
Massive China-state IoT botnet went undetected for four years—until now

75% of infected devices were located in homes and offices in North America and Europe.

by · Ars Technica

The FBI has dismantled a massive network of compromised devices that Chinese state-sponsored hackers have used for four years to mount attacks on government agencies, telecoms, defense contractors, and other targets in the US and Taiwan.

The botnet was made up primarily of small office and home office routers, surveillance cameras, network-attached storage, and other Internet-connected devices located all over the world. Over the past four years, US officials said, 260,000 such devices have cycled through the sophisticated network, which is organized in three tiers that allow the botnet to operate with efficiency and precision. At its peak in June 2023, Raptor Train, as the botnet is named, consisted of more than 60,000 commandeered devices, according to researchers from Black Lotus Labs, making it the largest China state botnet discovered to date.

Burning down the house

Raptor Train is the second China state-operated botnet US authorities have taken down this year. In January, law enforcement officials covertly issued commands to disinfect Internet of Things devices that hackers backed by the Chinese government had taken over without the device owners’ knowledge. The Chinese hackers, part of a group tracked as Volt Typhoon, used the botnet for more than a year as a platform to deliver exploits that burrowed deep into the networks of targets of interest. Because the attacks appear to originate from IP addresses with good reputations, they are subjected to less scrutiny from network security defenses, making the bots an ideal delivery proxy. Russia-state hackers have also been caught assembling large IoT botnets for the same purposes.

An advisory jointly issued Wednesday by the FBI, the Cyber National Mission Force, and the National Security Agency said that China-based company Integrity Technology Group controlled and managed Raptor Train. The company has ties to the People's Republic of China, officials said. The company, they said, has also used the state-controlled China Unicom Beijing Province Network IP addresses to control and manage the botnet. Researchers and law enforcement track the China-state group that worked with Integrity Technology as Flax Typhoon. More than half of the infected Raptor Train devices were located in North America and another 25 percent in Europe.

[Figure: Raptor Train concentration by continent. Source: IC3.gov]
[Figure: Raptor Train concentration by country. Source: IC3.gov]

"Flax Typhoon was targeting critical infrastructure across the US and overseas, everyone from corporations and media organizations to universities and government agencies," FBI Director Christopher Wray said Wednesday at the Aspen Cyber Summit. "Like Volt Typhoon, they used Internet-connected devices, this time hundreds of thousands of them, to create a botnet that helped them compromise systems and exfiltrate confidential data." He added: "Flax Typhoon's actions caused real harm to its victims who had to devote precious time to clean up the mess."

Wray said law enforcement agents sought and executed court-authorized operations that took control of the Raptor Train infrastructure. Like the operation in January, it worked by identifying compromised devices and surreptitiously issuing commands that disinfected them of the Raptor Train malware.

"When the bad guys realized what was happening, they tried to migrate their bots to new servers and even conducted a DDoS attack against us," Wray said. "Working with our partners, we were able to not only mitigate their attack but also identify their new infrastructure in just a matter of hours. At that point, as we began pivoting to their new servers, we think the bad guys finally realized it was the FBI and our partners that they were up against, and with that realization they essentially burned down their new infrastructure and abandoned their botnet."

Operating at scale

Black Lotus Labs, the security research arm of Lumen Technologies, has been tracking Raptor Train since June 2023. In an 81-page report also published Wednesday, the researchers said the botnet, four years in the making, was so large that it landed on both the Cloudflare Radar and the Umbrella Popularity List compiled by Cisco.

The heft is the result of a sophisticated, multi-tier structure that allows the botnet to operate at a massive scale. If Raptor Train were a pyramid, its bottom, largest section would be made up of Tier 1. This tier comprises home and small office devices that are infected with "Nosedive," custom malware that's based on Mirai, a family of IoT-optimized malware that delivered record-setting DDoSes when it burst on the scene in 2016 and was released as open source that same year.

Many of the devices Nosedive has infected are end-of-life, meaning they no longer receive security patches when vulnerabilities are found in them. Other devices appear to be newer, Black Lotus Labs said, an indication that Flax Typhoon may be exploiting zero-days to infect them. The FBI identified more than 70 vulnerabilities Integrity Tech relied on to acquire new botnet victims and to allow botnet devices to exploit further victims. The vulnerabilities spanned the years 2019 through 2024. Black Lotus Labs found more than 20 different IoT device types infected. They include:

  • Modems/Routers: ActionTec PK5000; ASUS RT-*/GT-*/ZenWifi; TP-LINK; DrayTek Vigor; Tenda Wireless; Ruijie; Zyxel USG*; Ruckus Wireless; VNPT iGate; Mikrotik; TOTOLINK
  • IP Cameras: D-LINK DCS-*; Hikvision; Mobotix; NUUO; AXIS; Panasonic
  • NVR/DVR: Shenzhen TVT NVRs/DVRs
  • NAS: QNAP (TS Series); Fujitsu; Synology; Zyxel

Higher in the pyramid, Tier 2 consists of dedicated virtual servers that act as command-and-control servers for Tier 1 devices and also deliver exploits and payloads to them. Tier 2 and Tier 1 devices communicate using a unique URL encoding scheme and a domain injection method. They also use self-signed TLS certificates to encrypt and authenticate data. Over the past four years, the number of Tier 2 command nodes has grown steadily: from about one to five between 2020 and 2022, to 11 by mid-2023, 30 between February and March 2024, and 60 through August.

Tier 3 consisted of a small number of management nodes that ran on special software dubbed Sparrow. The nodes allowed Flax Typhoon members to manually operate Tier 2 nodes using the Secure Shell remote interface. Besides management, Tier 3 also collects data. Connections between these two tiers typically occurred during sustained periods. Those periods took place exclusively during Chinese working hours on weekdays, Black Lotus said.

In Wednesday's report, researchers wrote:

Black Lotus Labs uncovered targeting activities through this network that appeared to be concentrated on the military, government, higher education, telecommunications, defense industrial base (DIB), and information technology (IT) sectors in the US and Taiwan. For instance, in late December 2023, the botnet operators conducted extensive scanning efforts targeting the US military, US government, IT providers, and DIBs. There was also widespread, global targeting, such as a government agency in Kazakhstan, along with more targeted scanning and likely exploitation attempts against vulnerable software including Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) in the same sectors.

They went on to note that the botnet had the potential to wage enormous DDoS attacks. The researchers said they never observed any such DDoSes occurring, leading them to speculate Flax Typhoon was maintaining the capability for future use.

There is little everyday people can do to determine if their routers and other devices were targeted or infected by Flax Typhoon, which is also tracked under the names RedJuliett and Ethereal Panda. Device owners should routinely check for available security patches and install them when found. Another useful practice is to reboot the devices every week or so, or more frequently if practical. Nosedive, like the vast majority of other IoT malware, resides solely in memory, and therefore can't persist once a device restarts. More technically experienced people can use the tables listing indicators of compromise at the end of the FBI advisory and Black Lotus Labs report.