The sanctions recently imposed by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) against a Beijing cybersecurity company called Integrity Technology Group (Integrity Tech) have shed light on the nefarious activities of a Chinese cyberespionage group known as Flax Typhoon. According to OFAC, Integrity Tech allegedly played a significant role in providing the computer infrastructure used by Flax Typhoon during its cyber operations between 2022 and 2023.
Moreover, a joint advisory by the FBI, NSA, and intelligence agencies from Canada, Australia, and the UK revealed that Integrity Tech not only assisted Flax Typhoon in its cyber activities but also maintained the command-and-control infrastructure for a massive botnet comprising more than 260,000 compromised IoT devices. The advisory highlighted the company’s ties to the Chinese government and stated that it used China Unicom Beijing Province Network IP addresses to control and manage the botnet and to conduct computer intrusion activities against US victims.
Flax Typhoon, also known as RedJuliett and Ethereal Panda, has been identified as a Chinese state-sponsored cyberespionage group operating since 2021. Their malicious activities, targeting US organizations in critical infrastructure sectors, have raised alarms in the cybersecurity community. OFAC’s sanctions aim to block all assets of Integrity Tech that are under US jurisdiction or controlled by US entities, prohibiting any commercial or financial transactions with the company or any entities in which Integrity Tech has over 50% ownership.
The Flax Typhoon global IoT botnet, based on Mirai malware for Linux-based IoT devices, has been in operation since at least 2021. The botnet, which uses known exploits to compromise a variety of devices, had over 260,000 active nodes as of June, with a database listing over 1.2 million compromised devices, including a significant number in the US. The botnet’s command-and-control servers hosted an application called Sparrow, allowing users to interact with the network and launch DDoS attacks or exploit other devices on the same networks.
Flax Typhoon’s activities have not been limited to a specific region: compromised networks have been detected in North America, Europe, Africa, and Asia. However, the group maintains a particular focus on Taiwan, reflecting China’s geopolitical interests in the region. Following a recent security breach at the Treasury Department attributed to a state-sponsored Chinese APT group, concerns over cybersecurity vulnerabilities and the need for robust defense mechanisms have only grown.
The implications of the OFAC sanctions and the revelations regarding Flax Typhoon’s activities underscore the ongoing threats posed by state-sponsored cyberespionage groups. The collaborative efforts of international intelligence agencies and law enforcement bodies are crucial in addressing these cybersecurity challenges and safeguarding critical infrastructure and sensitive information from malicious actors. Moving forward, enhanced cybersecurity measures and proactive defense strategies will be essential in mitigating cyber threats and protecting national security interests.