Chinese Hackers Hijack Routers & IoT Devices to Create Botnet: A Cybersecurity Alert 

Do you want to know How Hackers Hijack Routers? A recent joint cybersecurity advisory from the FBI, Cyber National Mission Force (CNMF), and National Security Agency (NSA) has brought alarming news: hackers associated with the People’s Republic of China (PRC) have compromised thousands of internet-connected devices. This includes routers, firewalls, network-attached storage (NAS) devices, and various Internet of Things (IoT) devices, creating a vast botnet. This blog will explore the details of this advisory, the methods used by the hackers, and the recommended steps for organizations and individuals to protect themselves. 

Overview of the Cybersecurity Advisory How Hackers Hijack Routers

On September 18, 2024, the FBI, CNMF, and NSA released a comprehensive advisory detailing the activities of PRC-linked hackers. The advisory underscores the urgent need for device vendors, owners, and operators to enhance the security of their internet-connected devices. With the botnet’s reach extending across multiple continents, the implications of this threat are significant. 

Scope of the Compromise 

The compromised devices range from small office/home office (SOHO) routers to critical network infrastructure such as firewalls and NAS devices. By targeting these devices, the hackers have created a botnet capable of facilitating various malicious activities, including distributed denial of service (DDoS) attacks and unauthorized traffic routing. 

Scale of the Botnet 

As of June 2024, it was reported that the botnet consisted of over 260,000 devices. Victims span North America, South America, Europe, Africa, Southeast Asia, and Australia, highlighting the global nature of this cyber threat.

Methodology of the Attack 

Exploitation of Known Vulnerabilities 

The hackers exploited several known vulnerabilities in devices from prominent vendors like Zyxel, Fortinet, and QNAP. By targeting these weaknesses, they were able to gain unauthorized access to the devices. 

Deployment of Customized Mirai Malware 

Once they compromised the devices, the hackers infected them with a customized version of Mirai malware. This notorious malware is designed to enable remote control of infected devices, allowing attackers to leverage them for various malicious purposes. 

Botnet Management and Command Control 

The botnet is managed by a company based in China called Integrity Technology Group. The advisory revealed that the botnet’s command and control (C2) servers utilize a tiered system of upstream management servers. These servers host a MySQL database containing detailed information about the compromised devices. 

The attackers used specific IP addresses registered to China Unicom to access a management application known as “Sparrow.” This application allows them to interact with the botnet and issue commands to the compromised devices. 

Infrastructure Insights 

The advisory provides extensive details about the botnet’s infrastructure. It includes a list of subdomains associated with the C2 servers, as well as the specific vulnerabilities that were exploited to expand the botnet. Understanding this infrastructure is crucial for cybersecurity professionals aiming to counteract these threats. 

Vulnerabilities Exploited 

The advisory emphasizes the importance of being aware of the specific vulnerabilities that were targeted. Device manufacturers and network defenders are encouraged to take note of these weaknesses to fortify their defenses. 

Recommended Mitigations

In response to this growing threat, the advisory outlines several recommended actions for device owners and network defenders: 

1. Disable Unused Services and Ports 

Many devices come with unnecessary services and open ports that can be exploited. By disabling these, organizations can significantly reduce their attack surface. 

2. Implement Network Segmentation 

Network segmentation involves dividing a network into smaller parts to enhance security. This can limit the spread of malware within the network and contain any potential breaches. 

3. Monitor Network Traffic 

Regularly monitoring network traffic for unusual spikes can help detect botnet activity early. This is essential for timely intervention. 

4. Apply Patches and Updates 

Keeping devices updated with the latest patches is critical in mitigating vulnerabilities. Organizations should have a routine schedule for checking and applying updates. 

5. Use Strong Passwords 

Replacing default passwords with strong, unique passwords can prevent unauthorized access to devices. Password management tools can help in generating and storing complex passwords. 

The Broader Context of State-Sponsored Cyberattacks 

This advisory highlights a growing trend of state-sponsored cyberattacks targeting both private and public sectors. The use of compromised IoT devices in creating botnets demonstrates the evolving landscape of cyber threats. Organizations must remain vigilant and proactive in their cybersecurity strategies. 

Importance of Robust Cybersecurity Measures 

As cyber threats become more sophisticated, robust cybersecurity measures are essential. Organizations should invest in training employees, implementing comprehensive security protocols, and employing advanced monitoring tools. 

Conclusion 

The joint advisory from the FBI, CNMF, and NSA serves as a critical wake-up call for organizations and individuals alike. The compromised botnet, managed by PRC-linked hackers, poses significant risks to data security and system integrity. Immediate action is required to secure devices and prevent further compromises. 

Frequently Asked Questions (FAQs)

​​References 

​​Baran, G. (2024, September 19). Chinese Hackers Hijacked Routers & IoT Devices to Create Botnet, NSA Warns. Retrieved from Cyber Security News: https://cybersecuritynews.com/chinese-hackers-hijacked-routers/amp/-/ 

​