Chinese Botnet Targets US Critical Infrastructure and Taiwan
A Chinese state-sponsored botnet called Raptor Train has infected more than 260,000 IoT and office network devices to target critical infrastructure globally. The hackers used zero-days and known vulnerabilities to compromise more than 20 different types of devices to expand their botnet.
Raptor Train, a botnet linked to the Chinese threat actor Flax Typhoon, remained hidden for years, said Louisiana-based Lumen Technologies’ threat intelligence group, Black Lotus Labs, in a report.
Raptor Train began operations in May 2020, comprising routers, modems, IP cameras, NAS servers and NVR/DVR devices. It has since grown into one of the largest known Chinese state-sponsored IoT botnets, affecting military, government, telecommunications, defense industrial base and higher education entities in the U.S. and Taiwan.
At its peak in June 2023, Raptor Train actively compromised over 60,000 devices. By mid-2023, the botnet had ballooned to over 200,000 infected networking devices, and the latest estimates suggest it now controls over 260,000 devices.
Black Lotus Labs’ report said the botnet has a sophisticated command-and-control infrastructure, managed through an enterprise-grade control system known as Sparrow, which is capable of overseeing a large volume of compromised nodes while automating tasks such as vulnerability exploitation, remote command execution and data collection.
The botnet’s primary implant, named Nosedive, is a custom variant of the Mirai malware, designed to target devices with known vulnerabilities. These infections remain memory-resident, making them difficult to detect and more resilient to traditional defenses.
Operators of Raptor Train manage their network using a multitiered approach: Tier 1 devices are consumer-grade hardware, while Tier 2 and Tier 3 nodes consist of dedicated servers that oversee payload distribution, exploit management and botnet command execution.
The operators use more than 20 different device types to expand their botnet, leveraging zero-days and known vulnerabilities. Affected devices are products of well-known manufacturers such as TP-Link, ASUS, DrayTek, Zyxel, Hikvision and Synology.
The large, ever-changing pool of devices ensures that the botnet remains robust even without a persistence mechanism, as compromised devices typically stay active for an average of 17 days before being replaced by new ones.
Raptor Train’s operators, most likely based in China, have been observed managing Tier 2 nodes via Secure Shell connections during Chinese working hours. These connections, facilitated by Sparrow management nodes, enable threat actors to collect bot data, issue commands and exploit vulnerabilities.
Tier 3 nodes, based in Hong Kong and mainland China, provide a consistent command structure, and operators interact with their network around the clock using an advanced control interface named Node Comprehensive Control Tool v1.0.7.
Although there has been no confirmed distributed denial-of-service attack from Raptor Train, Black Lotus Labs warns that this capability likely remains available to the botnet operators.
With its ability to scale DDoS attacks and exploit vulnerabilities across vast numbers of devices, Raptor Train could be a formidable tool for disruptive operations in the future, Black Lotus Labs said.
Researchers discovered Raptor Train through their monitoring of malicious activity in mid-2023, which led to a more in-depth investigation into the botnet’s infrastructure. Lumen has since taken steps to neutralize portions of the botnet, including null-routing traffic associated with known C2 servers and payload distribution points.
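The null-routing described above is something a network defender can replicate at the scale of a single IoT segment: match outbound flows against a blocklist of known C2 and payload-distribution hosts, identify the internal devices that talked to them, and render blackhole routes for the blocklisted addresses. The script below is an added example and is not code from Lumen, Black Lotus Labs or the report; the blocklist addresses, the flow records and the internal host addresses are all constructed placeholders from documentation ranges, not real indicators. Because the Nosedive implant is memory-resident, a device flagged here is a candidate for a reboot followed by patching of the vulnerability that let it be compromised, otherwise it will likely be re-enrolled.

```python
"""Flow-log triage of an IoT segment against a known-C2 blocklist.

Added example, not from the Black Lotus Labs report. It mirrors the
mitigation the article describes (null-routing traffic to known C2 and
payload-distribution hosts) for a single network. Every IP address and
log line below is a constructed placeholder, not a real indicator.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Placeholder blocklist (documentation-range addresses). In practice a
# defender would populate this from a threat-intelligence or ISAC feed.
BLOCKLIST = {
    "203.0.113.10": "c2",
    "203.0.113.11": "c2",
    "198.51.100.7": "payload",
}

# Constructed flow records: "timestamp src_ip dst_ip dst_port bytes".
# 10.20.0.31 reaches both a C2 host and a payload host; 10.20.0.12 is benign.
SAMPLE_FLOWS = """\
2024-09-18T01:14:02Z 10.20.0.31 203.0.113.10 443 1820
2024-09-18T01:14:05Z 10.20.0.31 203.0.113.10 443 960
2024-09-18T01:20:44Z 10.20.0.58 198.51.100.7 80 218944
2024-09-18T01:22:10Z 10.20.0.12 192.0.2.55 443 4100
2024-09-18T01:30:00Z 10.20.0.31 198.51.100.7 80 201112
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse the whitespace-separated flow format used by SAMPLE_FLOWS."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        # Validate addresses so a garbled line raises instead of silently passing.
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def find_suspect_hosts(flows, blocklist=BLOCKLIST):
    """Map each internal host to the set of blocklist categories it contacted."""
    hits = defaultdict(set)
    for f in flows:
        if f.dst in blocklist:
            hits[f.src].add(blocklist[f.dst])
    return dict(hits)


def prioritise(hits):
    """Order suspect hosts: contact with more indicator categories first.

    A host that both beaconed to C2 and fetched from a payload server is a
    stronger signal than a single match; ties are broken by address.
    """
    return sorted(
        ((host, len(cats)) for host, cats in hits.items()),
        key=lambda item: (-item[1], ipaddress.ip_address(item[0])),
    )


def blackhole_commands(blocklist=BLOCKLIST):
    """Render Linux 'ip route' blackhole entries for each blocklisted host.

    Rendering rather than executing keeps the example runnable without
    root; an operator reviews and applies these (or the router equivalent).
    """
    return [
        f"ip route add blackhole {ip}/32"
        for ip in sorted(blocklist, key=ipaddress.ip_address)
    ]


if __name__ == "__main__":
    hits = find_suspect_hosts(parse_flows(SAMPLE_FLOWS))
    for host, score in prioritise(hits):
        print(f"{host}: {score} indicator categor{'y' if score == 1 else 'ies'} "
              f"({', '.join(sorted(hits[host]))})")
    print("\n".join(blackhole_commands()))
```

Blackholing the known C2 and payload hosts cuts the current infection off from its controllers, but the article's point about churn applies equally here: the operators replace bots on average every 17 days, so the blocklist needs the same refresh cadence, and the flagged devices need patching, not just a route change.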
Lumen Technologies also shared intelligence with U.S. government agencies to bolster defenses against this botnet.