2024-09-26

FBI Successfully Disrupts Flax Typhoon Botnet, Protecting Thousands of IoT Devices

Level: Strategic  |  Source: FBI  |  Global


A recent operation by the FBI's Cyber Action Team against the botnet run by the Chinese state-sponsored group known as Flax Typhoon, which is associated with the Integrity Technology Group, marks a significant disruption in the defense against state-directed cyber activity. As FBI Director Christopher Wray described at the 2024 Aspen Cyber Summit, the agency has disrupted Flax Typhoon's operations, which had compromised a large number of Internet of Things (IoT) devices across many sectors. Operating under the guise of a security company, the group has collected intelligence and performed reconnaissance for Chinese government security agencies, posing a significant threat to both U.S. and global cybersecurity. "Known as Flax Typhoon, they represent themselves as an information security company—the Integrity Technology Group. But their chairman has publicly admitted that for years his company has collected intelligence and performed reconnaissance for Chinese government security agencies," said Wray.

Flax Typhoon built its botnet from compromised IoT devices, including cameras, video recorders, and storage devices, and used it to compromise further systems and exfiltrate data. Roughly half of the hijacked devices were located in the U.S., showing the domestic reach of this foreign threat. In a court-authorized operation, the FBI took control of the botnet's infrastructure, severing the operators' connection to the compromised devices and thwarting a retaliatory DDoS attack the threat actors launched in response. Flax Typhoon is not the only Chinese state-sponsored group of concern: Volt Typhoon, whose objectives center on critical infrastructure, is another. In December 2023, a similar disruption effort dismantled a Volt Typhoon botnet of hundreds of small office/home office (SOHO) routers within the United States.

Director Wray's remarks highlight the broader implications of such threats: "Cybercriminals and nation-state hackers, alike, have demonstrated they’re not only willing but increasingly able to hit the services people really cannot live without: things like hospitals and schools, utility companies, and transportation providers." Adding to the urgency, Wray warned that "Between 2021 and 2024, 15 of our country’s 16 critical infrastructure sectors—sectors like telecommunications, energy, emergency services—fell victim to ransomware, and that’s just ransomware."
