Chinese Spies Built Massive Botnet of IoT Devices to Target US, Taiwan Military

Black Lotus Labs estimates that more than 200,000 routers, network-attached storage servers, and IP cameras have been ensnared in the botnet.

Researchers at Lumen Technologies have eyes on a massive, multi-tiered botnet of hijacked IoT devices being commandeered by a Chinese state-sponsored espionage hacking operation.

The botnet, tagged with the moniker Raptor Train, is packed with hundreds of thousands of small office/home office (SOHO) and Internet of Things (IoT) devices, and has targeted entities in the U.S. and Taiwan across critical sectors, including the military, government, higher education, telecommunications, and the defense industrial base (DIB).

“Based on the recent scale of device exploitation, we suspect hundreds of thousands of devices have been entangled by this network since its formation in May 2020,” Black Lotus Labs said in a paper to be presented at the LABScon conference this week.

Black Lotus Labs, the research arm of Lumen Technologies, said the botnet is the handiwork of Flax Typhoon, a known Chinese cyberespionage team heavily focused on hacking into Taiwanese organizations. Flax Typhoon is notorious for its minimal use of malware and maintaining stealthy persistence by abusing legitimate software tools.

Since the middle of 2023, Black Lotus Labs has tracked the APT building the new IoT botnet, which at its height in June 2023 contained more than 60,000 active compromised devices.

Black Lotus Labs estimates that more than 200,000 routers, network-attached storage (NAS) servers, and IP cameras have been affected over the last four years, and the botnet continues to grow.

In a paper documenting the threat, Black Lotus Labs said likely exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances have originated from nodes associated with this botnet.

The company described the botnet’s command and control (C2) infrastructure as robust, featuring a centralized Node.js backend and a cross-platform front-end application called “Sparrow” that handles sophisticated exploitation and management of infected devices.


The Sparrow platform allows for remote command execution, file transfers, vulnerability management, and distributed denial-of-service (DDoS) attack capabilities, although Black Lotus Labs said it has yet to observe any DDoS activity from the botnet.

The researchers found the botnet’s infrastructure is divided into three tiers, with Tier 1 consisting of compromised devices like modems, routers, IP cameras, and NAS systems. The second tier manages exploitation servers and C2 nodes, while Tier 3 handles management through the “Sparrow” platform. 

Black Lotus Labs observed that devices in Tier 1 are regularly rotated, with compromised devices remaining active for an average of 17 days before being replaced. 

To recruit Tier 1 nodes, the attackers exploit both zero-day and known vulnerabilities in more than 20 device types. These include modems and routers from ActionTec, ASUS, DrayTek (Vigor series) and Mikrotik; IP cameras from D-Link, Hikvision and Panasonic; and NAS devices from QNAP (TS series) and Fujitsu.

In its technical documentation, Black Lotus Labs said the number of active Tier 1 nodes fluctuates constantly, which suggests the operators tolerate, and plan for, the regular loss and rotation of compromised devices.

The company said the primary malware seen on most of the Tier 1 nodes, called Nosedive, is a custom variation of the infamous Mirai implant. Nosedive is designed to infect a wide range of devices, including those running on MIPS, ARM, SuperH, and PowerPC architectures and is deployed through a complex two-tier system, using specially encoded URLs and domain injection techniques.

Once installed, Nosedive operates entirely in memory and writes no file to the device's flash storage, so a reboot removes it; this is consistent with the constant rotation of Tier 1 nodes noted above. Black Lotus Labs said the implant is particularly difficult to detect and analyze because it obfuscates the names of its running processes, uses a multi-stage infection chain, and terminates remote management processes on the device.
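The three Nosedive traits above (memory-only execution, obfuscated process names, killed remote-management daemons) are all visible from /proc on the device itself. The following triage script is an added example written for this page, not code from Black Lotus Labs or from the article; the /proc files it reads are standard Linux, while the daemon list, the tmpfs path list and the SAMPLE_PROCS process table are constructed assumptions to be tailored to the device being checked.

```python
"""Triage a Linux/BusyBox host for a memory-only, Mirai-style implant.

Added example, not code from Black Lotus Labs or from the article. It checks
the three Nosedive traits the article describes: the implant lives only in
memory, it obfuscates its process name, and it kills remote-management
daemons. The /proc files read here are standard Linux; the process table in
SAMPLE_PROCS is constructed, not taken from a real compromised device.
"""
import json
import os
import sys
from dataclasses import dataclass

# Assumption: daemons a typical SOHO router/NAS keeps running for remote
# management. Tailor this set to the device being checked.
MANAGEMENT_DAEMONS = {"telnetd", "dropbear", "sshd", "httpd", "uhttpd"}

# Assumption: paths that are tmpfs on most embedded Linux builds.
TMPFS_PREFIXES = ("/tmp/", "/dev/shm/", "/run/", "/var/run/")


@dataclass
class Proc:
    pid: int
    comm: str     # /proc/<pid>/comm, the 15-char name set by prctl(PR_SET_NAME)
    cmdline: str  # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: str      # readlink(/proc/<pid>/exe), or "" when unreadable


def inspect(p: Proc) -> list:
    """Return the reasons a single process looks like an in-memory implant."""
    reasons = []
    # Trait 1: no backing file on flash. The kernel appends " (deleted)" to the
    # exe link when the binary was unlinked after exec; memfd-based loaders
    # show up as /memfd:...; a tmpfs path means it was never on flash at all.
    if p.exe.endswith(" (deleted)") or p.exe.startswith("/memfd:"):
        reasons.append("executable not on disk: %s" % p.exe)
    elif p.exe.startswith(TMPFS_PREFIXES):
        reasons.append("executable runs from tmpfs: %s" % p.exe)
    # Trait 2: name obfuscation. Mirai-family code overwrites argv[0] and calls
    # prctl(PR_SET_NAME) with a random string, so comm, argv[0] and the exe
    # basename stop agreeing. Legitimate BusyBox applets keep comm == argv[0].
    argv0 = os.path.basename(p.cmdline.split(" ", 1)[0]) if p.cmdline else ""
    exe_base = os.path.basename(p.exe.replace(" (deleted)", ""))
    if argv0 and p.exe and p.comm not in (argv0[:15], exe_base[:15]):
        reasons.append("name mismatch: comm=%r argv0=%r exe=%r" % (p.comm, argv0, exe_base))
    return reasons


def triage(procs: list, expected: set = MANAGEMENT_DAEMONS) -> dict:
    """Flag suspicious processes and list expected daemons that are not running.

    Trait 3: Nosedive terminates remote-management processes, so a router whose
    telnetd/httpd vanished while an unnamed in-memory process runs is a strong
    signal. Absent daemons alone are only a hint (they may be disabled by design).
    """
    running = {p.comm for p in procs}
    return {
        "suspicious": {p.pid: inspect(p) for p in procs if inspect(p)},
        "missing_daemons": sorted(expected - running),
    }


def read_proc() -> list:
    """Snapshot the live process table (Linux only; root needed to read exe)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        base = "/proc/%s/" % name
        try:
            with open(base + "comm") as f:
                comm = f.read().strip()
            with open(base + "cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode("utf-8", "replace")
            try:
                exe = os.readlink(base + "exe")
            except OSError:       # kernel thread, or no permission
                exe = ""
        except OSError:           # process exited during the walk
            continue
        procs.append(Proc(int(name), comm, cmdline, exe))
    return procs


# Constructed snapshot of a BusyBox router: three benign processes and one
# unlinked binary running under a random name with a forged argv[0].
SAMPLE_PROCS = [
    Proc(1, "init", "/sbin/init", "/sbin/init"),
    Proc(211, "httpd", "httpd -p 80", "/bin/busybox"),
    Proc(340, "dropbear", "dropbear -p 22", "/usr/sbin/dropbear"),
    Proc(902, "Xk3Lp9aQ", "ifconfig -a", "/tmp/.x (deleted)"),
]

if __name__ == "__main__":
    procs = read_proc() if "--live" in sys.argv else SAMPLE_PROCS
    print(json.dumps(triage(procs, {"telnetd", "dropbear", "httpd"}), indent=2))
```

Run it without arguments to see the constructed case; `--live` walks the real /proc and needs root to resolve `exe` links. Because the implant keeps nothing on flash, the snapshot has to be taken from the running system: a forensic image of the firmware partition will look clean.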

In late December 2023, the researchers observed the botnet operators conducting extensive scanning efforts targeting the US military, US government, IT providers, and DIB organizations.

“There was also widespread, global targeting, such as a government agency in Kazakhstan, along with more targeted scanning and likely exploitation attempts against vulnerable software including Atlassian Confluence servers and Ivanti Connect Secure appliances (likely via CVE-2024-21887) in the same sectors,” Black Lotus Labs warned.
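Scanning from a botnet whose Tier 1 nodes rotate every 17 days on average looks different from a single noisy scanner: each node may send only a few probes before it is replaced, so per-source thresholds miss it. The check below, an added example written for this page and not code from the article or from Black Lotus Labs, aggregates firewall drops both per source (the loud case) and per target (many quiet sources converging on one service). The log format and the addresses in SAMPLE_LOG are constructed, using RFC 5737 documentation ranges.

```python
"""Spot single-source and distributed scanning in firewall drop logs.

Added example, not code from the original article or from Black Lotus Labs.
Two aggregations: per source (one host fanning out to many dst:port pairs) and
per target (one dst:port hit by many sources that each sent only a couple of
packets, the pattern a rotating botnet produces). Log format and addresses are
constructed; the timestamp is parsed but not used, so counts span the whole
input rather than a sliding window.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample: one loud scanner (203.0.113.7) sweeping six targets, five
# quiet sources in 192.0.2.0/24 each probing 198.51.100.30:8443 once, and a
# benign internal host (198.51.100.5) retrying one service.
SAMPLE_LOG = """\
2023-12-28T03:14:05Z src=203.0.113.7 dst=198.51.100.21 dpt=443
2023-12-28T03:14:06Z src=203.0.113.7 dst=198.51.100.22 dpt=443
2023-12-28T03:14:06Z src=203.0.113.7 dst=198.51.100.23 dpt=8443
2023-12-28T03:14:07Z src=203.0.113.7 dst=198.51.100.24 dpt=443
2023-12-28T03:14:07Z src=203.0.113.7 dst=198.51.100.25 dpt=8090
2023-12-28T03:14:08Z src=203.0.113.7 dst=198.51.100.26 dpt=443
2023-12-28T09:01:11Z src=192.0.2.10 dst=198.51.100.30 dpt=8443
2023-12-28T11:42:53Z src=192.0.2.44 dst=198.51.100.30 dpt=8443
2023-12-28T14:20:02Z src=192.0.2.71 dst=198.51.100.30 dpt=8443
2023-12-28T19:55:40Z src=192.0.2.99 dst=198.51.100.30 dpt=8443
2023-12-28T22:03:17Z src=192.0.2.130 dst=198.51.100.30 dpt=8443
2023-12-28T10:00:00Z src=198.51.100.5 dst=198.51.100.21 dpt=443
2023-12-28T10:00:30Z src=198.51.100.5 dst=198.51.100.21 dpt=443
"""


def parse(text: str):
    """Yield (src, dst, dpt) for each well-formed line; others are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def loud_scanners(events: list, min_targets: int = 5) -> dict:
    """Sources that touched at least min_targets distinct dst:port pairs."""
    targets = defaultdict(set)
    for src, dst, dpt in events:
        targets[src].add((dst, dpt))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}


def distributed_probes(events: list, min_sources: int = 4,
                       max_hits_per_source: int = 2) -> dict:
    """dst:port pairs probed by many sources that each sent only a few packets.

    A rotating botnet spreads a sweep across nodes, so the tell is fan-in on the
    target with low per-source volume; a legitimate client retrying one service
    has high per-source volume and is excluded by max_hits_per_source.
    """
    hits = defaultdict(lambda: defaultdict(int))   # (dst, dpt) -> src -> count
    for src, dst, dpt in events:
        hits[(dst, dpt)][src] += 1
    found = {}
    for (dst, dpt), by_src in hits.items():
        quiet = sorted(s for s, n in by_src.items() if n <= max_hits_per_source)
        if len(quiet) >= min_sources:
            found["%s:%d" % (dst, dpt)] = quiet
    return found


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("loud scanners:", loud_scanners(events))
    print("distributed probes:", distributed_probes(events))
```

The per-target view is the one worth alerting on for this botnet: a single node that probes one host and then goes quiet will never cross a per-source threshold, but the service it probed will accumulate many such one-off sources. Thresholds here are illustrative and should be set from a baseline of the monitored network.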

Black Lotus Labs has null-routed traffic to the known botnet infrastructure, including the distributed botnet management, command-and-control, payload and exploitation servers. There are reports that law enforcement agencies in the US are working on neutralizing the botnet.

UPDATE: The US government has attributed the operation to Integrity Technology Group, a Chinese company with links to the PRC government. A joint advisory from the FBI, CNMF and NSA said Integrity used China Unicom Beijing Province Network IP addresses to remotely control the botnet.

Related: ‘Flax Typhoon’ APT Hacks Taiwan With Minimal Malware Footprint

Related: Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet 

Related: Researchers Discover 40,000-Strong EOL Router, IoT Botnet 

Related: US Gov Disrupts SOHO Router Botnet Used by Chinese APT Volt Typhoon

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
