Raptor Train Botnet Disrupted After Targeting Global Critical Infrastructure

Threat Details and Score

Threat Group: Flax Typhoon (Chinese state-sponsored)
Threat Type: Botnet (IoT)
Exploited Vulnerabilities: IoT device vulnerabilities, including zero-day and n-day vulnerabilities in over 20 device types
Malware Used: Nosedive (a variant of Mirai)
Threat Score: High (8.9/10) — Due to its scale, complexity, and targeting of critical infrastructure in key sectors across multiple nations
Last Threat Observation: September 20, 2024 (AlienVault)


Overview

The Raptor Train botnet, operated by the Chinese state-sponsored group Flax Typhoon, is one of the largest IoT botnets ever uncovered, affecting over 260,000 devices globally, including routers, IP cameras, and NAS systems. It primarily uses a Mirai variant named Nosedive, which is capable of launching distributed denial-of-service (DDoS) attacks, though none have been observed so far.

The botnet architecture is sophisticated, consisting of three distinct tiers: the compromised devices themselves, the servers that deliver payloads and manage exploitation, and the command-and-control (C2) management nodes. It primarily targeted U.S. and Taiwanese entities in sensitive sectors, such as military, government, education, and telecommunications.

Since its discovery by Black Lotus Labs in mid-2023, the botnet has continued to evolve. Flax Typhoon's operations were severely disrupted by an FBI-led international law enforcement operation in September 2024, although the operators attempted to defend the botnet by launching a DDoS attack against FBI infrastructure.

Key Details

  • Compromised Devices: Over 260,000 globally, including routers (ASUS RT series, TP-Link), IP cameras (Hikvision, D-Link), and NAS devices (QNAP, Synology).
  • Botnet Peak: More than 60,000 active devices in June 2023.
  • Countries Affected: The United States (126,000 devices), Vietnam, Germany, Taiwan, and Kazakhstan have been heavily impacted.
  • Tiers of Operation:
    • Tier 1: Compromised IoT devices.
    • Tier 2: C2 servers for delivering payloads and managing exploitation.
    • Tier 3: Management nodes (Sparrow).

Attack Vectors

  • Device Vulnerabilities: The botnet exploits both zero-day and n-day vulnerabilities across more than 20 types of IoT devices, including routers, IP cameras, and NAS systems.
  • Multi-Tier Architecture: The botnet is organized into three tiers, allowing for streamlined management of compromised devices, execution of attacks, and payload deployment.
  • Non-persistent Payloads: Nosedive payloads have no persistence mechanism, so a reboot clears the infection; compromised devices typically stay infected for about 17 days.

Known Indicators of Compromise (IoCs)

  • IP Addresses (Defanged):
    • 122[.]10[.]89[.]230
    • 139[.]180[.]158[.]51
    • 45[.]195[.]149[.]224
    • 45[.]204[.]1[.]247
    • 45[.]204[.]1[.]248
    • 101[.]33[.]205[.]106
    • 134[.]122[.]188[.]20
    • 137[.]220[.]36[.]87
    • 154[.]19[.]187[.]92
    • 192[.]253[.]235[.]107
    • 39[.]98[.]208[.]61
    • 45[.]88[.]192[.]118
  • Domains (Defanged):
    • asljkdqhkhasdq[.]softether[.]net
    • vpn437972693[.]sednc[.]cn
    • vpn472462384[.]softether[.]net
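The indicators above are published defanged, so they cannot be fed to a log search as-is. The following script is an added example (not code from the advisory or from Lumen) that refangs the listed IPs and domains, validates them, and sweeps DNS and connection log lines for hits. The log format, the IoT VLAN 10.20.5.0/24 and the sample log lines are constructed for the example; the external addresses in the samples are documentation ranges.

```python
import ipaddress
import re

# Indicators as published in the advisory above, kept in their defanged form.
DEFANGED_IPS = [
    "122[.]10[.]89[.]230", "139[.]180[.]158[.]51", "45[.]195[.]149[.]224",
    "45[.]204[.]1[.]247", "45[.]204[.]1[.]248", "101[.]33[.]205[.]106",
    "134[.]122[.]188[.]20", "137[.]220[.]36[.]87", "154[.]19[.]187[.]92",
    "192[.]253[.]235[.]107", "39[.]98[.]208[.]61", "45[.]88[.]192[.]118",
]
DEFANGED_DOMAINS = [
    "asljkdqhkhasdq[.]softether[.]net",
    "vpn437972693[.]sednc[.]cn",
    "vpn472462384[.]softether[.]net",
]

# Constructed sample log lines (not real telemetry): two DNS queries and two connections
# from an assumed IoT VLAN 10.20.5.0/24; the external addresses are documentation ranges.
SAMPLE_LOGS = [
    "2024-09-18T10:01:02Z dns client=10.20.5.17 query=vpn437972693.sednc.cn type=A",
    "2024-09-18T10:01:05Z conn src=10.20.5.17 dst=45.204.1.247 dport=443 proto=tcp",
    "2024-09-18T10:02:11Z dns client=10.20.5.40 query=time.example.net type=A",
    "2024-09-18T10:03:00Z conn src=10.20.5.40 dst=203.0.113.5 dport=443 proto=tcp",
]


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', '[dot]', 'hxxp') so a value can be compared with logs."""
    value = indicator.strip().lower()
    for broken in ("[.]", "(.)", "[dot]"):
        value = value.replace(broken, ".")
    return re.sub(r"^hxxp", "http", value)


def load_iocs(defanged_ips, defanged_domains):
    """Refang and validate both lists. A mistyped IP raises ValueError here
    instead of silently never matching anything."""
    ips = {str(ipaddress.ip_address(refang(raw))) for raw in defanged_ips}
    domains = {refang(raw) for raw in defanged_domains}
    return ips, domains


_TOKEN_SPLIT = re.compile(r"[\s=,;\"'<>()\[\]]+")


def matching_indicator(token, ips, domains):
    """Return the indicator a token matches, or None.
    Hosts match exactly or as a label beneath the listed host; the parent zones
    (softether.net, sednc.cn) are dynamic-DNS services and are deliberately not matched."""
    if token in ips:
        return token
    for host in domains:
        if token == host or token.endswith("." + host):
            return host
    return None


def sweep(log_lines, ips, domains):
    """Return (line number, indicator, line) for each log line that references an IoC."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for token in _TOKEN_SPLIT.split(line.lower()):
            indicator = matching_indicator(token.strip("."), ips, domains)
            if indicator:
                hits.append((number, indicator, line))
                break  # one hit per line is enough for triage
    return hits


if __name__ == "__main__":
    known_ips, known_domains = load_iocs(DEFANGED_IPS, DEFANGED_DOMAINS)
    for number, indicator, line in sweep(SAMPLE_LOGS, known_ips, known_domains):
        print(f"line {number}: {indicator} <- {line}")
```

Matching is deliberately limited to the listed hosts and labels beneath them: the parent zones are public dynamic-DNS services, so blocking or alerting on them wholesale would generate noise without adding coverage.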

Mitigation and Prevention

  1. Patch Management: Update all IoT devices with the latest firmware to close vulnerabilities.
  2. Network Segmentation: Isolate IoT devices from critical infrastructure to limit potential damage from future compromises.
  3. Monitoring: Continuously monitor network traffic for unusual patterns, especially encrypted traffic on non-standard ports.
  4. Rebooting Devices: Regularly reboot IoT devices, as Raptor Train’s payloads are not persistent.
  5. DDoS Protection: Deploy DDoS mitigation strategies as a preventive measure.

Conclusion

The Raptor Train botnet presents a significant cyber threat, capable of infecting IoT devices at large scale worldwide. While Flax Typhoon's infrastructure has been dismantled by global law enforcement, organizations must remain vigilant. Updating device firmware, monitoring for anomalies, and implementing network segmentation are essential to prevent re-infection.



Sources

  1. Lumen, Derailing the Raptor Train
    https://blog.lumen.com/derailing-the-raptor-train
  2. Bleeping Computer, Chinese botnet infects 260,000 SOHO routers, IP cameras with malware
    https://www.bleepingcomputer.com/news/security/chinese-botnet-infects-260000-soho-routers-ip-cameras-with-malware
  3. SecurityWeek, US Disrupts 'Raptor Train' Botnet of Chinese APT Flax Typhoon
    https://www.securityweek.com/us-disrupts-raptor-train-botnet-of-chinese-apt-flax-typhoon
  4. SC Media, Significant Flax Typhoon botnet dismantled
    https://www.scmagazine.com/brief/significant-flax-typhoon-botnet-dismantled
  5. Department of Justice, Court-Authorized Operation Disrupts Worldwide Botnet
    https://www.justice.gov/opa/pr/court-authorized-operation-disrupts-worldwide-botnet-used-people-s-republic-china-state