses associated with previous PRC-linked hacking operations.

“In addition to managing the botnet, these same China Unicom Beijing Province Network IP addresses were used to access other operational infrastructure employed in computer intrusion activities against U.S. victims,” the agencies said.

“FBI has engaged with multiple U.S. victims of these computer intrusions and found activity consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda.”

The malware itself is said to be a variant of the Mirai family. Because the malware resides in device memory, in some cases it can be removed by a simple restart. In other cases, users and administrators can remove it by installing firmware updates.

As such, the agencies advised users and administrators to make sure their hardware is up to date and falls under the vendor’s support plan.

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
