NCSC exposes Chinese company running malicious Mirai botnet

The UK’s National Cyber Security Centre (NCSC) and its counterpart Five Eyes agencies have accused a China-based company acting as a front for the state of running a massive botnet comprising over 250,000 internet-connected devices, about 8,500 of them located in the UK.

The compromised devices include enterprise network and security tools such as routers and firewalls, and internet of things (IoT) products such as CCTV cameras and webcams. Unbeknownst to their owners, they are being used to conduct coordinated cyber attacks, including distributed denial of service (DDoS) attacks and malware delivery.

“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks,” said NCSC operations director Paul Chichester.

“Whilst the majority of botnets are used to conduct coordinated DDoS attacks, we know that some also have the ability to steal sensitive information.

“That’s why the NCSC, along with our partners in Five Eyes countries, is strongly encouraging organisations and individuals to act on the guidance set out in this advisory – which includes applying updates to internet-connected devices – to help prevent their devices from joining a botnet.”

The company in question, Integrity Technology Group, is based out of Beijing and on the surface appears to operate as a legitimate provider of network security services.

Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks

However, according to the joint advisory, which can be read in full here, it has also put its expertise to use in the service of the Chinese government – Integrity’s China Unicom Beijing Province IP addresses are known to have been used to access other operational infrastructure used in cyber attacks on victims in the US.

According to the authorities, the FBI has engaged with a number of these victims and has uncovered activity consistent with the tactics, techniques and procedures (TTPs) favoured by a state-backed advanced persistent threat (APT) actor tracked as Flax Typhoon, but also known as RedJuliett and Ethereal Panda, among other things.

Its botnet uses the infamous Mirai malware family to hijack devices running Linux-based operating systems. Integrity targets these devices via a number of disclosed common vulnerabilities and exposures (CVEs).

Once the Mirai payload has been downloaded and executed, it begins processes on the device to establish a connection with Integrity’s command-and-control (C2) infrastructure using Transport Layer Security (TLS) over port 443. It also gathers and exfiltrates system information, including operating system versions, memory and bandwidth details for enumeration purposes. It also sends requests to “c.speedtest.net” to gather additional internet connection details. Additionally, the investigation found, some of the Mirai payloads are self-deleting to avoid detection.

Meanwhile, upstream, Integrity operates a tier of management servers via TCP port 34125 to run the botnet’s C2 infrastructure. The servers host a MySQL database holding information on the compromised devices that, as of June this year, is thought to contain over 1.2 million records. The servers also host an application known as Sparrow to interact with the botnet – the code for this application is stored in a Git repository and defines various functions that enable users to send tasking and exploitation commands to the compromised devices, among other things. Sparrow can also provide device vulnerability information to users, and a subcomponent called “vulnerability arsenal” lets them exploit traditional networks via the victim devices.

More details on Integrity’s activity, including mitigation guidance, can be found in the full advisory.