Chinese Espionage Network ‘Raptor Train’ Exploits IoT Devices in Massive Botnet Operation

Researchers at Lumen Technologies have uncovered a large botnet operation, code-named Raptor Train, orchestrated by the Chinese cyberespionage group Flax Typhoon. Unlike most botnets, this one has recruited over 200,000 routers, IP cameras, and network storage devices, building an extensive network aimed directly at military and government entities in the U.S. and Taiwan. The scale of this operation is enormous, and since its launch in May 2020, it has continued to expand, with no signs of slowing down.


Behind the Botnet

What makes this botnet particularly concerning is its multi-tiered structure. At the lowest level (Tier 1), everyday devices like routers, IP cameras, and network storage units aren’t just passive tools—they’re actively helping maintain the botnet’s integrity. These compromised devices perform tasks like data relay and sustaining the botnet’s communications. Moving up to Tier 2, servers are responsible for handling exploits, managing botnet activity, and directing traffic across infected nodes. The top level (Tier 3) operates through a cross-platform control app called Sparrow, which allows the attackers to execute commands in real time, transfer files between compromised devices, and, although this capability has not yet been observed in use, launch DDoS attacks. This layered approach demonstrates the technical sophistication of the operation and the attackers’ ability to maintain and scale the botnet without significant disruption.


Nosedive Malware: Stealthy and Dynamic Operations

The malware behind Raptor Train is equally worrisome. Lumen’s research team, Black Lotus Labs, discovered a custom version of the infamous Mirai malware, which they have named Nosedive. This malware is exceptionally stealthy. It resides in the device’s memory, erasing traces of itself from the hard drive to avoid detection. Even more troublesome is the dynamic nature of the botnet—compromised devices rotate in and out of the network regularly. On average, a device like a router might remain part of the botnet for just 17 days before being swapped out for a new victim. This constant rotation makes it challenging for defenders to isolate and eliminate threats, as the infected devices are frequently changing, and the attackers can quickly replace lost assets.


Exploiting Known Vulnerabilities in Consumer and Enterprise Devices

One of the primary factors behind the botnet’s rapid spread is the exploitation of known vulnerabilities in widely used devices. The attackers are focusing on common consumer brands, such as ASUS and Mikrotik routers and Hikvision and Panasonic IP cameras, as well as enterprise-level products like Atlassian Confluence servers and Ivanti Connect Secure appliances. In some cases, they’re using zero-day vulnerabilities to compromise the devices, while in others, they’re taking advantage of well-known security flaws that users have not patched. This highlights a critical issue: despite the availability of security updates, many users neglect to apply them, leaving their devices exposed to such threats.


U.S. Government Response and the Link to Chinese State-Sponsored Activity

In response to the growing threat, the U.S. government has stepped in. A joint advisory from the FBI, CNMF, and NSA has named a Chinese company, Integrity Technology Group, as responsible for managing the botnet’s operations. Investigators have traced much of the botnet’s command structure back to China Unicom’s Beijing Province Network, further linking the operation to Chinese state-sponsored activity. Despite these efforts, the constant rotation of infected devices complicates the task of dismantling the botnet, meaning it could take time before significant progress is made.


The Urgent Need for IoT Security and Patching

Raptor Train serves as a stark reminder of the evolving tactics used by nation-state actors. By weaponizing IoT devices—items that most people don’t even consider computers—these attackers are gaining footholds in critical infrastructure systems, with potentially devastating consequences. The need to prioritize patching and securing IoT devices has never been more urgent. Many of these devices are deployed in homes and businesses, often with little thought given to their security, but their compromise could enable future espionage or disruption efforts on a much larger scale.


How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact
