China-backed spies dismantled their own 260,000-device botnet after the FBI, along with international partners, began pursuing them.
The botnet was run by the ironically named Integrity Technology Group, a Chinese business whose chairman has admitted that for years the company “collected intelligence and performed reconnaissance for Chinese government security agencies,” according to FBI Director Christopher Wray, speaking at the Aspen Digital computer security conference on Wednesday.
The compromised devices, including PCs, servers, and Internet-of-Things (IoT) gadgets infected with remote-control malware, were mostly located in the U.S.
A Beijing-backed group tracked as Flax Typhoon had been building this Mirai-based botnet since 2021. Microsoft publicly attributed espionage against Taiwanese networks to the group in 2023.
Wray said Flax Typhoon had recently shifted its focus toward U.S. critical infrastructure, government systems, and academic institutions. The FBI, together with U.S. Cyber Command’s Cyber National Mission Force (CNMF) and the NSA, moved to take the botnet down.
Wray described the operation as “all hands on deck,” with agents taking control of the botnet’s command and control servers after securing a court order.
The Chinese operators tried to disrupt the takedown, launching a DDoS attack against U.S. authorities and attempting to migrate the bots to backup command-and-control servers, but both moves were blocked. Faced with that resistance, the operators ultimately abandoned the botnet.
“We believe the bad actors finally realized they were up against the FBI and our partners, and with that realization, they essentially dismantled their infrastructure and abandoned their botnet,” said Wray.
An advisory [PDF] released alongside Wray’s speech states that the Flax Typhoon group maintained an SQL database holding 1.2 million records of compromised devices, covering both devices it had exploited in the past and those then active in the botnet.
The operators exploited vulnerabilities in internet-connected devices to install a customized variant of the Mirai malware, which then communicated with command-and-control servers over TLS on port 443. Investigators identified more than 80 subdomains of w8510.com tied to the botnet’s control servers.
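The one indicator above that a defender can actually act on is the control domain, since TLS on port 443 alone looks like any other web traffic. The script below is an added example, not code from the advisory or from the FBI: it walks constructed Zeek-style dns.log and ssl.log excerpts and reports every internal host that resolved, or opened a TLS session to, w8510.com or any subdomain of it. The apex domain and port come from the advisory; every subdomain, IP address and timestamp in the sample logs is invented. The match is done on whole DNS labels so that a lookalike such as notw8510.com does not produce a false hit.

```python
from collections import defaultdict

C2_APEX = "w8510.com"  # apex domain named in the advisory
C2_PORT = 443          # C2 port named in the advisory

# Constructed sample logs (Zeek-style, tab-separated). Every subdomain, IP
# and timestamp here is invented for the example; only the apex is real.
SAMPLE_DNS_LOG = """\
1726700001.1\t10.0.0.5\tupdate.w8510.com
1726700002.2\t10.0.0.7\tcdn.example.com
1726700003.3\t10.0.0.9\tfoo.notw8510.com
1726700004.4\t10.0.0.5\tW8510.COM.
1726700005.5\t10.0.0.12\tapi.bar.w8510.com
"""

SAMPLE_SSL_LOG = """\
1726700006.6\t10.0.0.5\t203.0.113.10\t443\tupdate.w8510.com
1726700007.7\t10.0.0.7\t198.51.100.4\t443\tcdn.example.com
1726700008.8\t10.0.0.9\t203.0.113.11\t443\t-
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_c2_domain(name, apex=C2_APEX):
    """Label-aware match: the apex itself or any subdomain of it.

    A plain endswith("w8510.com") would also match "notw8510.com", so the
    comparison is made on whole labels (exact apex, or ".apex" suffix).
    """
    n = normalize(name)
    return n == apex or n.endswith("." + apex)


def parse_dns(log):
    """Yield (ts, src_ip, query) from tab-separated dns.log lines."""
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, query = line.split("\t")[:3]
        yield float(ts), src, query


def parse_ssl(log):
    """Yield (ts, src_ip, dst_ip, dst_port, sni) from ssl.log lines."""
    for line in log.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, sni = line.split("\t")[:5]
        yield float(ts), src, dst, int(port), (None if sni == "-" else sni)


def hunt(dns_log, ssl_log):
    """Return {src_ip: [(kind, ts, detail), ...]} for hosts touching the C2 domain."""
    hits = defaultdict(list)
    for ts, src, query in parse_dns(dns_log):
        if is_c2_domain(query):
            hits[src].append(("dns", ts, normalize(query)))
    for ts, src, dst, port, sni in parse_ssl(ssl_log):
        # Only the SNI ties a TLS session to the domain; port 443 on its own
        # is not a usable indicator.
        if sni and is_c2_domain(sni) and port == C2_PORT:
            hits[src].append(("tls", ts, f"{dst}:{port} sni={normalize(sni)}"))
    return dict(hits)


if __name__ == "__main__":
    for host, findings in sorted(hunt(SAMPLE_DNS_LOG, SAMPLE_SSL_LOG).items()):
        print(host)
        for kind, ts, detail in findings:
            print(f"  {kind:<3} {ts:.1f} {detail}")
```

In the sample, 10.0.0.5 is flagged three times (two lookups, one of them for the bare apex in upper case with a trailing dot, plus a TLS session) and 10.0.0.12 once; the host that queried notw8510.com is not reported. Against real logs the same two-pass approach applies: hunt in DNS first, since a bot that cannot resolve its C2 leaves no TLS record at all.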
Wray also took the opportunity to highlight the FBI’s efforts against ransomware gangs, detailing how the agency has reverse-engineered ransomware over the past two years, developed decryption keys, and helped nearly 1,000 organizations recover their data, saving them over $800 million.
He recalled the case of the Los Angeles Unified School District (LAUSD) ransomware attack during Labor Day weekend in 2022, when the FBI deployed a team within an hour and had critical systems operational before the weekend ended.
Wray also made a notable admission: the FBI sometimes takes part in negotiations with cybercriminals when a victim decides to pay. That is a departure from the agency’s earlier hardline stance against paying ransom demands.
He shared an example from last summer when a U.S. cancer treatment center was crippled by ransomware, jeopardizing patients’ access to life-saving care.
The FBI stepped in with both technical experts and crisis negotiators, helping the center talk the demand down from $450,000 to $50,000.
Using the decryption key supplied by the attackers, the center resumed operations within days of the attack. According to Wray, working with the FBI was both time-saving and lifesaving in this case.
The FBI had long advised strongly against paying off cybercriminals. Since 2019, however, it has acknowledged that paying may be an option for some businesses, and its direct involvement in negotiations is a further step in that evolution.