Full Report
The Treasury Department said Integrity Technology provided Flax Typhoon actors with infrastructure between the summer of 2022 and fall of 2023 — with the state-backed groups sharing and receiving information from the company.
Analysis Summary
# Threat Actor: Flax Typhoon
## Attribution & Identity
State-sponsored hacking group operating under the direction of the People’s Republic of China’s (PRC) Ministry of State Security (MSS).
* **Associated Entity/Facilitator:** Integrity Technology Group (also known as Yongxin Zhicheng), a major PRC government contractor and cybersecurity firm responsible for providing infrastructure and developing/controlling botnets used by the group.
* **Alias:** The PRC-based hackers working for Integrity Technology are tracked under the alias "Flax Typhoon."
## Activity Summary
Flax Typhoon is a state-backed group known for conducting extensive cyber operations targeting critical infrastructure globally.
* **Support Structure:** Integrity Technology provided dedicated infrastructure to Flax Typhoon actors between summer 2022 and fall 2023, both sharing information with the group and receiving information from it. The FBI disruption in September targeted a botnet that Integrity Technology developed and controlled and that Flax Typhoon used.
* **Historical Focus:** When first publicly identified, the group was described as being at the forefront of attacks targeting Taiwan, with activity dating back to 2021.
* **Recent Operations:** The group was confirmed to be targeting critical infrastructure in the United States and overseas.
## Tactics, Techniques & Procedures
The actor relies heavily on compromised consumer IoT devices to build large-scale botnets for command and control.
* **Botnet Operation:** Infected over 260,000 consumer devices (including IoT hardware like cameras, video recorders, and storage devices) to establish a global botnet.
* **Infrastructure Control:** Integrity Technology developed an online application, prominently labeled "KRLab," allowing customers to log in and control infected victim devices via a menu of malicious commands using a tool named "vulnerability-arsenal."
* **Data Storage:** A database used for controlling the botnet was found containing over 1.2 million records of compromised devices.
* **Disruption:** The group's tactics were detailed in a joint advisory published by the FBI and NSA in September 2024.
## Targeting
* **Sectors:** Critical infrastructure, universities, government agencies, telecommunications providers, media organizations, critical manufacturing, and information technology organizations.
* **Geography:** United States and overseas, with initial activity noted in Taiwan and victims seen across Southeast Asia, North America, and Africa.
* **Victims:** Universities, government agencies, telecommunications providers, and media organizations globally.
## Tools & Infrastructure
* **Malware Families Used:** Botnet malware installed on consumer IoT devices.
* **Infrastructure:** Botnet infrastructure hosted on compromised consumer hardware. The disruption campaign involved taking control of the actor's internet infrastructure.
* **Internal Tools:** "vulnerability-arsenal" used for executing malicious commands via the KRLab control panel.
## Implications
Flax Typhoon, supported by a major PRC contractor (Integrity Technology), represents a significant, persistent threat vector leveraging easily accessible consumer and IoT compromises to build large-scale, state-directed operational infrastructure for targeting sensitive sectors, including critical infrastructure within the United States. The group's deep connections to the MSS indicate high-level state sponsorship.
## Mitigations
* Implement defensive measures against tactics detailed in the joint FBI/NSA advisory regarding Flax Typhoon and Integrity Technology.
* Secure or isolate Internet of Things (IoT) hardware, cameras, and storage devices, as these form the primary basis of the group's botnet.
* Review network defenses against state-sponsored intrusion targeting critical infrastructure components.