The US Treasury Department’s Office of Foreign Assets Control (OFAC) has issued sanctions against a Beijing-based cybersecurity company for its role in an attack by the Chinese cyberespionage group known as Flax Typhoon.
The company, called Integrity Technology Group (Integrity Tech), is accused of providing the computer infrastructure that Flax Typhoon used in its operations between the summer of 2022 and the fall of 2023.
Moreover, according to a joint advisory from the FBI, the NSA and intelligence agencies from Canada, Australia and the UK, the company also maintained command and control infrastructure for a botnet that included more than 260,000 IoT devices.
“Integrity Technology Group (Integrity Tech) is a PRC-based company with links to the PRC government,” the organizations said in their advisory at the time. “Integrity Tech used the IP addresses of the China Unicom Beijing Province Network to control and manage the botnet described in this advisory. In addition to running the botnet, these same IP addresses on the China Unicom Beijing Province Network were used to access other operating infrastructures used in intrusion operations on US victims’ computers.”
This malicious activity, which includes compromising American organizations in the critical infrastructure sector, is attributed to Flax Typhoon, a Chinese state-sponsored cyberespionage group active since 2021 and also known as RedJuliett and Ethereal Panda.
OFAC’s sanctions block all Integrity Tech assets located in the US or controlled by US persons. Assets of businesses in which Integrity Tech holds more than 50% ownership are also blocked, and all individuals and organizations are prohibited from engaging in commercial or financial activities with them or with the Chinese company.
Flax Typhoon global IoT botnet
The Flax Typhoon botnet dates back to at least 2021 and is based on Mirai, a family of malware for Linux-based IoT devices whose code is publicly available. Prior to 2016, Mirai was the largest and most powerful IoT botnet, responsible for the largest DDoS attacks recorded up to that point. After it was abandoned by its creator and its code was published online, many threat groups built their own botnet variants on top of it.
The Flax Typhoon botnet uses known exploits to compromise routers, firewalls, IP cameras, digital video recorders, network-attached storage devices and other Linux-based systems. As of June, the botnet had more than 260,000 active nodes, but the database on its command and control servers listed more than 1.2 million vulnerable devices, active and inactive, 385,000 of which were located in the US.
“Administrative servers host an application known as Sparrow that allows users to interact with the botnet,” the intelligence agencies said in their September advisory. “The actors used certain IP addresses registered on the China Unicom Beijing Province Network to access this application, including the same IP addresses previously used by Flax Typhoon to access systems used in computer intrusion operations against US-based victims.”
The Flax Typhoon botnet can be used to launch DDoS attacks, a capability inherited from Mirai, but nodes can also be instructed to exploit other devices on the same networks using a set of exploits. Analysts have uncovered only a small part of this so-called “vulnerability arsenal” that could be used for such lateral movement operations.
Flax Typhoon has compromised computer networks in North America, Europe, Africa and Asia, but the group is particularly focused on Taiwan, which is central to China’s national interests. Once they gain access to a network of interest, the group’s members often deploy legitimate remote access tools to maintain persistent control.
Earlier this week, the Treasury Department revealed that a Chinese government-backed APT group had gained access to a number of its systems and obtained unclassified documents. The access resulted from a compromised key used for secure remote access through a third-party service from BeyondTrust. The APT group responsible has not been publicly identified.