U.S. and allies seize control of massive Chinese tech spying network
The United States and allied countries said Wednesday they had taken control of a network of 260,000 internet-connected cameras, routers and other devices that the Chinese government had been using to spy on sensitive organizations.
The operation, which occurred last week, took aim at a botnet known as Flax Typhoon, which U.S. officials said was run by a government contractor in Beijing, a publicly traded company called Integrity Technology Group. The FBI won a court order to send the infected devices commands that detached them from the network.
U.S. authorities said the cyberspies used the devices as steppingstones to hide their tracks when they breached government and industry institutions in America, Taiwan and elsewhere. The authorities cited the same intention after a previous seizure in December and January.
“This was another successful disruption, but make no mistake, it’s just one round in a much longer fight,” FBI Director Christopher A. Wray said Wednesday at the Aspen Cyber Summit in Washington. “The Chinese government is going to continue to target your organizations and our critical infrastructure either by their own hand or concealed through their proxies.”
The botnet targeted critical infrastructure — from corporations and media organizations to universities and government agencies — in the United States and in other countries with the aim of filching confidential data, Wray said. The actions caused “real harm” to victims seeking to remove the malware, he said.
For one organization in California, for instance, he said, it was an “all-hands-on-deck” incident requiring IT staff to work long hours to replace the hardware, “which took swaths of the organization offline and caused a significant financial loss.”
Wray also confirmed that Volt Typhoon had breached U.S. telecom companies, as The Washington Post reported last month.
A joint advisory from intelligence agencies in the United States, Canada, the United Kingdom, Australia and New Zealand said nearly half of the infected devices were located in the United States, followed by Vietnam and Germany. It said some of them had been without manufacturer support for years, while others were still being supported.
The earlier takedown struck at a hacker group affiliated with the Chinese People’s Liberation Army known as Volt Typhoon. That group used a compromised network of office routers to gain access to power and water utilities as well as communications and transportation systems and preserve the ability for disruptive and destructive attacks, the FBI said.
Flax Typhoon, in contrast, was interested more in traditional espionage and information theft. Microsoft previously wrote that the hackers in the group went after telecommunications targets and concentrated on Taiwan.
Lumen Technologies said in a report Wednesday that it had seen Flax Typhoon go after targets in the military, government, higher education, telecommunications, defense industrial base and information technology. Lumen said it was controlled in a sophisticated manner and was one of the largest Chinese state-sponsored networks of its kind, composed primary of routers.
The Chinese embassy disputed the Justice Department’s account. “Without valid evidence, the U.S. jumped to an unwarranted conclusion and made groundless accusations against China,” spokesman Liu Pengyu said in an email. “It is extremely irresponsible and is a complete distortion of facts.”
Integrity Technology Group could not be reached for comment.
The seizure follows increased statements of concern about the security of the “internet of things,” such as routers and surveillance cameras. Industry experts have been pressing for accountability by manufacturers, especially for older devices that keep functioning after updates and other support have been cut off.