Global cyber intelligence agencies have identified a botnet consisting of over 260,000 compromised devices around the world.

The UK’s NCSC, along with agencies in the USA, Australia, Canada and New Zealand, revealed a company based in China with links to China’s government managed a botnet that compromised thousands of internet-connected devices.

These included small office and home office routers, firewalls, network-attached storage and Internet of Things devices.

Responsible Company

The advisory names Integrity Technology Group as responsible for controlling and managing the botnet, which has been active since mid-2021, and has been utilised by the malicious cyber actor commonly known as Flax Typhoon.

According to a statement from the FBI, NSA and Cyber National Mission Force (CNMF), the botnet operators may have used the botnet as a proxy to conceal their identities while deploying DDoS attacks or compromising targeted US networks.

Paul Chichester, NCSC director of operations, said: “Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber-attacks.

“Whilst the majority of botnets are used to conduct coordinated DDoS attacks, we know that some also have the ability to steal sensitive information.”

Apply Updates

The agencies encouraged organisations and individuals to act on its guidance – which includes applying updates to internet-connected devices – to help prevent their devices from joining a botnet.

Commenting, Eric Knapp, CTO of OT at OPSWAT, said this advisory highlights a clear supply chain risk: specifically how compromised hardware, often sourced from particular countries of origin, can be leveraged for nation-state cyber-espionage activities. 

“This is an example of how vulnerabilities in the supply chain can lead to widespread malicious activity such as DDoS attacks and anonymous malware delivery,” he said.

“Organisations must not only discover all assets connected to their network, but also deeply understand them. For example, does that PC have a network interface card from a potentially hostile nation? Asset owners need this level of visibility to defend against threats.

“With the increasing prevalence of nation-state cyber-attacks, conducting thorough asset inventories and monitoring the origins of both hardware and software are critical steps. Also addressing risks associated with unpatched or end-of-life equipment, particularly from the supply chain, is essential for securing systems.”

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.