The US government on Wednesday announced the disruption of a massive botnet created by Chinese state-sponsored hackers. The threat actor attempted to use a DDoS attack to protect its botnet.
The disruption of the botnet was announced on the same day Black Lotus Labs, the research unit of Lumen Technologies, shared details on the botnet, which has been named Raptor Train and linked to a Chinese cyberespionage group known as Flax Typhoon. A Chinese firm named Integrity Technology Group is behind this APT, according to the US government.
The Raptor Train botnet had ensnared an estimated 260,000 routers, network-attached storage (NAS) devices, and IP cameras over the last four years. The compromised devices — over 20 models — were located in the United States and elsewhere, and they were hacked using both zero-day and n-day vulnerabilities.
According to Black Lotus Labs, at its peak, in June 2023, the botnet was powered by more than 60,000 devices.
The botnet, which leverages a custom version of the notorious Mirai malware, can enable its operators to route traffic, conduct DDoS attacks, and deliver other malware.
Black Lotus Labs has seen Raptor Train being used to target critical sectors in the US and Taiwan, including military, government, higher education, telecommunications, and the defense industrial base.
The US Justice Department on Wednesday announced that a court-authorized law enforcement operation was conducted to disrupt the botnet.
The actions carried out by law enforcement included taking control of the threat actor’s infrastructure and sending commands through that infrastructure to disable the malware on compromised devices.
However, it seems the hackers did not want to give up without a fight and attempted to interfere with the FBI’s efforts by launching a DDoS attack on the operational infrastructure used by the agency to disrupt Raptor Train. “That attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet,” the DoJ said.
US authorities said the malware-disabling commands were thoroughly tested before they were executed to ensure that the legitimate functions of infected devices would not be impacted. The owners of hacked devices are being contacted by the FBI through ISPs.
Black Lotus Labs, along with French authorities, has also contributed to the botnet takedown efforts.
Five Eyes agencies on Wednesday published a joint cybersecurity advisory describing the botnet and providing mitigation recommendations.
This is not the first time the US has announced the takedown of a botnet linked to Chinese state-backed hackers. In January, it reported targeting a router-powered botnet operated by the notorious Volt Typhoon APT.