The US Department of Treasury’s Office of Foreign Assets Control (OFAC) has issued sanctions against a Beijing cybersecurity company for its role in attacks attributed to a Chinese cyberespionage group known as Flax Typhoon.
The company, called Integrity Technology Group (Integrity Tech), is accused of providing the computer infrastructure that Flax Typhoon used in its operations between the summer of 2022 and fall 2023.
Moreover, according to a joint advisory from the FBI, the NSA and intelligence agencies from Canada, Australia and the UK, the company also maintained the command-and-control infrastructure for a botnet consisting of more than 260,000 compromised IoT devices.
“Integrity Technology Group (Integrity Tech) is a company based in the PRC with links to the PRC government,” the agencies said in their advisory at the time. “Integrity Tech has used China Unicom Beijing Province Network IP addresses to control and manage the botnet described in this advisory. In addition to managing the botnet, these same China Unicom Beijing Province Network IP addresses were used to access other operational infrastructure employed in computer intrusion activities against US victims.”
The malicious activity, which included compromising US organizations in the critical infrastructure sector, was attributed to Flax Typhoon, a Chinese state-sponsored cyberespionage group active since 2021 and also known as RedJuliett and Ethereal Panda.
OFAC’s sanctions block all of Integrity Tech’s assets that are in the US or under the control of US persons. The assets of entities in which Integrity Tech holds more than 50% ownership are also blocked, and all individuals and organizations are prohibited from engaging in commercial or financial transactions with those entities or with the Chinese company itself.
Flax Typhoon global IoT botnet
Flax Typhoon’s botnet dates to at least 2021 and is based on Mirai, a family of malware for Linux-based IoT devices whose source code is publicly available. Before 2016, Mirai was one of the biggest and most potent IoT botnets, responsible for some of the largest DDoS attacks ever recorded. After its creator abandoned it and its code was published online, many threat groups built their own botnet variants on top of it.
Flax Typhoon’s botnet uses known exploits to compromise routers, firewalls, IP cameras, digital video recorders, network-attached storage devices and other Linux-based servers. As of June, the botnet had over 260,000 active nodes, but the database on its command-and-control servers listed over 1.2 million compromised devices, both active and inactive, 385,000 of which were based in the US.
“The management servers hosted an application known as Sparrow which allows users to interact with the botnet,” the intelligence agencies said in their September advisory. “The actors used specific IP addresses registered to China Unicom Beijing Province Network to access this application, including the same IP addresses previously used by Flax Typhoon to access the systems used in computer intrusion activities against US-based victims.”
Flax Typhoon’s botnet can be used to launch DDoS attacks, a capability inherent to Mirai, but its nodes can also be directed to exploit other, conventional devices on the same networks using a collection of exploits. Analysts found a subcomponent called the “vulnerability arsenal” that could be used for such lateral-movement activity.
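From the defender's side, the behaviour described above (a compromised camera, DVR or NAS turning on its neighbours) shows up in network flow data as an IoT-class host that suddenly talks to many internal peers on many service ports, where normally it speaks to one recorder or cloud endpoint. The following Python script is an added example, not code from the advisory or the article: the flow records, the IoT subnet label and the alert thresholds are all constructed assumptions for illustration.

```python
"""Flag IoT-class hosts that fan out to many internal peers.

Added example (not from the joint advisory). Flow records, subnet
labels and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumption: this range holds cameras, DVRs, NAS boxes and similar gear.
IOT_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: the whole internal address space of the organisation.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_iot(ip: str) -> bool:
    """True if the address falls in one of the labelled IoT subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOT_SUBNETS)


def fanout_alerts(flows, min_hosts=5, min_ports=3):
    """Return {src: (distinct_internal_hosts, distinct_ports)} for IoT sources
    that contact at least min_hosts internal hosts on at least min_ports ports.

    A camera normally streams to one recorder on one or two ports; a wide
    host-and-port spread is the lateral-movement pattern worth a look.
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for f in flows:
        if not is_iot(f.src):
            continue  # only the IoT population is in scope for this rule
        if ipaddress.ip_address(f.dst) not in INTERNAL:
            continue  # outbound-to-internet traffic is a different rule
        hosts[f.src].add(f.dst)
        ports[f.src].add(f.dport)
    return {
        s: (len(hosts[s]), len(ports[s]))
        for s in hosts
        if len(hosts[s]) >= min_hosts and len(ports[s]) >= min_ports
    }


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    # Benign: a camera streaming RTSP to its recorder, over and over.
    *[Flow("10.20.0.11", "10.30.0.5", 554) for _ in range(20)],
    # Suspicious: a camera sweeping eight internal hosts on four service ports.
    *[Flow("10.20.0.42", f"10.40.0.{i}", p)
      for i in range(1, 9) for p in (22, 23, 80, 443)],
    # A workstation doing a sweep: not IoT, so ignored by this particular rule.
    *[Flow("10.50.0.7", f"10.40.0.{i}", 445) for i in range(1, 30)],
]


if __name__ == "__main__":
    for src, (n_hosts, n_ports) in fanout_alerts(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {n_hosts} internal hosts, {n_ports} ports")
```

Run stand-alone, the script reports only the sweeping camera. The thresholds are deliberately conservative; in practice they would be tuned per device class, and the IoT subnet list would come from an asset inventory rather than a hard-coded constant.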
Flax Typhoon has compromised computer networks in North America, Europe, Africa, and Asia, but the group has a particular focus on Taiwan, which is at the center of China’s geopolitical interests. Once they gain access to a network of interest, the group’s hackers often deploy legitimate remote access programs to maintain persistent control.
Earlier this week, the Treasury Department revealed that a state-sponsored Chinese APT group gained access to a number of its workstations and accessed unclassified documents. The access was the result of a compromised key used for secure remote access through a third-party service from BeyondTrust. The APT group responsible has not yet been publicly identified.