Three years to react “firmly”, in the modern world, is too slow. That’s what yesterday’s European sanctions against a number of Chinese and Iranian entities illustrate. (Illustration photo: Shutterstock)

Three years after Microsoft published a very precise study of how a group of Chinese hackers, reputedly close to Beijing, was threatening infrastructure across the globe, the EU has (finally) placed them on the list of sanctioned entities and individuals. The documents show no particular trace of them in Luxembourg, but they were very present in Germany.

An internet router in a living room, a surveillance camera in a shop or a connected hard drive in an office. These everyday devices can be remotely transformed into computer attack tools. This is precisely what suspected actors linked to China have done, compromising thousands of connected devices to create a global infrastructure for cyber attacks.

According to an initial alert from Microsoft in May 2023 and a joint alert published in 2024 by several Western security agencies, including the FBI and NSA, these hackers infiltrated home routers, networked storage devices and other connected objects to build a vast network of hacked devices. Once compromised, these devices become relays controlled remotely by the attackers, capable of launching computer attacks or masking the origin of other malicious operations.

This type of infrastructure, known as a botnet, functions like an army of hijacked machines. Each hacked device executes instructions sent by the network operators, making it possible to coordinate large-scale computer attacks or penetrate other systems. In the case identified by the US authorities, this network included more than 260,000 compromised devices spread across several continents.

A flurry of judicial and police proceedings

Technical investigations by the US authorities led to the identification of a Chinese company, Integrity Technology Group, accused of having controlled and managed this infrastructure since 2021. In particular, investigators established that the servers used to drive this botnet enabled hacked devices to be directed and various cyber operations to be launched.

These activities were also associated with a group of cyber actors known by several names in the cybersecurity industry, including Flax Typhoon, suspected of being linked to the Chinese cyber operations ecosystem. The compromised devices could be used to conduct denial-of-service attacks, disguise the origin of cyber operations or serve as relays to penetrate targeted networks.

In response to this threat, the US authorities have launched several legal and technical operations to disrupt the network infrastructure. Washington has also begun sanctioning entities and individuals involved in these activities under its legal framework targeting malicious cyber attacks.

More than 65,000 devices in six Member States between 2022 and 2023

Several years after these operations were identified, the European Union has decided to take action. On Monday 16 March, the Council of the European Union announced sanctions against three entities and two individuals involved in cyber attacks targeting EU Member States and partners.

Organisations targeted include Integrity Technology Group, accused of providing tools to compromise connected devices in Europe and around the world. According to the Council, these technologies contributed to the hacking of more than 65,000 devices in six Member States between 2022 and 2023.

A second Chinese company, Anxun Information Technology, has also been placed on the EU sanctions list for providing hacking services targeting critical infrastructure and functions. The two Chinese nationals sanctioned are the co-founders of this company and were allegedly involved in these operations. The measures adopted by the European Union include the freezing of assets held in the EU and a ban on entry to European territory for the individuals concerned.