FORT MEADE, Md. - The National Security Agency (NSA) joins the Federal Bureau of Investigation (FBI), the United States Cyber Command’s Cyber National Mission Force (CNMF), and international allies in releasing new information about People’s Republic of China (PRC)-linked cyber actors who have compromised internet-connected devices worldwide to create a botnet and conduct malicious activity.
The Cybersecurity Advisory (CSA) released by the agencies, “People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations,” highlights the threat posed by these actors and their botnet, a network of compromised nodes positioned for malicious activity.
“The botnet incorporates thousands of U.S. devices with victims in a range of sectors,” said Dave Luber, NSA Cybersecurity Director. “The advisory provides new and timely insight into the botnet infrastructure, the countries where compromised devices are located, and mitigations for securing devices and eliminating this threat.”
Device vendors, owners, and operators are encouraged to update and secure their devices – particularly older devices – from being compromised and joining the botnet. Cybersecurity companies are also urged to use the CSA to help identify malicious activity.
Compromised internet-connected devices include small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and Internet of Things (IoT) devices, such as webcams, DVRs, and IP cameras. The actors create a botnet from these devices, which can be used to conceal their online activity, launch distributed denial of service (DDoS) attacks, or compromise U.S. networks.
As of June 2024, the botnet consisted of over 260,000 devices in North America, Europe, Africa, and Southeast Asia, according to the CSA.
NSA is releasing this joint advisory to help National Security Systems, Department of Defense, and Defense Industrial Base networks mitigate these cyber threats. The authors of the CSA recommend the following mitigations:
- Regularly apply patches and updates, using automatic updates from trusted providers when available.
- Disable unused services and ports, such as automatic configuration, remote access, or file sharing protocols, which threat actors may abuse to gain initial access or to spread malware to other networked devices.
- Replace default passwords with strong passwords.
- Implement network segmentation with the principle of least privilege to ensure IoT devices within a larger network pose known, limited, and tolerable risks.
- Monitor for high network traffic volumes to detect and mitigate DDoS incidents.
- Plan for device reboots to remove non-persistent malware.
- Replace end-of-life equipment with supported devices.
Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721