China-linked campaign targeting thousands of devices

NCSC and partners issue advice to counter China-linked campaign targeting thousands of devices

Joint advisory highlights the risk of malicious cyber actors exploiting internet-connected devices and gives mitigation advice.

The UK and international allies are urging individuals and organisations to take protective action after exposing a global network of compromised internet-connected devices operated by a China-linked company and used for malicious purposes.

The National Cyber Security Centre (NCSC) – a part of GCHQ – has today (Wednesday) issued a new advisory alongside partners in the United States, Australia, Canada, and New Zealand which reveals how a company based in China with links to China’s government has managed a botnet consisting of over 260,000 compromised devices around the world.

A botnet is a network of internet-connected devices that are infected with malware and controlled by a group to conduct co-ordinated cyber attacks without the owners’ knowledge.

The compromised devices include routers, firewalls, and Internet of Things (IoT) devices – including webcams and CCTV cameras – which can then be used by the actors for a variety of malicious purposes, such as anonymous malware delivery and distributed denial of service (DDoS) attacks.

The advisory names Integrity Technology Group as responsible for controlling and managing the botnet, which has been active since mid-2021, and has been utilised by the malicious cyber actor commonly known as Flax Typhoon.

The advisory shares technical details and mitigation advice to help defend against malicious activity delivered through this botnet. It also highlights the risk to owners of how unpatched and end-of-life equipment can be exploited by malicious cyber actors.

Paul Chichester, NCSC Director of Operations, said: 

“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks.

“Whilst the majority of botnets are used to conduct co-ordinated DDoS attacks, we know that some also have the ability to steal sensitive information.

“That’s why the NCSC, along with our partners in Five Eyes countries, is strongly encouraging organisations and individuals to act on the guidance set out in this advisory – which includes applying updates to internet-connected devices – to help prevent their devices from joining a botnet.”

As with similar botnets, the botnet described in this advisory is composed of a network of devices, known as bots, which are infected with a type of malware that provides threat actors with unauthorised remote access.

To recruit a new ‘bot’, the botnet system first compromised an internet-connected device using a known vulnerability exploit which then provides access to establish a remote command and control execution.

This advisory has been co-sealed by the NCSC and agencies in the United States, Australia, Canada, and New Zealand.