
National Cyber Security Centre (NCSC) issues cyber threat advisory

The UK and international allies are urging individuals and organisations to take protective action after exposing a global network of compromised internet-connected devices operated by a China-linked company and used for malicious purposes.

The National Cyber Security Centre (NCSC) – a part of GCHQ – has issued a new advisory alongside partners in the United States, Australia, Canada, and New Zealand which reveals how a company based in China with links to China's government has managed a botnet consisting of over 260,000 compromised devices around the world.

A botnet is a network of internet-connected devices that are infected with malware and controlled by a group to conduct co-ordinated cyber attacks without the owners' knowledge.

The compromised devices include routers, firewalls, and Internet of Things (IoT) devices – including webcams and CCTV cameras – which can then be used by the actors for a variety of malicious purposes, such as anonymous malware delivery and distributed denial of service (DDoS) attacks.

The advisory names Integrity Technology Group as responsible for controlling and managing the botnet, which has been active since mid-2021, and has been utilised by the malicious cyber actor commonly known as Flax Typhoon.

The advisory shares technical details and mitigation advice to help defend against malicious activity delivered through this botnet. It also highlights the risk to owners from unpatched and end-of-life equipment, which can be exploited by malicious cyber actors.

Paul Chichester, NCSC Director of Operations, said:

"Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks.

Whilst the majority of botnets are used to conduct co-ordinated DDoS attacks, we know that some also have the ability to steal sensitive information.

That's why the NCSC, along with our partners in Five Eyes countries, is strongly encouraging organisations and individuals to act on the guidance set out in this advisory – which includes applying updates to internet-connected devices – to help prevent their devices from joining a botnet."

As with similar botnets, the botnet described in this advisory is composed of a network of devices, known as bots, which are infected with a type of malware that provides threat actors with unauthorised remote access.

To recruit a new 'bot', the botnet system first compromises an internet-connected device using an exploit for a known vulnerability, which then provides the access needed to establish remote command and control.

Read the full advi­so­ry and mit­i­ga­tion advice here:

https://www.ncsc.gov.uk/news/ncsc-and-partners-issue-advice-to-counter-china-linked-campaign-targeting-thousands-of-devices