The Justice Department announced a court-authorized law enforcement operation that disrupted a botnet comprising over 200,000 consumer devices in the United States and globally. According to court documents unsealed in the Western District of Pennsylvania, the botnet was infected by People’s Republic of China (PRC) state-sponsored hackers associated with Integrity Technology Group, a Beijing-based company known as “Flax Typhoon” in the private sector.
The malware targeted various consumer devices such as small-office/home-office (SOHO) routers, internet protocol (IP) cameras, digital video recorders (DVRs), and network-attached storage (NAS) devices. These infected devices were connected into a botnet controlled by Integrity Technology Group to conduct malicious cyber activities disguised as routine internet traffic. The operation took control of the hackers’ computer infrastructure and sent disabling commands to the malware on the infected devices. During this process, there was an attempt to interfere with the FBI’s efforts through a distributed denial-of-service (DDoS) attack targeting their operational infrastructure, which ultimately failed.
Attorney General Merrick B. Garland stated, “The Justice Department is zeroing in on the Chinese government-backed hacking groups that target the devices of innocent Americans and pose a serious threat to our national security.” He added that this was another instance where PRC-backed hackers' botnets were dismantled. Deputy Attorney General Lisa Monaco emphasized an all-tools approach to disrupting cyber criminals: “Today should serve as a warning to cybercriminals preying on Americans – if you continue to come for us, we will come for you.”
Assistant Attorney General Matthew G. Olsen of the National Security Division highlighted that this was the second time this year such disruption had occurred: “Our message to these hackers is clear: if you build it, we will bust it.” FBI Deputy Director Paul Abbate noted that this operation demonstrated their commitment to protecting victims and exposing criminal hacking campaigns.
U.S. Attorney Eric G. Olshan for the Western District of Pennsylvania remarked on the scale and aggressiveness of PRC state-sponsored hackers: “This court-authorized operation disrupted a sophisticated botnet designed to steal sensitive information and launch disruptive cyber attacks.” Special Agent in Charge Stacey Moy of the FBI San Diego Field Office added that Integrity Technology Group openly sold its customers tools for hacking into consumer devices worldwide.
Court documents revealed that Integrity Technology Group developed an online application called "KRLab," allowing users to control infected victim devices using malicious commands from a tool named "vulnerability-arsenal." The FBI's investigation corroborated Microsoft Threat Intelligence's findings about Flax Typhoon targeting various sectors since 2021.
A cybersecurity advisory detailing Integrity Technology Group's tactics was published by multiple agencies including the FBI and international partners from Australia, Canada, New Zealand, and the United Kingdom. The government's disabling commands were tested extensively before deployment and did not affect legitimate device functions or collect content information from infected devices.
The domestic disruption effort was led by several U.S. entities including the FBI’s San Diego Field Office and Cyber Division, with assistance from French authorities and Lumen Technologies’ Black Lotus Labs which initially identified this botnet named Raptor Train in July 2023.
Individuals who suspect their computers or devices are compromised are advised to visit the FBI’s Internet Crime Complaint Center or report online to CISA.
The investigation into Integrity Technology Group’s activities continues.