A massive IoT botnet comprising over 200,000 compromised devices dubbed “Raptor Train” has been uncovered by Black Lotus Labs, the threat intelligence arm of Lumen Technologies. The botnet is believed to be operated by the Chinese state-sponsored threat actors known as Flax Typhoon.
The investigation – which began in mid-2023 – revealed a sophisticated network of small office/home office (SOHO) and IoT devices, including routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras. At its peak in June 2023, the botnet consisted of over 60,000 actively compromised devices.
“Based on the recent scale of device exploitation, we suspect hundreds of thousands of devices have been entangled by this network since its formation in May 2020,” noted Black Lotus Labs researchers.
The botnet’s infrastructure is managed through a series of distributed payload and command and control (C2) servers, a centralised Node.js backend, and a cross-platform Electron application front-end called “Sparrow”. This enterprise-grade control system enables the threat actors to manage up to 60 C2 servers and their infected nodes simultaneously.
“This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale,” the researchers explained.
While no DDoS attacks originating from Raptor Train have been observed yet, the researchers suspect this capability is being preserved for future use. The botnet has been linked to targeting US and Taiwanese entities in various sectors, including military, government, higher education, telecoms, defence industrial base (DIB), and IT.
The primary implant used on most of the Tier 1 nodes, called “Nosedive,” is a custom variation of the Mirai implant. It supports all major SOHO and IoT architectures and employs anti-forensics techniques, making detection and analysis challenging.
Black Lotus Labs has identified four distinct campaigns since Raptor Train’s inception: Crossbill (May 2020 to April 2022), Finch (July 2022 to June 2023), Canary (May 2023 to August 2023), and Oriole (June 2023 to present). Each campaign demonstrated evolving tactics and an expansion of compromised device types.
The researchers attribute the botnet to Flax Typhoon based on operational timeframes, targeting aligned with Chinese interests, use of Chinese language, and other TTP overlaps.
In response to these findings, Lumen Technologies has null-routed traffic to known infrastructure used by the Raptor Train operators and shared threat intelligence with US government agencies.
A joint cybersecurity advisory has been issued (PDF) by the FBI, Cyber National Mission Force (CNMF), and National Security Agency (NSA) that similarly assesses that “People’s Republic of China (PRC)-linked cyber actors have compromised thousands of Internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices with the goal of creating a network of compromised nodes (a “botnet”) positioned for malicious activity.”
To protect against such threats, network defenders are advised to look for large data transfers out of the network, even if the destination IP appears local. Organisations should consider implementing comprehensive secure access service edge (SASE) solutions, while consumers with SOHO routers should regularly reboot devices and install security updates.
See also: Unpatched security cameras fuel ‘Corona Mirai’ botnet surge
Want to learn about the IoT from industry leaders? Check out IoT Tech Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including Cyber Security & Cloud Expo, AI & Big Data Expo, Intelligent Automation Conference, Edge Computing Expo, and Digital Transformation Week.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.
