FBI boss says China 'burned down' 260,000-device botnet when confronted by Feds

Plus: Wray tells how bureau helps certain victims negotiate with ransomware crooks
China-backed spies are said to have torn down their own 260,000-device botnet after the FBI and its international partners went after them.

The botnet was controlled by the somewhat misnamed Integrity Technology Group, a Chinese business whose chairman has admitted that for years his company has "collected intelligence and performed reconnaissance for Chinese government security agencies," FBI Director Christopher Wray said at the Aspen Digital computer security conference on Wednesday. The internet-connected bots consisted of PCs, servers, and Internet-of-Things gadgets infected with remote-control malware, more than half of them in the US.

A Beijing-run crew called Flax Typhoon had been building the Mirai-based botnet since 2021 and was accused of spying on Taiwanese networks by Microsoft in 2023, although that claim is disputed.

Wray said Flax was lately taking aim at US critical infrastructure, government, and academics. The FBI's Cyber National Mission Force (CNMF) was called in, along with the NSA.

It was "all hands on deck," Wray recounted, and his agents took control over the botnet's command and control servers - after getting court authorization to do so. The Chinese team launched a DDoS strike against the Americans to disrupt them, and then tried to switch to backup control systems for the botnet, but were thwarted again. Then China gave up.

"We think the bad guys finally realized it was the FBI and our partners that they were up against, and with that realization, they essentially burned down their new infrastructure and abandoned their botnet," said Wray.

According to an advisory [PDF] issued to coincide with Wray's speech, the Flax Typhoon crew kept a SQL database holding 1.2 million records on compromised and hijacked devices that they had either previously used or were currently using for the botnet.

Additionally, the botnet used customized Mirai malware to exploit known vulnerabilities in internet-connected devices and commandeer them, installing a payload that communicated with command-and-control servers over TLS on port 443. Investigators found over 80 subdomains of w8510.com linked to the command-and-control servers as of this month, per the advisory.
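As an added defender-side example, not code from the article or the advisory, the script below scans constructed DNS resolver log lines for lookups of subdomains of w8510.com (the domain named above; the subdomains, client addresses and log format are assumed) and reports distinct hits per host, matching on label boundaries so look-alike names are not flagged.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the advisory), one query per line:
# "<timestamp> <client_ip> query <qname>". Only w8510.com is taken from the
# advisory; every subdomain and client address here is made up.
SAMPLE_DNS_LOG = """\
2024-09-18T10:01:02Z 10.0.5.21 query www.example.com
2024-09-18T10:01:07Z 10.0.5.21 query cdn.example.org
2024-09-18T10:02:11Z 10.0.7.44 query aaa.w8510.com
2024-09-18T10:02:15Z 10.0.7.44 query bbb.w8510.com
2024-09-18T10:02:19Z 10.0.7.44 query ccc.w8510.com
2024-09-18T10:03:01Z 10.0.9.8 query w8510.com.example.net
2024-09-18T10:03:30Z 10.0.5.21 query AAA.w8510.com.
"""

C2_DOMAIN = "w8510.com"
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def is_c2_name(qname, c2_domain=C2_DOMAIN):
    """True if qname is c2_domain itself or one of its subdomains.

    The comparison is done on label boundaries, so 'w8510.com.example.net'
    (the C2 domain used as a prefix) and 'notw8510.com' are not matched.
    A trailing dot and mixed case are normalised away first.
    """
    q = qname.lower().rstrip(".")
    return q == c2_domain or q.endswith("." + c2_domain)


def find_c2_lookups(log_text):
    """Map each client IP to the sorted list of distinct C2 names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip lines that do not fit the assumed format
            continue
        _ts, client, qname = m.groups()
        if is_c2_name(qname):
            hits[client].add(qname.lower().rstrip("."))
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in find_c2_lookups(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {len(names)} distinct {C2_DOMAIN} name(s): {', '.join(names)}")
```

A host resolving many distinct subdomains of the same C2 domain, as 10.0.7.44 does here, is the pattern worth escalating rather than any single lookup.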

FBI promises big cash savings on ransomware

Wray also lauded the efforts of his agency to defeat ransomware gangs where possible, and help negotiate settlements for victims if all else fails.

The FBI has developed and shared decryption keys for unscrambling files on infected machines after reverse-engineering various ransomware binaries over the past two years, and has helped nearly 1,000 organizations around the world recover their data, saving them over $800 million, he said - not to mention some of the time spent clearing up after an attack.

He cited the case of the Los Angeles Unified School District (LAUSD) ransomware infection, where America's second largest school system was hit over the Labor Day weekend in 2022. The FBI had a team there within an hour, Wray said, and had "priority systems" back online before the long weekend was over.

Then Wray made a surprising admission - the FBI will help negotiate with criminals when victims choose to pay up. We assume that will happen if an extorted organization is in a particularly sensitive bind.

He cited a case last summer where an unnamed US cancer treatment center was crippled by ransomware, leaving patients stuck without the urgent care they needed to survive.

"It's hard to think of a case where the criminals were more callous or when getting back online fast mattered more," Wray said. The center called in the FBI team immediately and they set to work, trying to decrypt the health facility's scrambled infected servers.

"In addition to technical experts we also deployed crisis negotiators. We were helping the center negotiate the ransom payment, getting it from $450,000 down to $50,000," he recounted.

"Using the decryption key the hackers then provided, the center was able to resume operations days after the attack. In that instance, it was not only time saving to work with the bureau but, according to the cancer center, it was also lifesaving."

The admission that the FBI is facilitating payments is somewhat of a shift in the agency's stance. It used to be very hard line about not paying off cyber-extortionists, although in 2019, it did adjust its position slightly in acknowledging that payment was an option for some businesses. FBI agents being directly involved in negotiating with malware slingers seems a new step.

The White House meanwhile is trying to negotiate an international treaty to ban government bodies from paying cyber-ransoms, hosting a Counter Ransomware Initiative (CRI) summit last year to persuade other countries to sign up. ®
