ZDNet reports that Chinese law enforcement authorities have arrested a criminal group that ran a botnet of more than 200,000 infected sites and used it for DDoS attacks. This is the first large-scale operation by the Chinese authorities against a major DDoS platform, and the largest DDoS botnet that local authorities have ever shut down.
Back in 2016, when the source code of the Mirai malware leaked online, Chinese hackers began building huge botnets en masse and then leasing them to other users through dedicated services. In 2017, Cisco Talos noted that the rental market for such botnets in China was growing rapidly. At the time, the researchers wrote that the Chinese authorities, who paid no attention to this activity, were also to blame.
Soon after, Chinese botnet operators began to broaden their horizons. They stopped relying solely on infecting IoT devices with Mirai and began exploiting vulnerabilities in web servers and frameworks to take over vulnerable systems. As a result, DDoS botnets became an even greater threat.
Inevitably, the moment came when the Chinese authorities could no longer ignore what was happening. The operation against the botnet began in August 2018. According to local media, police in Jiangsu province were notified of a large number of hacked servers on the Xuzhou Telecom network. These servers had been infected with backdoors that allowed the attackers to control them remotely. The subsequent investigation identified a botnet that exploited vulnerabilities to inject malicious code into more than 200,000 sites, including numerous Chinese portals and government resources.
Now, more than a year later, Chinese police have arrested 41 suspects in 20 cities, including the two botnet operators, and have confiscated 10 million yuan ($1.4 million) from the suspects.
It turned out that the botnet was also used to send spam via the hacked sites, display malicious ads, and mine cryptocurrency. According to local media reports, however, the botnet's main purpose remained DDoS attacks, some of which reached 200 Gbps.