
US Disrupts ‘Raptor Train’ Botnet of Chinese APT Flax Typhoon

The US government has announced the disruption of Raptor Train, a Flax Typhoon botnet powered by hacked consumer devices.


The US government on Wednesday announced the disruption of a massive botnet created by Chinese state-sponsored hackers. The threat actor attempted to use a DDoS attack to protect its botnet.

The disruption of the botnet was announced on the same day Black Lotus Labs, the research unit of Lumen Technologies, shared details on the botnet, which has been named Raptor Train and linked to a Chinese cyberespionage group known as Flax Typhoon. A Chinese firm named Integrity Technology Group is behind this APT, according to the US government.

The Raptor Train botnet had ensnared an estimated 260,000 routers, network-attached storage (NAS) devices, and IP cameras over the last four years. The compromised devices — over 20 models — were located in the United States and elsewhere, and they were hacked using both zero-day and n-day vulnerabilities. 

According to Black Lotus Labs, at its peak, in June 2023, the botnet was powered by more than 60,000 devices. 

The botnet, which leverages a custom version of the notorious Mirai malware, can enable its operators to route traffic, conduct DDoS attacks, and deliver other malware. 

Black Lotus Labs has seen Raptor Train being used to target critical sectors in the US and Taiwan, including military, government, higher education, telecommunications, and the defense industrial base.

The US Justice Department on Wednesday announced that a court-authorized law enforcement operation was conducted to disrupt the botnet.

The actions carried out by law enforcement included taking control of the threat actor’s infrastructure and sending commands through that infrastructure to disable the malware on compromised devices.


However, it seems the hackers did not want to give up without a fight and attempted to interfere with the FBI’s efforts by launching a DDoS attack on the operational infrastructure used by the agency to disrupt Raptor Train. “That attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet,” the DoJ said.

US authorities said the malware-disabling commands were thoroughly tested before they were executed to ensure that the legitimate functions of infected devices would not be impacted. The owners of hacked devices are being contacted by the FBI through ISPs. 

Black Lotus Labs, along with French authorities, has also contributed to the botnet takedown efforts.

Five Eyes agencies on Wednesday published a joint cybersecurity advisory describing the botnet and providing mitigation recommendations. 

This is not the first time the US has announced the takedown of a botnet linked to Chinese state-backed hackers. In January, it reported targeting a router-powered botnet operated by the notorious Volt Typhoon APT.

Related: Global Coalition Blames China’s APT40 for Hacking Government Networks

Related: China-Linked Hackers Target Drone Makers

Related: China’s Volt Typhoon Hackers Caught Exploiting Zero-Day in Servers Used by ISPs, MSPs

Related: China-Linked ‘Velvet Ant’ Hackers Exploited Zero-Day to Deploy Malware on Cisco Nexus Switches

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
