Inside the investigation into a giant Chinese botnet

AILSA CHANG, HOST:

The Justice Department says it has stopped Chinese hackers from weaponizing a massive army of infected devices to launch cyberattacks. NPR's Jenna McLaughlin spoke to one of the private-sector researchers who helped discover and dismantle the Chinese network.

JENNA MCLAUGHLIN, BYLINE: It all started last year. Michael Horka started sniffing around some suspicious digital activity. He works for the intelligence team at Lumen Technologies. It's a telecommunications company - a part of the internet's backbone. That gives Horka and his team a unique view of web traffic across the internet.

MICHAEL HORKA: So in mid-2023, we started an investigation into some routers we believed to be compromised.

MCLAUGHLIN: The same kind of routers that average people have at home and in their offices to connect to the internet. But once Horka started pulling on the thread, he and his team uncovered a massive zombie army of infected devices - tens of thousands of routers, modems, cameras, DVRs. They were part of what cybersecurity experts call a botnet. They called this one Raptor Train - a fast-moving chain of infected devices making different stops along the way, gobbling things up as it goes. If you're hearing this and getting worried, these hackers aren't interested in the average American's internet browsing habits, but it's still a problem. Hackers want to control a lot of devices to launch attacks elsewhere and steal sensitive information. Horka can explain.

HORKA: They're not interested in your router. They're interested in everyone's routers. They're essentially using your router to then hit, you know, a telecommunications company that they're interested in or a university that they're interested in. Like, whatever it is that they're interested in for the day, they're just using your router as a means to an end.

MCLAUGHLIN: Figuring out those ends was a bit trickier, Horka says. The botnet was impressive. It had three separate tiers - one with all the infected devices and the others built to manage and control them at will. After extensive investigating, Horka's team followed a digital trail of breadcrumbs that led back to China, specifically a group known as Flax Typhoon. Ultimately, the botnet's activities were sponsored by the Chinese state, designed to collect intelligence mostly about Taiwan and the United States.

HORKA: It was primarily targeting of military, government - there were some universities in there. There were some telecoms in there. There was some global targeting, but it was definitely heavy in U.S. and Taiwan.

MCLAUGHLIN: This Chinese hacking group, Flax Typhoon, is just one piece of the puzzle when it comes to the Chinese government's activities. According to intelligence officials and private-sector researchers, another group of Chinese hackers is lurking in American critical infrastructure. They're known as Volt Typhoon. Those hackers are preparing to launch a destructive attack, like shutting off a local power grid - something that might spark chaos or hamper the U.S. military - if China's leaders think it's necessary at some point in the future.

Overall, the U.S. government is struggling to respond to a difficult, complex problem. In the case of the Raptor Train botnet, the Justice Department has managed to disrupt its activity, at least for now, but there are still tens of thousands of vulnerable routers and cameras just waiting to be sucked up into the next botnet.

HORKA: That's a tough problem to solve. It's not one, two or even three vendors. It's, you know, 30 vendors.

MCLAUGHLIN: There are things vendors and internet service providers could do to help tackle the problem, Horka says, like automatically updating vulnerable software or no longer supporting outdated, unfixable devices, for example. In the meantime, exposing and disrupting these networks is a good place to start, Horka concludes. He's ready to keep chasing after Raptors and Typhoons.

HORKA: It helps shine a huge flashlight. We're able to push back.

MCLAUGHLIN: Jenna McLaughlin, NPR News. Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Jenna McLaughlin is NPR's cybersecurity correspondent, focusing on the intersection of national security and technology.