The Surging Tide of Botnets
Imagine waking up one morning to find your humble home router has been drafted into a global cyber army without you noticing. This isn't the start of a sci-fi thriller; it's a reality many organizations and individuals face today. A joint advisory issued by the FBI, NSA, Cyber National Mission Force and allied cyber authorities reveals that PRC-linked cyber actors have built an expansive botnet by compromising edge devices such as routers, firewalls, IP cameras and other IoT gadgets, and have used it to conduct DDoS attacks and to route other malicious activity through victims' devices.
These actors, tracked under names such as Flax Typhoon, leverage compromised devices to conduct Distributed Denial of Service (DDoS) attacks, proxy and obscure the origin of their own traffic, and potentially stage more aggressive future operations. With more than 260,000 compromised devices worldwide as of June 2024, according to the advisory, this is no small issue; it is a systemic problem with implications for individual security and global stability.
The Landscape of Compromised Devices
What Are Edge Devices and Why Are They Vulnerable?
Edge devices are hardware that handles traffic at the boundary between two networks: routers, VPN gateways, firewalls and the many IoT devices that sit directly on the internet. They are built to be "plug-and-play", optimized for easy installation, and they frequently lack robust security features, ship with weak defaults and are rarely monitored once installed. Their convenience is also their Achilles' heel.
In the rush to create smart homes and connected offices, the security of these devices has often been treated as an afterthought. The underlying problems are weak or unauthenticated management protocols, default passwords, exposed administrative interfaces and outdated or end-of-life firmware. According to JUMPSEC's recent analysis, the lack of default security in such devices turns them into prime candidates for botnet campaigns like those orchestrated by PRC-backed actors.
A Case Study: The PRC-Linked “Oriole” Campaign
One ongoing example of PRC-linked cyber activity is the "Oriole" campaign, which leverages compromised edge devices to build a botnet aimed at enterprise networks worldwide. Its apparent goals are intelligence gathering, positioning for future exploitation and possibly laying the groundwork for geopolitical disruption.
What makes "Oriole" especially concerning is how many uses a botnet of this size can be put to. Whether the aim is financial gain, through cryptomining or malware distribution, or strategic objectives such as DDoS disruption or anonymised access to targets, botnets are versatile tools in a cyber actor's arsenal. That range of motivations means nearly anyone is at risk, from individuals with insecure home networks to multinational corporations.
Mirai: The Dark Legacy
The malware used to recruit these devices into the botnet is derived from the notorious Mirai source code. First seen in 2016, Mirai was behind some of the largest DDoS attacks in history, and its source code was published online later that year, which is why Mirai variants have proliferated ever since. The PRC-linked actors have built on that code, adding exploits for known vulnerabilities in specific edge-device models to expand their reach.
Flax Typhoon and Living Off the Land
Interestingly, not all PRC-linked groups rely on custom malware. Microsoft observed that Flax Typhoon, a group targeting Taiwanese organizations, relies primarily on "living-off-the-land" techniques: legitimate administrative tools and built-in operating-system functionality, which makes detection and mitigation particularly challenging because the activity blends in with normal administration. Rather than deploying a large malware toolkit, these actors repurpose tools already present on the systems they compromise, a bit like turning someone's own toolshed against them.
The Human Angle: Why Should You Care?
For many readers, the idea of state-sponsored actors using botnets might evoke a detached sense of concern—after all, aren’t governments and corporations the real targets? But remember, many of these compromised devices are ordinary home routers and IoT gadgets. Each of those devices belongs to someone—perhaps a family, a small business, or a school.
The more compromised devices in our neighborhoods, the greater the potential for collateral damage when a DDoS attack happens or when a botnet is leveraged for other malicious activities. It’s a bit like leaving your window open while you sleep. You might be fine tonight, but your neighbor might end up getting robbed—thanks to the vulnerability you’ve allowed to persist.
The Legislative Response: The UK’s Product Security and Telecommunications Infrastructure Act
Recognizing the scale of this issue, the UK introduced the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, whose product security regime came into force on 29 April 2024. It sets baseline requirements that manufacturers of consumer-connectable devices must meet: no universal default passwords, a published point of contact for reporting vulnerabilities, and transparency about the minimum period for which the product will receive security updates. Such legislative moves mark an important step in tackling the issue, although effective enforcement remains a challenge.
Key Strategies for Mitigation: What Can Organizations Do?
To avoid turning your network into a weapon for someone else, it's critical to employ strong mitigation tactics. The advisory from the FBI, NSA and their partners offers some practical guidance:
1. Patch and Update Regularly
The simplest yet most neglected security measure is keeping devices up to date. Many of the compromised devices were running outdated firmware, and some had reached end of life and would never receive a fix. Enable automatic updates where the device supports them, and replace equipment the vendor no longer supports.
2. Network Segmentation
Network segmentation keeps a compromised device from becoming a foothold into everything else. Put IoT devices, cameras and printers on their own VLAN with a default-deny policy toward business systems, so that if a sensor or webcam falls to an attacker, they cannot simply hop across to file servers and workstations.
3. Disable Unnecessary Features
Many routers and IoT devices expose features such as Universal Plug and Play (UPnP), which lets devices on the LAN open inbound ports on the router without any authentication, and remote (WAN-side) administration interfaces. Disable these, and any other unused services and ports, unless they are absolutely necessary; every service you turn off is attack surface an attacker no longer gets.
4. Use Strong, Unique Passwords
Default passwords remain a favorite attack vector, and Mirai-style malware still logs in with lists of factory credentials. Use strong, unique passwords for each device's administrative interface, and enable multi-factor authentication where it is available.
5. Scheduled Device Reboots
Sometimes the simplest fixes are the most effective. The implant used by this botnet is largely fileless and lives in memory, so a reboot removes it from the device; the advisory therefore recommends planning periodic reboots. It is not a silver bullet: an unpatched, exposed device can be reinfected quickly, so reboots only buy time until the device is patched, hardened or replaced.
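The advisory also asks defenders to watch for the traffic an infected device produces. The following is an added example written for this article, not code from the advisory or from any of the vendors mentioned: it parses a handful of constructed flow records and flags two things a Mirai-style bot does, namely probing many distinct hosts on the telnet ports (23 and 2323) that the original Mirai scanner brute-forces, and reaching from the IoT segment into the business segment, which is exactly what segmentation is supposed to stop. The log format, the address ranges (10.20.0.0/16 for IoT, 10.10.0.0/16 for corporate) and the scan threshold are all assumptions for the example.

```python
"""Added example for this article: spot Mirai-style telnet scanning and IoT-to-corporate
segmentation violations in flow records. Not tooling from the advisory; the log format,
the VLAN ranges and the threshold below are assumptions made for the example."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# TCP ports the original Mirai scanner brute-forces for telnet logins
TELNET_PORTS = {23, 2323}
# distinct destinations on those ports before a host is reported as a scanner (assumed tuning value)
SCAN_THRESHOLD = 20
IOT_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed IoT VLAN
CORP_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed corporate VLAN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed format '<ts> <src> -> <dst>:<port> <proto> <bytes>'."""
    _ts, src, _arrow, dst, proto, nbytes = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src, dst_ip, int(dst_port), proto.lower(), int(nbytes))


def find_telnet_scanners(flows, threshold: int = SCAN_THRESHOLD) -> dict:
    """Return {src: distinct_destinations} for hosts that probed >= threshold distinct
    destinations on the Mirai telnet ports. A single device talking to one telnet host is
    not interesting; dozens of distinct targets is scanning behaviour."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            targets[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_segment_violations(flows, iot_net=IOT_NET, corp_net=CORP_NET) -> list:
    """Return (src, dst, dport) for flows initiated from the IoT segment into the corporate
    segment. Corporate-to-IoT flows (e.g. printing) are the allowed direction and are not flagged."""
    hits = []
    for f in flows:
        if ipaddress.ip_address(f.src) in iot_net and ipaddress.ip_address(f.dst) in corp_net:
            hits.append((f.src, f.dst, f.dport))
    return hits


# Constructed sample log: an IP camera in the IoT VLAN behaving like a Mirai bot.
SAMPLE_LINES = []
for i in range(25):  # 25 probes to distinct internet hosts on TCP/23
    SAMPLE_LINES.append(f"2024-09-18T10:00:{i:02d}Z 10.20.0.55 -> 203.0.113.{i + 1}:23 tcp 60")
for i in range(5):   # 5 more on TCP/2323
    SAMPLE_LINES.append(f"2024-09-18T10:01:{i:02d}Z 10.20.0.55 -> 198.51.100.{i + 1}:2323 tcp 60")
SAMPLE_LINES += [
    # the same camera reaching for SMB on a corporate host: a segmentation violation
    "2024-09-18T10:02:00Z 10.20.0.55 -> 10.10.0.20:445 tcp 1200",
    # benign traffic: a printer doing HTTPS and NTP, a laptop browsing and printing
    "2024-09-18T10:02:05Z 10.20.0.9 -> 192.0.2.10:443 tcp 5400",
    "2024-09-18T10:02:06Z 10.20.0.9 -> 192.0.2.11:123 udp 76",
    "2024-09-18T10:02:07Z 10.10.0.4 -> 192.0.2.12:443 tcp 88000",
    "2024-09-18T10:02:08Z 10.10.0.4 -> 10.20.0.9:631 tcp 3000",
]
FLOWS = [parse_flow(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for src, count in find_telnet_scanners(FLOWS).items():
        print(f"ALERT telnet scanning: {src} probed {count} distinct hosts on ports {sorted(TELNET_PORTS)}")
    for src, dst, dport in find_segment_violations(FLOWS):
        print(f"ALERT segmentation violation: IoT host {src} -> corporate {dst}:{dport}")
```

On real data you would feed NetFlow/IPFIX or firewall logs in place of the constructed lines and tune the threshold to your environment; the point is that an infected edge device announces itself through who it talks to, not through anything visible on the device itself.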
Challenging the Narrative: Is Edge Device Security the Wrong Focus?
While the advisories emphasize securing edge devices and implementing network-level mitigations, a broader question arises: Are we overly focused on securing individual devices, while ignoring the systemic problem?
The truth is that manufacturers still fail to deliver secure products, leaving the burden of cybersecurity on users who may lack the expertise or time to take proper precautions. Governments are playing catch-up with legislation such as the IoT Cybersecurity Improvement Act of 2020 in the U.S., which only sets standards for devices the federal government itself buys, and the UK's PSTI Act. Enforcement has been slow, and the scope of these regulations remains limited.
Instead, more effort should perhaps go into empowering ISPs to manage threats. ISPs already see the scanning and DDoS traffic that infected devices generate; if they could enforce network-level controls for vulnerable edge devices, many of these issues could be contained before they reached end users. This sort of "internet security from the core outwards" would alleviate the burden on individuals and businesses alike.
FAQs
What is an Edge Device?
Edge devices are physical hardware that connect internal networks with external ones. Common examples include routers, VPN endpoints, and IoT devices.
Why Are Edge Devices Targeted by Botnets?
They’re popular targets because they often lack strong default security and are deployed with minimal user intervention, meaning they’re less likely to be updated.
What is the Mirai Botnet?
Mirai is malware that scans the internet for exposed devices, logs in with factory-default credentials and turns them into remotely controlled "bots." These bots are used to execute large-scale network attacks, primarily DDoS.
Who is Flax Typhoon?
Flax Typhoon is a PRC nation-state threat actor that has mostly targeted Taiwanese organizations, relying on legitimate software and built-in tools to remain undetected.
What Should I Do to Secure My Devices?
Basic steps include updating firmware and replacing end-of-life devices, changing default passwords, disabling UPnP and remote administration you do not need, segmenting networks, and scheduling device reboots.
Conclusion: Securing Our Connected Future
It’s time to accept that every connected device—from your Wi-Fi-enabled refrigerator to your office’s VPN gateway—is part of a larger ecosystem. To secure the whole, we must secure the parts. As the NSA and allies have pointed out, no one is immune from these botnets. Simple, consistent efforts can ensure that your devices aren’t unknowingly recruited into a botnet army.
To stay ahead of these threats, subscribe to our blog and join the Guardians of Cyber community. Let’s work together to make sure that while our homes and offices get smarter, our cybersecurity grows smarter too.