09-22-2024, 09:41 PM
(This post was last modified: 09-22-2024, 09:47 PM by kyonides. Edit Reason: 2nd Article)
Quote: Authorities in the United States disrupted a group of Chinese hackers that infiltrated thousands of devices on behalf of China’s communist regime.
A group of Chinese state-sponsored hackers working for Integrity Technology Group, a company based in Beijing and known to the private sector as “Flax Typhoon,” used the infected devices to form a botnet to launch additional attacks, the Justice Department said on Sep. 18.
Malware was installed by the Chinese outfit on some 200,000 consumer devices in the United States and elsewhere. Infected utilities included cameras, video recorders, and home and office routers.
“The malware connected these thousands of infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices,” a statement released by the Justice Department read.
The FBI then engaged in a court-ordered operation to take control of the compromised devices and remotely disable the malware to prevent the hackers from further spying on and stealing data from universities, government agencies, and others.
Speaking at the Aspen Cyber Summit on Sept. 18, FBI Director Christopher Wray said that the government’s malware disabling commands were “extensively tested prior to the operation.”
“This was another successful disruption, but make no mistake—it’s just one round in a much longer fight,” Wray said.
“The Chinese government is going to continue to target your organizations and our critical infrastructure … and we’ll continue to work with our partners to identify their malicious activity, disrupt their hacking campaigns, and bring them to light,” he said.
Still, the hackers launched a counterattack on FBI devices, deploying a distributed denial-of-service (DDoS) campaign that targeted the infrastructure the FBI was using to take control of the devices.
“That attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet,” the Justice Department stated.
Acknowledgment of the operation comes nine months after Wray disclosed another campaign disrupted a Chinese botnet targeting critical infrastructure in the United States.
Wray testified at the time that the CCP’s intrusion into U.S. systems was unique for the extent to which it deliberately targeted civilian systems that would directly pose physical harm to Americans.
He said the malware removed in that operation was designed to disrupt, degrade, and destroy U.S. infrastructure, likely in coordination with direct military actions in the event of a conflict between the United States and China.
It is unclear if the Flax Typhoon malware served a similar purpose.
According to court documents, the Beijing-based Integrity Technology Group built an online application allowing its customers to log in and control infected victim devices with a menu of malicious cyber commands using a tool called “vulnerability-arsenal.”
The online application was prominently labeled “KRLab,” one of the main public brands used by Integrity Technology Group.
Attorney General Merrick Garland said in a statement that the cyber campaign was just one part of communist China’s robust efforts to undermine U.S. national security.
“The Justice Department is zeroing in on the Chinese government-backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security,” Garland said.
“We will continue to aggressively counter the threat that China’s state-sponsored hacking groups pose to the American people.”
The FBI will advise U.S. owners of devices affected by the operation through their internet service providers.
Quote: Charges against Chinese national Jia Wei were unsealed on Sept. 17, alleging unlawful access to U.S. communications company networks to steal proprietary information on behalf of Chinese entities.
Wei, a member of the Chinese Communist Party’s (CCP) People’s Liberation Army (PLA), was assigned to Unit 61786, which is tasked with obtaining communications and information via hacking, according to the Department of Justice.
In March 2017, Wei and co-conspirators allegedly hacked an American company’s network about two days after the company sued a China-based competitor for theft of trade secrets.
According to the indictment, the hackers obtained documents related to the company’s “civilian and military communication devices,” as well as “product development information, testing plans, and internal evaluations.” They also copied documents that discussed the China-based competitor.
In April 2017, the hackers allegedly tried to install malicious software on the company’s network.
The hackers continued to unlawfully access the network through May 2017, according to the indictment.
A special grand jury convened in May 2021 returned a six-count indictment in March 2022, charging Wei with wire fraud, conspiracy to commit computer intrusions, computer intrusions, and aggravated identity theft for using an employee’s account to access the company network.
Wei, also known as “chansonJW,” “JWT,” “JWT487,” “asmikace,” “asmikace3d,” “askikace3d,” and “haber william,” has not yet been arrested.
If convicted, he would face a maximum of 20 years in prison for wire fraud charges, five years in prison for conspiracy and computer intrusion charges, and two years for aggravated identity theft.
The United States has recognized CCP-backed cyber attacks as a top threat to national security. PLA hackers and other hacking rings tied to the CCP have been identified as responsible for several large-scale data breaches, such as the 2017 Equifax hack that compromised personal information, including social security numbers, for 145 million Americans, the 2021 Microsoft Exchange cyberattack that compromised some 10,000 networks, the 2023 breach of government emails, and the ongoing “Volt Typhoon” campaign where hackers have infiltrated critical American infrastructure and are biding their time, according to FBI Director Christopher Wray.
The DOJ announced the unsealing of the indictment the same day it issued a major update of criminal charges in five separate cases resulting from the multiagency Disruptive Technology Strike Force.
The defendants include a Russian national who tried to illegally export drones to Russia and an employee of a Chinese regime-run aerospace conglomerate who allegedly tried to obtain software and source code from NASA, U.S. military branches, and the Federal Aviation Administration from 2017 to 2021.
Song Wu, a Chinese national, was indicted for running a large phishing campaign wherein he impersonated U.S.-based researchers and engineers to obtain aerospace engineering trade secrets. According to the DOJ, the technologies have industrial and military applications and could be used in the development of missiles and weapons.
Song was charged with 14 counts of wire fraud, which carries a maximum of 20 years in prison for each count, and 14 counts of aggravated identity theft, which carries a mandatory consecutive two-year term penalty.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
My Original Stories (available in English and Spanish)
List of Compiled Binary Executables I have published...
HiddenChest & Roole
Give me a free copy of your completed game if you include at least 3 of my scripts!
Just some scripts I've already published on the board...
KyoGemBoost XP VX & ACE, RandomEnkounters XP, KSkillShop XP, Kolloseum States XP, KEvents XP, KScenario XP & Gosu, KyoPrizeShop XP Mangostan, Kuests XP, KyoDiscounts XP VX, ACE & MV, KChest XP VX & ACE 2016, KTelePort XP, KSkillMax XP & VX & ACE, Gem Roulette XP VX & VX Ace, KRespawnPoint XP, VX & VX Ace, GiveAway XP VX & ACE, Klearance XP VX & ACE, KUnits XP VX, ACE & Gosu 2017, KLevel XP, KRumors XP & ACE, KMonsterPals XP VX & ACE, KStatsRefill XP VX & ACE, KLotto XP VX & ACE, KItemDesc XP & VX, KPocket XP & VX, OpenChest XP VX & ACE