Friday, October 18, 2024

NCSC Reveals Chinese Firm Behind Malicious Mirai Botnet Operation

The UK’s National Cyber Security Centre (NCSC), alongside its partners in the Five Eyes intelligence alliance, has accused a Beijing-based company of operating as a front for the Chinese state and managing a vast botnet that encompasses over 250,000 internet-enabled devices, including approximately 8,500 located in the UK.

The affected devices comprise various enterprise network and security tools, such as routers and firewalls, in addition to Internet of Things (IoT) items like CCTV cameras and webcams. Without the knowledge of their owners, these devices are repurposed to carry out coordinated cyberattacks, including distributed denial of service (DDoS) assaults and the delivery of malware.

“Botnet operations pose a significant risk to the UK by exploiting weaknesses in everyday internet-enabled devices, enabling potential large-scale cyberattacks,” stated Paul Chichester, operations director at NCSC. “While the primary use of most botnets is for coordinated DDoS attacks, some are also capable of stealing sensitive information. For this reason, the NCSC, in collaboration with our Five Eyes partners, strongly advises organizations and individuals to follow the guidance outlined in this advisory, which includes updating their internet-connected devices to help safeguard against becoming part of a botnet.”

The company implicated, Integrity Technology Group, is headquartered in Beijing and appears to operate as a legitimate provider of network security services. However, the joint advisory reveals that the company has also aligned itself with the Chinese government; specifically, IP addresses associated with Integrity’s China Unicom operations in Beijing have been implicated in accessing infrastructure used for cyberattacks against US entities.

Authorities have noted that the FBI has contacted several victims of these attacks, uncovering actions consistent with the tactics, techniques, and procedures (TTPs) employed by a state-sponsored advanced persistent threat (APT) group tracked as Flax Typhoon, also known as RedJuliett and Ethereal Panda, among others.

The botnet utilizes the notorious Mirai malware family to compromise Linux-based devices. Integrity exploits a range of known vulnerabilities to gain access to these devices. Once the Mirai payload is delivered and executed, it starts processes on the infected device that connect to Integrity’s command-and-control (C2) infrastructure using Transport Layer Security (TLS) over port 443. It collects and transmits system data, including operating system version and memory usage, for enumeration, and also queries ‘c.speedtest.net’ for additional details about the device’s internet connection. Notably, some Mirai payloads are designed to delete their own binary after launch to evade detection.

At a higher level, Integrity manages a set of servers that communicate over TCP port 34125 to coordinate the botnet’s C2 infrastructure. These servers maintain a MySQL database of compromised devices which, as of June of this year, reportedly contained over 1.2 million records. The servers also run an application known as ‘Sparrow’ that interacts with the botnet. Its code is stored in a Git repository and includes functions that let users send task and exploitation commands to the compromised devices. ‘Sparrow’ can also provide users with information on device vulnerabilities and includes a sub-component named ‘vulnerability arsenal’ that enables exploitation of traditional networks through the infected devices.
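As an added defender-side illustration (not code from the advisory or from the article), the Python below implements two triage checks suggested by the behaviour described above: finding Linux processes whose on-disk binary has been unlinked, the footprint a self-deleting Mirai payload leaves in /proc, and flagging network appliances or IoT hosts that resolve ‘c.speedtest.net’, which such devices normally have no reason to do. The dnsmasq-style log format, the sample log lines and the list of appliance addresses are assumptions constructed for the example.

```python
"""Triage checks for two behaviours described in the advisory:
Mirai payloads that delete their own binary after launch, and the
'c.speedtest.net' lookup used to enumerate the device's connection."""
import os
import re
from typing import Iterable, List, Tuple

SPEEDTEST_HOST = "c.speedtest.net"
# Assumed list of addresses belonging to routers, firewalls and cameras
# that should never resolve a speed-test domain.
APPLIANCE_HOSTS = {"10.0.1.20", "10.0.1.21"}


def running_from_deleted_binary(exe_target: str) -> bool:
    """True when /proc/<pid>/exe points at a file unlinked after exec.
    Linux appends ' (deleted)' to the link target in that case."""
    return exe_target.endswith(" (deleted)")


def find_deleted_binary_processes(proc_root: str = "/proc") -> List[Tuple[int, str]]:
    """Walk /proc on a live Linux host; returns [(pid, exe_target), ...]."""
    hits = []
    if not os.path.isdir(proc_root):  # not Linux or procfs unavailable
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel thread, permission denied, or process exited
            continue
        if running_from_deleted_binary(target):
            hits.append((int(entry), target))
    return hits


# Assumed dnsmasq-style line: "query[A] c.speedtest.net from 10.0.1.20"
QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def flag_speedtest_lookups(lines: Iterable[str]) -> List[str]:
    """Return appliance addresses that resolved c.speedtest.net."""
    flagged = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m["name"].lower().rstrip(".") == SPEEDTEST_HOST and m["src"] in APPLIANCE_HOSTS:
            flagged.append(m["src"])
    return flagged


SAMPLE_DNS_LOG = [  # constructed sample lines, not real telemetry
    "Oct 18 10:01:02 dnsmasq[812]: query[A] c.speedtest.net from 10.0.1.20",
    "Oct 18 10:01:05 dnsmasq[812]: query[A] updates.example.org from 10.0.1.21",
    "Oct 18 10:01:09 dnsmasq[812]: query[A] c.speedtest.net from 10.0.5.7",
]

if __name__ == "__main__":
    print("appliances querying speedtest:", flag_speedtest_lookups(SAMPLE_DNS_LOG))
    print("processes from deleted binaries:", find_deleted_binary_processes())
```

A hit from either check is a lead, not proof; the speedtest lookup in particular is only meaningful from a host class that has no legitimate reason to make it.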

For further information on Integrity’s activities, including guidance on mitigation, please refer to the full advisory.