A new global cybersecurity threat has been neutralized as law enforcement agencies, including the FBI, Cyber National Mission Force (CNMF), and National Security Agency (NSA), dismantled a botnet allegedly operated by actors linked to the People's Republic of China (PRC).
The botnet, which at its peak compromised over 260,000 devices worldwide, had been active since mid-2021, targeting small office/home office (SOHO) routers, firewalls, and Internet of Things (IoT) devices. The devices were infected to support various malicious activities, such as Distributed Denial of Service (DDoS) attacks and other cyber intrusions.
The actors responsible for managing the botnet used infrastructure linked to a Chinese company, Integrity Technology Group (Integrity Tech). This company, tied to the PRC government, maintained control over the compromised devices using IP addresses from China Unicom's Beijing Province Network. The FBI linked this infrastructure to well-known PRC-based cyber espionage groups, including Flax Typhoon, RedJuliett, and Ethereal Panda. The network of compromised devices spanned the globe, with significant concentrations in the U.S., Europe, and Asia. The U.S. alone accounted for approximately 47.9% of the infected devices, with nearly 126,000 affected systems.
The botnet leveraged the Mirai malware, a well-known tool for hijacking IoT devices, which had evolved into a powerful platform for malicious actors after its source code was leaked in 2016. The malware was capable of remotely controlling victim devices, gathering system information, and routing traffic to conceal the identities of the attackers. Investigations revealed that the botnet used over 80 subdomains under the “w8510.com” domain to control its activities.
In response to this significant threat, U.S. law enforcement agencies coordinated with cybersecurity entities around the globe, resulting in a successful operation to disable the botnet. While the affected devices have been cleared of the malware, authorities warn that they remain vulnerable to re-infection unless appropriate security measures, such as firmware updates and proper network segmentation, are implemented.
In a related announcement, the Netherlands' National Cyber Security Center (NCSC) confirmed that several thousand compromised devices were located within the country, primarily SOHO equipment such as internet modems and routers. The NCSC echoed the FBI's call for device owners to keep their systems up to date to avoid future compromises. It stressed the need for ongoing vigilance in managing IoT security, highlighting that these devices are often poorly protected and susceptible to exploitation.
The dismantling of this botnet represents a significant victory in the fight against global cyber threats. However, network defenders are advised to remain proactive. Key mitigations include:
- Disabling unnecessary services and ports (e.g., UPnP and remote access features).
- Implementing strong network segmentation to limit IoT device exposure.
- Regularly updating firmware and software to patch vulnerabilities.
- Changing default passwords to strong, unique ones.
- Monitoring network traffic to detect signs of abnormal activity.
These steps are essential to prevent re-infection and protect against other future botnet operations.
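As an added illustration of the last mitigation (not part of the original report), the script below scans DNS query logs for lookups under the control domain the article names, w8510.com, and groups the distinct subdomains seen per source address. The log format and the log lines are constructed for this example; the matching is label-aware so that a look-alike name that merely contains the string is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (syslog-like). These are not real records.
SAMPLE_DNS_LOG = """\
2024-09-18T10:01:02Z client 192.168.1.23 query A update.example.com
2024-09-18T10:01:05Z client 192.168.1.40 query A abc123.w8510.com
2024-09-18T10:01:09Z client 192.168.1.40 query A def456.w8510.com
2024-09-18T10:02:11Z client 192.168.1.77 query A w8510.com.evil-lookalike.test
2024-09-18T10:02:30Z client 192.168.1.40 query A ghi789.w8510.com
2024-09-18T10:03:00Z client 192.168.1.12 query AAAA news.example.org
"""

# Assumed log layout: "<timestamp> client <src-ip> query <qtype> <qname>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$"
)


def is_under_domain(qname, parent):
    """True if qname is parent itself or a subdomain of it.

    Compares whole DNS labels (case-insensitive, trailing dot ignored), so
    'w8510.com.evil-lookalike.test' and 'notw8510.com' do NOT match.
    """
    q = qname.lower().rstrip(".")
    p = parent.lower().rstrip(".")
    return q == p or q.endswith("." + p)


def find_c2_lookups(log_text, c2_domain="w8510.com"):
    """Return {source_ip: sorted list of distinct names queried under c2_domain}.

    A host resolving several rotating subdomains of the same control domain is
    the pattern the report describes (80+ subdomains under w8510.com).
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        if is_under_domain(m["qname"], c2_domain):
            hits[m["src"]].add(m["qname"].lower().rstrip("."))
    return {src: sorted(names) for src, names in hits.items()}


if __name__ == "__main__":
    for src, names in find_c2_lookups(SAMPLE_DNS_LOG).items():
        print(f"{src}: {len(names)} distinct control subdomains -> {names}")
```

Feed real resolver logs through the same function after adjusting LOG_RE to the format your DNS server emits; hosts it returns are candidates for firmware update, credential reset and segmentation review.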
9o5
Yea! Good to hear traction made.
With 260,000 compromised devices worldwide, is there a list of the compromised devices IP addresses?