Law enforcement op disrupts global botnet linked to Chinese state-sponsored hackers

A court-authorized law enforcement operation has disrupted a massive botnet comprising over 200,000 infected network devices across the United States and beyond. The botnet was controlled by state-sponsored hackers from the People’s Republic of China (PRC), tracked by threat intelligence teams as “Flax Typhoon.” The group is operating through the Beijing-based company Integrity Technology Group, according to the US Department of Justice.

Flax Typhoon, which has been active since 2021, has reportedly targeted government agencies, critical infrastructure, educational institutions, and information technology firms, focusing primarily on Taiwan but also extending its activities to US corporations, telecommunications providers, universities, and media outlets.

Recently unsealed court documents revealed that the botnet included small-office/home-office (SOHO) routers, internet protocol (IP) cameras, digital video recorders (DVRs), and network-attached storage (NAS) devices infected with a variant of the Mirai malware family. The malware allowed the hackers to blend their traffic with legitimate internet usage, making detection difficult.

The FBI’s operation, authorized by the court, took control of the hackers' command-and-control infrastructure. As part of the effort, the FBI transmitted commands that disabled the malware operating on infected devices, breaking the botnet’s network. During the operation, cybercriminals attempted to disrupt the FBI’s actions by launching a distributed denial-of-service (DDoS) attack against the agency’s infrastructure. However, these attempts failed, the FBI said.

The agency, along with the National Security Agency, US Cyber Command’s Cyber National Mission Force, and partner agencies in Australia, Canada, New Zealand and the UK, released a security advisory detailing the botnet’s inner workings, as well as providing mitigations to prevent malware infections in the future.

The investigation revealed that Integrity Technology Group was a central figure in Chinese cyber espionage. Through an online platform branded “KRLab,” Integrity Technology Group offered its users a suite of malicious tools, referred to as a “vulnerability-arsenal,” enabling them to exploit infected devices and execute cyberattacks. These tools were integrated into an accessible online application, allowing hackers to remotely control the botnet and carry out sophisticated cyber operations.

The law enforcement operation neutralized the botnet without compromising the legitimate functionality of infected devices, and no personal data was accessed during the process, the authorities said.
