The Federal Bureau of Investigation (FBI), along with cybersecurity researchers, has dismantled a massive China-linked botnet dubbed ‘Raptor Train’. The botnet supported attacks on critical infrastructure, military, government, higher education, telecommunications, defense industrial base (DIB), and IT sector targets mainly in the U.S. and Taiwan.
The botnet consisted of 260,000+ compromised small office/home office (SOHO) and consumer devices which were susceptible to more than 20 different zero-day and n-day vulnerabilities. This large botnet—including routers, DVRs, IP cameras, and network-attached storage (NAS) devices—required a control system that authorities described as “enterprise-grade,” consisting of dozens of servers.
The researchers involved in the take-down attribute Raptor Train, with medium to high confidence, to the Chinese state-sponsored cyber group known as Flax Typhoon.
This assessment was based on the botnet’s targets aligning with Chinese interests, the Chinese language used in the codebase and infrastructure, as well as the overlapping of various tactics, techniques, and procedures previously associated with Flax Typhoon. Additionally, it was observed that management connections made via SSH to the botnet occurred “almost exclusively” during Chinese working hours.
Source: Bleeping Computer
Analysis
The FBI is growing adept at identifying and dismantling botnets used by Chinese state-sponsored cyber groups to support cyberattacks on U.S. and allied entities.
In February 2024, the FBI disrupted the KV-botnet, consisting of thousands of SOHO routers, that was used by the China-linked threat actor Volt Typhoon. KV-botnet was used to obscure Volt Typhoon's origin by transmitting encrypted traffic between the infected SOHO routers, anonymizing their activities by blending their malicious traffic with benign internet traffic.
These takedown operations reflect how serious the U.S. takes Chinese efforts to identify, degrade, or destroy critical infrastructure should tensions heighten between the two nations. Not only does the takedown deny Flax Typhoon a valuable tool for its malicious cyber activities, but serves as a warning to China that the U.S. is aware of its activities and will take action to mitigate the threat they pose.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including groups sponsored by China. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages users to enable automatic updates for SOHO devices to ensure they are patched. Additionally, users are reminded to make sure these devices are configured properly (e.g. restricting external access to management interfaces, disabling unnecessary services) and use strong passwords. Devices that have reached end-of-life status should be replaced as soon as possible.
Related Articles