FBI Foils Massive Chinese Cyber Attack on U.S. Critical Infrastructure

The FBI has obtained a court order to take control of a network comprising hundreds of thousands of hacked internet routers and other devices utilized by Chinese government-linked hackers to threaten critical infrastructure both in the U.S. and abroad, FBI Director Christopher Wray announced on Wednesday.

In a speech at the Aspen Cyber Summit in Washington, D.C., Wray emphasized that this action is “just one round in a much longer fight,” warning that the Chinese government will continue to target U.S. organizations and critical infrastructure.

The extensive network of hacked devices, referred to as a botnet, posed a significant threat, as the Chinese hackers could have leveraged it for targeted cyberattacks on U.S. companies or government entities. An advisory from the U.S. and its “Five Eyes” allies—comprising Australia, Canada, New Zealand, and the United Kingdom—indicated that as of June, the botnet contained over 260,000 compromised devices worldwide. These included a variety of devices such as webcams, DVRs, and routers, with about half of them located in the United States, according to Wray.

A spokesperson for the Chinese Embassy in Washington dismissed the U.S. allegations as “groundless” and accused the U.S. government of conducting cyberattacks against China. This exchange highlights the ongoing tensions between the two nations in cyberspace. The U.S. government has consistently warned about a Chinese government-backed hacking group that has infiltrated U.S. transportation and communication networks, potentially aiming to disrupt any U.S. response to a possible Chinese invasion of Taiwan. FBI Director Christopher Wray testified in January that this hacking unit is preparing to “wreak havoc and cause real-world harm” to the U.S.

The botnet targeted by the FBI and its allies on Wednesday was described by Wray as an active threat. He noted that it had caused a significant cybersecurity incident for an unnamed California-based organization, leading to considerable financial losses. However, the focus of Wednesday’s operation was more on the potential damage the botnet could have inflicted rather than what it had already done. Experts indicated that this botnet had been a looming threat to U.S. government networks for several months, with operators conducting extensive scans of U.S. military and government agencies as early as late December 2023.

Botnets are commonly used by both cybercriminals and state-sponsored hackers, as many users remain unaware that their devices have been hijacked for illicit purposes. In February, the FBI reported its role in disrupting a network of over 1,000 hacked internet routers allegedly used by Russia’s military intelligence for cyber espionage against the U.S. and its European allies.

The Chinese botnet, which was targeted on Wednesday, had various capabilities, including the ability to launch tailored cyberattacks using compromised devices. Lumen Technologies researchers are monitoring the situation to see if the Chinese hackers will revive the botnet, but currently assess that it has been taken offline due to law enforcement efforts and null routing as of September 18. Null routing is a technique that prevents data from being sent to a specific IP address.

U.S. officials indicated that the botnet was managed by a Chinese company called Integrity Technology Group for the past three years. CNN has reached out to the company for comment. Dakota Cary, a consultant at security firm SentinelOne, noted the significance of naming the company, as it underscores allied governments’ awareness of China’s operations and allows researchers to investigate further.