China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations

A joint cybersecurity advisory revealing that cyber actors linked to the People’s Republic of China (PRC) have compromised thousands of internet-connected devices.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 18, 2024, the Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and the National Security Agency (NSA) issued a joint cybersecurity advisory revealing that cyber actors linked to the People’s Republic of China (PRC) have compromised thousands of internet-connected devices. These devices include routers, firewalls, and Internet of Things (IoT) systems, forming a botnet used for Distributed Denial of Service (DDoS) attacks and to conceal the identities of attackers. The compromised botnet, operated by a PRC-based company known as Integrity Technology Group, has been active since mid-2021.

Report Overview

The advisory explains how Integrity Technology Group controls this botnet, which consists of over 260,000 compromised devices. These devices include small office/home office (SOHO) routers, network-attached storage (NAS), and various IoT devices, such as webcams and CCTV cameras. The malware used to form the botnet is derived from the Mirai family, notorious for targeting Linux-based systems, particularly outdated or unsupported hardware.

Technical Breakdown

A botnet operates by compromising internet-connected devices with malware that provides unauthorized remote access. Attackers use this access to control these devices and can deploy them in coordinated attacks. The malware connects infected devices to a command-and-control (C2) server using Transport Layer Security (TLS) on port 443. The C2 server collects information about the infected devices, such as their operating system, memory, and bandwidth, enabling attackers to assign roles to the devices within the botnet.

The botnet run by Integrity Tech is composed of devices distributed globally, with 47.9% located in the United States. While many of the compromised devices are end-of-life, some still receive vendor support, making this an urgent concern for device owners and network administrators.

Insights and Analysis

Paul Chichester, NCSC Director of Operations, stressed the importance of patching and securing devices to prevent them from being exploited as part of botnets. The botnet described in the report poses significant risks, particularly in its ability to execute DDoS attacks and steal sensitive information.

The joint advisory also highlights the vulnerabilities in IoT devices and other internet-connected hardware. Many of these systems, especially those running outdated firmware, are prime targets for botnet operators. Integrity Tech’s botnet has maintained between tens of thousands and hundreds of thousands of compromised devices at a time, making it a powerful tool for cyber attackers.

Preventative Actions:

  1. Patch Internet-Connected Devices: Ensure all devices receive firmware and security updates.
  2. Change Default Credentials: Use strong passwords for administrative access.
  3. Monitor Network Traffic: Set up alerts for unusual traffic patterns indicating compromised devices.
  4. Disable Unused Services: Turn off unnecessary features like remote access to minimize attack surfaces.

By following the mitigation advice in this advisory, organizations and individuals can reduce the risk of their devices becoming part of a botnet and contributing to cyberattacks.

Indicators of Compromise (IOCs)

A comprehensive list of indicators can be found in the full PDF report.

MITRE ATT&CK TTPs

Tactic              | Technique                          | ID    | Description
--------------------|------------------------------------|-------|------------------------------------------------------------------
Initial Access      | Exploit Public-Facing Application  | T1190 | The botnet leverages known vulnerabilities in IoT devices to gain access.
Command and Control | Encrypted Channel                  | T1573 | The botnet uses TLS on port 443 to establish communication with the C2 server.
Command and Control | Remote Command Execution           | T1105 | Malware allows unauthorized remote control of compromised devices.

References

  1. Joint cyber security advisory: People’s Republic of China-linked actors compromise routers and Internet-connected devices for botnet (Canadian Centre for Cyber Security).
  2. NCSC and partners issue advice to counter China-linked campaign targeting thousands of devices: joint advisory highlights the risk of malicious cyber actors exploiting internet-connected devices and gives mitigation advice.