In a substantial blow to Chinese cyber espionage, the FBI led a joint operation to take down Flax Typhoon, a massive botnet responsible for compromising hundreds of thousands of devices worldwide. This botnet, backed by the Chinese government, had been targeting key sectors such as critical infrastructure, media organizations, universities, and government agencies. FBI Director Christopher Wray announced the takedown at the Aspen Cyber Summit, highlighting the significance of the operation in the ongoing fight against state-sponsored cyberattacks.
Flax Typhoon, described as “a step beyond” previous Chinese cyber operations, represented a new and more dangerous level of hacking. Unlike earlier threats that focused primarily on routers, this botnet took over Internet of Things (IoT) devices such as security cameras, video recorders, and data storage systems. Wray explained, “Flax Typhoon’s actions caused real harm to its victims,” disrupting operations and stealing sensitive data from affected organizations.
What Was the Flax Typhoon Botnet Doing?
At its core, the Flax Typhoon botnet was about more than just surveillance. It was designed to create widespread chaos and gain a foothold in vital systems across the globe. According to Black Lotus Labs, a research arm of the U.S. telecommunications company Lumen, Flax Typhoon carried out a series of espionage campaigns over the past four years. The targets included military, government, telecommunications, and defense industry entities, with a particular focus on U.S. and Taiwanese interests. The botnet was so pervasive that it even launched a large-scale scanning effort to identify vulnerabilities in U.S. military assets, including those stationed in Japan.
The botnet’s operators, who worked under the cover of a Chinese company called Integrity Technology Group, managed the attacks through an application called “Sparrow.” This application allowed them to scale their exploitation efforts, remotely manage infected devices, and launch distributed denial of service (DDoS) attacks. DDoS attacks overwhelm a server with traffic to shut it down, causing major disruptions. While Black Lotus Labs did not see Flax Typhoon launching DDoS attacks yet, they believe the botnet preserved this capability for future use, increasing the potential threat to both civilian and military targets.
How the FBI Took It Down
The FBI’s response was swift and decisive. Working with international partners, the FBI executed court-authorized operations to gain control of Flax Typhoon’s infrastructure. Director Wray explained how the operation unfolded: “When the bad guys realized what was happening, they tried to migrate their bots to new servers, and even conducted a DDoS attack against us.” But the FBI, alongside its allies, managed to fend off the attack, identify the new servers in just hours, and continue their takedown efforts. As Wray described it, the attackers “burned down their new infrastructure and abandoned their efforts” once they realized they were up against the FBI and its partners.
By gaining control of Flax Typhoon’s infrastructure, the FBI was able to identify and disinfect thousands of compromised devices. Wray called this a major victory, saying the agency had essentially “pried [the devices] from China’s grip.” This was made possible through a legal procedure known as Rule 41, which allowed the FBI to remove the malware from infected devices and neutralize the botnet’s control systems. This strategy has been used before in other operations against Russian and Chinese cyber threats, but the scale and complexity of Flax Typhoon made it a particularly significant challenge.
Despite the success, Wray was clear that this was just the beginning. “It is just round one of a much longer fight,” he said, emphasizing that the U.S. will continue to face cyber threats from state-sponsored actors like China. As the FBI and its partners work to disrupt these operations, cybercriminals will likely evolve their tactics in an effort to stay ahead.
Who Was Behind the Attack?
The people behind Flax Typhoon operated under the banner of Integrity Technology Group, a company that claims to specialize in cybersecurity. However, the company’s chairman publicly admitted that they have been collecting intelligence and performing reconnaissance on behalf of Chinese government security agencies for years. This revelation confirms what U.S. intelligence officials have long suspected: Chinese private-sector entities are often deeply intertwined with the government’s broader espionage efforts.
Flax Typhoon is the latest in a string of Chinese cyber operations aimed at compromising critical infrastructure. A related group, known as Volt Typhoon, has been targeting U.S. internet routers and other vulnerable systems, specifically in the lead-up to potential conflicts. The U.S. government believes these operations are part of a broader strategy by China to disrupt U.S. infrastructure in the event of a military confrontation, particularly regarding Taiwan. As Director Wray explained, “These kinds of attacks have little to no traditional military value but serve a strategic purpose by positioning China to launch disruptive cyberattacks if a conflict arises.”
ACZ Editor: In a military conflict, creating confusion and panic in a civilian population and causing the government to deploy resources that are not focused on the military objectives is a real advantage and could indeed be decisive. In fact, prior to an attack, these techniques could easily persuade the population that their government is incompetent, in which case the government may lose critical support when it is needed most.
Integrity Technology Group’s operation primarily targeted IoT devices. By hijacking everyday items like security cameras and data storage systems, the botnet was able to establish a large network of compromised devices, giving it immense power to disrupt vital systems. As of June 2024, the botnet had infected over 260,000 devices, with nearly half located in the United States alone. The FBI’s advisory stated that Integrity Technology Group controlled the botnet using Chinese internet protocol addresses provided by China Unicom Beijing Province Network.
The Scope of the Damage
The Flax Typhoon botnet had an extensive global reach, affecting devices in North America, South America, Europe, Africa, Southeast Asia, and Australia. U.S. officials have estimated that the botnet compromised over 126,000 devices in the United States, with Vietnam being the second-most affected country at 21,100 devices. The targets were diverse, ranging from large corporations to small businesses, and included a number of government agencies.
In California, one organization faced a serious financial crisis after discovering that Flax Typhoon had infected its systems. According to Wray, the organization had to initiate an “all-hands response” to remove the malware, leading to significant financial losses. Although the full extent of the damage caused by Flax Typhoon remains unclear, it is evident that the botnet’s activities caused real and lasting harm to its victims.
A Global Effort to Combat Cyber Threats
The success of the Flax Typhoon takedown highlights the importance of international cooperation in the fight against cybercrime. The FBI’s efforts were supported by cybersecurity agencies from the U.S., Australia, Canada, New Zealand, and the United Kingdom, who issued a joint advisory warning of the botnet’s potential dangers. These nations have pledged to continue working together to dismantle future threats and to strengthen the digital defenses of critical infrastructure.
Anne Neuberger, the U.S. Deputy National Security Advisor for Cyber and Emerging Technologies, emphasized that increasing the costs of Chinese cyber operations is a key component of the U.S. strategy. The goal is to make it “riskier, costly, and harder for the Chinese to operate,” said Neuberger. The Biden administration is also working to boost the cybersecurity of government networks and critical infrastructure, aiming to prevent future attacks before they can cause significant damage.
The fight against cyberattacks like Flax Typhoon is far from over, but the FBI’s success demonstrates that with the right tools, strategies, and partnerships, even the most sophisticated threats can be neutralized. As Director Wray warned, “The theme is disruption, prevention, putting victims at the center of our strategy.” The dismantling of Flax Typhoon is a clear example of this approach, putting cybercriminals on notice that their actions will not go unchallenged.
