Western cybersecurity agencies have issued a new advisory warning of a large-scale botnet, managed by a China-based company with links to the Chinese government.
The botnet is understood to consist of 260,000 devices and runs Mirai malware. The compromised devices include firewalls, network-attached storage, SoHo routers and IoT devices such as webcams. The botnet could be used for distributed denial of service (DDoS) attacks, to compromise networks or for malware delivery.
According to the joint cybersecurity advisory, issued by the NSA, FBI and Cyber National Mission Force, the botnet is controlled and managed by Integrity Technology Group, based in the People’s Republic of China.
The company, the advisory says, has links to the Chinese government and uses China Unicom Beijing Province Network IP addresses to control the network.
The botnet appears to have operated since mid-2021 and – according to the FBI and partner agencies – shows “activity consistent with the tactics, techniques, and infrastructure” of the cyber-threat group Flax Typhoon. Flax Typhoon is also known as RedJuliett, and Ethereal Panda.
Victim devices have been discovered in North and South America, Europe, Africa, Southeast Asia and Australia.
The majority of the botnet devices (51.3%) were discovered in North America, with European devices accounting for 24.9% of the bots.
Investigators found at least 50 different Linux operating systems on bot devices. Although many of the devices are likely still supported by manufacturers, the agencies warned that some infected systems had ceased receiving support as long ago as 2016.
Update Devices to Prevent Botnets
The NSA is calling on device owners, operators and manufacturers to update their equipment to protect against botnet infections.
Owners should take action including regular patching, using strong passwords and disabling unused services and ports.
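The "disable unused services and ports" step is the one owners most often skip because they do not know what their device is listening on. The script below is an added example, not part of the advisory or any agency tooling: it parses the output format of the Linux `ss -tuln` command and reports listeners that are not on an operator-maintained allowlist, with a second pass for those bound to all interfaces. The sample `ss` output and the allowlist are constructed for illustration, and the hypothetical device is assumed to need only SSH, HTTPS and DNS.

```python
"""Audit listening sockets against an allowlist of expected services.

Added example (not from the advisory). Parses `ss -tuln` style output and
flags listeners an operator has not explicitly approved, so unused services
and ports can be found and disabled.
"""
import re
import sys

# Constructed sample of `ss -tuln` output from a hypothetical SoHo router.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:1900      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.1:80    0.0.0.0:*
tcp   LISTEN 0      128    [::]:443          [::]:*
"""

# Hypothetical allowlist for this device: (protocol, port) pairs the operator
# expects to be open. Anything else is a candidate for disabling.
ALLOWLIST = {("tcp", 22), ("tcp", 443), ("udp", 53)}

# Matches data rows: proto, state, recv-q, send-q, local addr:port, peer.
# The address group is non-greedy-safe because the port must be digits after
# the final ':' before whitespace, which also handles bracketed IPv6 like [::].
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")

# Wildcard bind addresses, i.e. reachable on every interface the box has.
ANY_ADDRS = {"0.0.0.0", "[::]", "*"}


def parse_listeners(ss_output):
    """Return (proto, addr, port) tuples parsed from `ss -tuln` text."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or line we do not recognise
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        listeners.append((proto, addr, port))
    return listeners


def unexpected_listeners(ss_output, allowlist=ALLOWLIST):
    """Listeners whose (proto, port) pair is not on the allowlist."""
    return [
        entry for entry in parse_listeners(ss_output)
        if (entry[0], entry[2]) not in allowlist
    ]


def wan_exposed(ss_output, allowlist=ALLOWLIST):
    """Unexpected listeners bound to all interfaces; review these first."""
    return [
        entry for entry in unexpected_listeners(ss_output, allowlist)
        if entry[1] in ANY_ADDRS
    ]


def report(ss_output, allowlist=ALLOWLIST):
    """Human-readable summary, one line per unexpected listener."""
    lines = []
    for proto, addr, port in unexpected_listeners(ss_output, allowlist):
        scope = "ALL INTERFACES" if addr in ANY_ADDRS else addr
        lines.append(f"{proto}/{port} listening on {scope} - not on allowlist")
    return "\n".join(lines) if lines else "no unexpected listeners"


if __name__ == "__main__":
    # Pipe real output in: `ss -tuln | python3 audit_listeners.py`
    # With no stdin data, fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    print(report(data))
```

On a real device the allowlist should be derived from what the device is actually meant to provide, and each flagged entry is a service to turn off or bind to a management interface only; the telnet-style port 23 and SSDP on udp/1900 in the sample are the kind of legacy listeners that typically remain enabled by default on the SoHo and IoT gear the advisory describes.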
“The botnet incorporates thousands of US devices with victims in a range of sectors,” said Dave Luber, the NSA’s cybersecurity director. “The advisory provides new and timely insight into the botnet infrastructure, the countries where compromised devices are located, and mitigations for securing devices and eliminating this threat.”
“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber-attacks,” added Paul Chichester, director of operations at the UK’s NCSC.
“That’s why the NCSC, along with our partners in Five Eyes countries, is strongly encouraging organisations and individuals to act on the guidance set out in this advisory – which includes applying updates to internet-connected devices – to help prevent their devices from joining a botnet.”
As well as the US and UK, the joint advisory was issued by security agencies in Canada, Australia and New Zealand.