FBI says it has disrupted major Chinese hacking operation that threatened US critical infrastructure

The FBI has used a court order to seize control of a network of hundreds of thousands of hacked internet routers and other devices that Chinese government-linked hackers were using to threaten critical infrastructure in the US and overseas, FBI Director Christopher Wray said Wednesday.

“It is just one round in a much longer fight,” Wray said in a speech at the Aspen Cyber Summit in Washington, DC. “The Chinese government is going to continue to target your organizations and our critical infrastructure.”

The massive web of hacked devices — known as a botnet — was a menace that the Chinese hackers could have used to conduct targeted cyberattacks on US companies or government agencies, according to an advisory released by the US and its “Five Eyes” allies (the English-speaking alliance that includes Australia, Canada, New Zealand and the United Kingdom). As of June, the botnet included over 260,000 hacked devices from all over the world, from North and South America to Australia, according to US officials. Those hacked devices ranged from webcams to DVRs to routers, and about half of them were located in the US, according to Wray.

A spokesperson for the Chinese Embassy in Washington called the US allegations “groundless” and accused the US government of conducting cyberattacks against China.

It’s the latest tit-for-tat in the often-tense relations between US and China in cyberspace. The US government has long warned that another Chinese government-backed hacking group has been lurking in US transportation and communication networks, waiting to use that access to disrupt any US response to a potential Chinese invasion of Taiwan.

That Chinese hacking unit is preparing to “wreak havoc and cause real-world harm” to the US, Wray told Congress in January.

A tool of choice

The botnet targeted by the FBI and its allies on Wednesday was an active menace, Wray said in his speech.

The botnet caused “an all-hands-on deck cybersecurity incident” for one unnamed California-based organization, causing “significant financial loss,” the FBI director said.

But Wednesday’s takedown was more about what the botnet could have done than what it did. The army of zombie computers has been a quiet and looming threat to US government networks for many months, according to experts. In late December 2023, the botnet’s operators “conducted extensive scanning efforts” of US military and other government agencies, according to US tech firm Lumen Technologies, which investigated the activity.

Botnets are a tool of choice for both cybercriminals and state-backed hackers because users around the world are often unaware that their computers have been hijacked for scamming or espionage. The FBI said in February that it had helped disrupt a network of over 1,000 hacked internet routers that Russia’s military intelligence agency was allegedly using for cyber espionage operations against the United States and its European allies.

The Chinese botnet targeted on Wednesday had an array of capabilities, including the ability to conducted tailored cyberattacks using the devices it had compromised, according to Lumen researchers.

Lumen researchers are watching for signs that the Chinese hackers will resurrect the botnet. But for now, “we assess that the botnet has been taken offline due to a combination of law enforcement efforts and null routing as of September 18,” Danny Adamitis, principle information security engineer at Lumen’s Black Lotus Labs threat intelligence division, told CNN.

Null routing is a process that internet technology providers can use to stop data from being sent to a specific IP address.

A Chinese company named Integrity Technology Group managed the botnet for the last three years, according to US officials. CNN has requested comment from the company.

The Chinese tech firm is “involved in many of China’s most important programs and efforts to improve its hacking capabilities,” Dakota Cary, a consultant at security firm SentinelOne who focuses on China, told CNN. “The naming of the company is significant as it demonstrates allied governments’ visibility into China’s operations, as well as enabling researchers to further investigate the company.”

For more CNN news and newsletters create an account at CNN.com