Chinese State-Sponsored Hackers Operated Massive IoT Botnet for Four Years

A sophisticated China-linked IoT botnet, Raptor Train, compromised over 260,000 devices across critical sectors in the U.S. and Taiwan

By Al Landes



Key Takeaways

  • The Raptor Train botnet, linked to a Chinese state-sponsored group, compromised over 260,000 IoT devices across critical sectors in the U.S. and Taiwan for four years.
  • The U.S. government took action to disrupt the botnet through a court-authorized law enforcement operation, with the FBI seizing control of the threat actor’s infrastructure.
  • To mitigate risks from similar threats, it is crucial to implement strong cybersecurity measures, such as disabling unused services and ports, applying regular updates, and using unique passwords.

A sophisticated network of over 260,000 compromised IoT devices, dubbed the Raptor Train botnet, has been operating undetected for four years. Linked to a Chinese nation-state threat actor, this botnet poses significant security risks to critical sectors in the U.S. and Taiwan.

The discovery of the Raptor Train botnet reveals the alarming scale and duration of its operation. Active from May 2020 to the present, the botnet has infected a wide range of devices, including routers, IP cameras, DVRs, and NAS devices from a variety of manufacturers.

Flax Typhoon, also known as Ethereal Panda or RedJuliett, is the threat actor behind this botnet, as reported by Ars Technica. With alleged ties to the Chinese government, Flax Typhoon built a three-tiered architecture to maintain control over the compromised devices.

According to The Hacker News, at the heart of the botnet is a custom variant of the Mirai malware called Nosedive. This malware allows the threat actors to execute commands, upload and download files, and launch devastating DDoS attacks from the infected devices.

The impact of the Raptor Train botnet is far-reaching, with targeted sectors including military, government, higher education, telecommunications, the defense industrial base, and IT, as reported by SecurityWeek. The majority of the compromised devices are located in the United States, followed by Vietnam, Germany, Taiwan, Brazil, Hong Kong, and Turkey.

Since mid-2020, the botnet has evolved through four distinct campaigns: Crossbill, Finch, Canary, and Oriole. Each campaign has showcased the threat actors’ ability to adapt their tactics, such as employing multi-layered infection chains to evade detection.

The operation of the Raptor Train botnet has been linked to Integrity Technology Group, a Beijing-based company acting at the direction of the Chinese government. This attribution highlights the growing concern over state-sponsored cyber threats.

In a significant development, the U.S. government has taken action to disrupt the botnet through a court-authorized law enforcement operation. By taking control of the threat actor’s infrastructure, the FBI has issued commands to disable the malware on infected devices.

The security implications of the Raptor Train botnet cannot be overstated. Organizations and individuals must take proactive measures to mitigate the risks posed by such threats. Recommendations include disabling unused services and ports, implementing network segmentation, and regularly updating and patching devices.

