FBI Disrupts Massive Chinese Botnet Targeting US Critical Infrastructure | World Briefings
FBI Disrupts Massive Chinese Botnet Targeting US Critical Infrastructure

22 September, 2024 - 4:18AM

The FBI, in collaboration with cybersecurity researchers, has successfully disrupted a massive Chinese botnet known as “Raptor Train,” which infected over 260,000 networking devices, posing a significant threat to critical infrastructure in the United States and globally. The botnet, which has been active since May 2020, was operated by a group of state-sponsored Chinese hackers known as “Flax Typhoon,” and was used to target entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, primarily in the US and Taiwan.

Anatomy of a Botnet

Raptor Train has evolved into a sophisticated, multi-tiered network over the past four years, employing an enterprise-grade control system capable of managing tens of servers and a vast number of compromised SOHO and consumer devices. These infected devices include routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers.

The botnet operates in three distinct tiers, each dedicated to specific functions:

  • Tier 1: This tier comprises the compromised devices that are controlled by the botnet operators. These devices are infected with a variant of the Mirai malware, called Nosedive, which enables the botnet to carry out distributed denial-of-service (DDoS) attacks. However, Raptor Train has not been observed deploying such attacks, indicating a more strategic objective beyond simple disruption.

  • Tier 2: This tier houses the command and control servers, exploitation servers, and payload servers that manage and direct the infected devices in Tier 1. Black Lotus Labs, the threat research and operations arm at Lumen Technologies, distinguishes between first-stage and second-stage payload servers. The first-stage servers deliver a generic payload, while the second-stage servers engage in more targeted attacks on specific device types, potentially as a tactic to obfuscate the use of zero-day vulnerabilities.

  • Tier 3: This tier is responsible for the overall management of the botnet, utilizing servers called Sparrow nodes. These nodes provide a web interface for easier operation, including backend functionalities, auxiliary functions for generating payloads and exploits, and the ability to send commands and collect data from the botnet.

Growth and Evolution of Raptor Train

Raptor Train has grown significantly in its number of compromised devices, with researchers estimating that over 200,000 devices have been infected since its inception in May 2020. Its peak activity occurred in June 2023, when it controlled over 60,000 devices. Black Lotus Labs continues to track around the same number of active infected devices, fluctuating by a few thousand since August. The botnet’s operators employ various tactics to add devices to Tier 1, exploiting more than 20 different device types through both known and unknown vulnerabilities.

Raptor Train has also increased its number of C2 servers over time, from up to five between 2020 and 2022 to 11 in 2023 and more than 60 between June and August 2024. This growth signifies a more aggressive expansion of the botnet’s capabilities and reach.

Targeting and Operations

Raptor Train operators have demonstrated a targeted approach in recent campaigns, notably the Canary campaign, which began in May 2023. This campaign focused on infecting devices like ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS RT- and GT- routers. A single Tier 2 second-stage server in this campaign infected at least 16,000 devices in just two months.

The subsequent Oriole campaign, which ran from June to September 2023, also displayed a focused effort, resulting in at least 30,000 devices in Tier 1. During this campaign the C2 domain w8510[.]com used by the botnet operators became so prominent that it was included in the Cisco Umbrella domain rankings and Cloudflare’s Radar top one million domains. Security tools that allowlist highly ranked domains may therefore treat the botnet’s C2 traffic as benign, making it more difficult to detect and disrupt.
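The allowlisting problem described above can be avoided by ordering checks so that threat intelligence is consulted before any popularity list. The following is an added example, not code from the article or from Black Lotus Labs: a small DNS log triage routine that flags w8510[.]com (the C2 domain named in the article) even though it sits in a top-1M list, beside the weaker allowlist-first ordering for contrast. The log format, the allowlist contents and the log lines are constructed for the example.

```python
"""Added example, not code from the article or from Black Lotus Labs: a DNS
log triage routine that consults a threat-intel blocklist before any
popularity allowlist, so a C2 domain that reaches a top-1M ranking is still flagged.
Log format, allowlist contents and log lines below are constructed for the example.
"""
import re

# Defanged C2 domain named in the article; kept defanged at rest, refanged for matching.
C2_BLOCKLIST = {"w8510[.]com"}

# Constructed stand-in for a top-1M popularity list (the real lists are far longer).
# w8510.com is included to mirror the article's point that it entered such rankings.
TOP_1M = {"example.com", "w8510.com", "cloudflare.com"}

# Constructed log format: "<ISO timestamp> <client-ip> <queried-name> <qtype>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)

SAMPLE_DNS_LOG = [  # constructed sample lines
    "2024-06-12T08:01:02Z 10.20.0.15 w8510.com A",
    "2024-06-12T08:01:09Z 10.20.0.15 example.com A",
    "2024-06-12T08:02:30Z 10.20.0.42 update.w8510.com A",
    "garbage line that does not parse",
    "2024-06-12T08:03:11Z 10.20.0.42 cloudflare.com AAAA",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator like w8510[.]com into a matchable name."""
    return domain.replace("[.]", ".").lower()


def _norm(qname: str) -> str:
    return qname.rstrip(".").lower()


def is_c2(qname: str) -> bool:
    """True if qname is a blocklisted domain or a subdomain of one."""
    q = _norm(qname)
    return any(q == d or q.endswith("." + d) for d in map(refang, C2_BLOCKLIST))


def classify(qname: str) -> str:
    """Blocklist first: popularity never overrides threat intel."""
    if is_c2(qname):
        return "c2"
    if _norm(qname) in TOP_1M:
        return "popular"
    return "unknown"


def classify_allowlist_first(qname: str) -> str:
    """The weak ordering the article warns about: a ranked domain short-circuits to 'popular'."""
    if _norm(qname) in TOP_1M:
        return "popular"
    if is_c2(qname):
        return "c2"
    return "unknown"


def scan_dns_log(lines):
    """Return (timestamp, client, qname) for every parseable query to a C2 domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than aborting the whole scan
        if classify(m["qname"]) == "c2":
            hits.append((m["ts"], m["src"], m["qname"]))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("C2 query:", hit)
```

Run it directly to see the two flagged queries; `classify_allowlist_first("w8510.com")` returns "popular", which is exactly the miss the article describes.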

Raptor Train has also been implicated in scanning activity last December against the US military, the US government, IT providers, and the defense industrial base. Its targeting extends beyond the US: the botnet was also used against a government agency in Kazakhstan. It has also been involved in exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure appliances, likely via CVE-2024-21887, at organizations in the same sectors.

Disrupting Raptor Train

The FBI’s disruption of Raptor Train involved the execution of court-authorized operations to seize control of the botnet’s infrastructure. As a response, the Flax Typhoon hackers attempted to migrate infected devices to new servers and even launched a DDoS attack against the FBI. However, the FBI ultimately succeeded in identifying thousands of infected devices and, with court authorization, issued commands to remove malware from them, effectively severing the botnet’s control over those devices.

Black Lotus Labs has implemented null-routing to disrupt traffic to the known infrastructure points of Raptor Train, including its botnet management, C2, payload, and exploitation infrastructure. These efforts have significantly hindered the botnet’s operations, although researchers acknowledge that the botnet may still be partially active.

Attribution and Concerns

Based on the indicators found during the investigation, including target selection, language used in the codebase and infrastructure, and overlapping tactics, techniques, and procedures, Black Lotus Labs assesses with medium to high confidence that the operators of Raptor Train are likely state-sponsored Chinese hackers, specifically the Flax Typhoon group. Further evidence supporting this attribution includes the exclusive use of SSH connections between Tier 3 management nodes and Tier 2 systems during China’s normal workweek hours and the use of Chinese language in codebase comments and references.
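The working-hours observation above is a standard attribution heuristic: bucket operator session times into a candidate time zone and see how much of the activity falls within a normal workweek there. The following is an added example, not code from the article or from Black Lotus Labs; the SSH session timestamps, the 09:00-18:00 Monday-to-Friday window, and the candidate UTC offsets are constructed assumptions.

```python
"""Added example, not code from the article or from Black Lotus Labs: bucket
the UTC start times of operator SSH sessions into a candidate time zone and
count how many fall inside a Monday-Friday, 09:00-18:00 workweek there.
The session timestamps and the working-hours window are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps of SSH sessions from a Tier 3 management node to Tier 2 hosts.
SAMPLE_SESSIONS_UTC = [
    "2024-06-03T01:15:00Z",  # Mon 09:15 in UTC+8
    "2024-06-03T07:40:00Z",  # Mon 15:40 in UTC+8
    "2024-06-04T02:05:00Z",  # Tue 10:05 in UTC+8
    "2024-06-06T09:30:00Z",  # Thu 17:30 in UTC+8
    "2024-06-08T03:00:00Z",  # Sat 11:00 in UTC+8 (weekend)
    "2024-06-05T16:00:00Z",  # Thu 00:00 in UTC+8 (night)
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_workweek(ts_utc: datetime, utc_offset_hours: int, start_hour: int = 9, end_hour: int = 18) -> bool:
    """True if the session starts Mon-Fri within [start_hour, end_hour) at the given fixed offset."""
    local = ts_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.weekday() < 5 and start_hour <= local.hour < end_hour


def workweek_count(stamps, utc_offset_hours: int):
    """Return (sessions inside the workweek, total sessions) for one candidate offset."""
    parsed = [parse_utc(s) for s in stamps]
    inside = sum(in_workweek(t, utc_offset_hours) for t in parsed)
    return inside, len(parsed)


def compare_offsets(stamps, offsets):
    """Workweek counts for each candidate offset, so the best-fitting zone stands out."""
    return {off: workweek_count(stamps, off) for off in offsets}


if __name__ == "__main__":
    # UTC+8 (China), UTC+0 and UTC-5 as contrasting candidates; fixed offsets ignore DST.
    for off, (inside, total) in compare_offsets(SAMPLE_SESSIONS_UTC, (8, 0, -5)).items():
        print(f"UTC{off:+d}: {inside}/{total} sessions in Mon-Fri 09:00-18:00")
```

On the constructed sample, UTC+8 places four of six sessions inside the workweek while UTC+0 and UTC-5 place two and one respectively. In practice this is one weak signal among several, which is why the article pairs it with language artefacts in the codebase and overlapping TTPs before reaching a medium-to-high confidence assessment.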

This disruption of Raptor Train highlights the ongoing threat posed by state-sponsored hacking groups targeting critical infrastructure. It also underscores the need for robust cybersecurity measures, including regular device updates, secure network configurations, and heightened vigilance against suspicious activity. The FBI and cybersecurity researchers will continue to monitor and disrupt these threats, protecting vital systems and networks from malicious actors.

Final Thoughts: A Continuous Battle

The successful takedown of the Raptor Train botnet, a massive network of compromised devices, highlights the escalating cyberwarfare between nations, specifically between China and the US. The fact that the botnet operators attempted to migrate infected devices and launch DDoS attacks against the FBI showcases the sophistication and tenacity of these actors. This is not a one-time battle but a continuous struggle to protect critical infrastructure and maintain cybersecurity. As we move forward, it’s imperative to remain vigilant, update devices regularly, and strengthen our defenses against cyber threats that are constantly evolving.

Maria Garcia

Editor