Raptor Train, the name of the botnet that has been used by hackers for decades, has infected hundreds of thousands of small offices/home offices (SOHOs) and IoT devices in the United States and Taiwan, including government agencies, higher education institutions, and telecommunications, as well as the defence industrial base (DIB). 

The botnet contains hundreds of thousands of small office/home office devices. It was announced today by the Justice Department that a court-authorized law enforcement operation was conducted to disrupt a botnet of more than 200,000 consumer devices across the U.S. and beyond. Several court documents unveiled in the Western District of Pennsylvania reveal that the botnet devices were infected by state-sponsored hackers from the People's Republic of China (PRC) who worked for Integrity Technology Group, a Beijing-based company called "Flax Typhoon" and dubbed "Flax Typhoon" by the private sector. 

As Raptor Train has grown over the past four years, it has become a highly complex, multi-tiered network able to handle tens of servers, as well as a huge number of infected SOHO and consumer devices, including routers, modems, NVRs, and DVRs, IP cameras, and NAS servers with enterprise-level control systems. 

According to Black Lotus Labs, a research division of Lumen Technologies that specializes in hacking activities, the botnet was constructed by the Chinese cyberespionage team Flax Typhoon, a team with a reputation for hacking Taiwanese organizations heavily. With very little malware, Flax Typhoon maintains stealthy persistence by abusing legitimate software tools and avoiding the use of attack tools such as W32.Flax. 

Black Lotus Labs has gathered information about the APT that has been building the new IoT botnet which, at the height of its activity in June of 2023, contained more than 60,000 active compromised devices, found to contain threats.  During the past four years, Black Lotus Labs reports that it has affected more than 200,000 routers, network-attached storage (NAS) servers, and IP cameras, in addition to the security software that protects these devices. Since its formation, the botnet has continued to grow. 

As of this writing, hundreds of thousands of devices have been infected as a result of this network. A paper published by Black Lotus Labs notes that nodes affiliated with this botnet have reportedly been seen attempting to exploit Atlassian Confluence servers as well as Ivanti Connect Secure appliances in an attempt to take advantage of this threat.  

The Raptor Train was announced in May 2020 and appears to have skipped under the radar until recently when some researchers at Black Lotus Labs, a threat research and operations arm of Lumen Technologies, stumbled upon it while looking into compromised routers as part of their investigation. There has been some evidence that the Nosedive botnet is used to launch DDoS attacks using a variant of the Mirai malware called Nosedive that was developed specifically for attacks against distributed denial-of-service (DDoS) systems. 

According to the researchers today, Raptor Train has three tiers of activity, each of which is responsible for running specific types of tasks, such as sending out tasks, administrating servers that exploit the payload or server that manages payloads, and controlling the system. 

It was noted by Microsoft Threat Intelligence in an August 24, 2023 blog post that while Microsoft does not have complete visibility into Flax Typhoon's activity, the group's relatively limited use of malware and reliance on tools built into target operating systems, along with benign software, has reduced the risk of detection for the group.  

According to U.S. officials, this strategy, which is also known as "living off the land", is among the key features of what U.S. officials have called an aggressive and intense cyber campaign sponsored by the Chinese. Additionally, to more typical forms of espionage and intellectual property theft, officials say similar Chinese operations are increasingly burrowing their way into sensitive U.S. critical infrastructure networks for reasons other than their potential security value.  

As it stands, the U.S. alleges that the Chinese are more likely preparing for a military confrontation with the United States if they are threatened with disruption to key U.S., Taiwanese, and other targets - civilian and government - if a military confrontation occurs. The top U.S. intelligence and cybersecurity officials have warned of the activity occurring under the Volt Typhoon since the beginning of 2023.  In a phone call that the White House conducted, one of the administration officials noted that Flax Typhoon was a private-sector organization working on behalf of Beijing, whereas Volt Typhoon was a government organization. 

According to Lisa Monaco, deputy attorney general of the U.S. Department of Justice, that agency's traditional prosecution programs, along with the initiative to prioritize disruption, have been brought together in a new way. A lot of indicators that have been collected during the investigation have led Black Lotus Labs to conclude that the operators of Raptor Train are likely state-sponsored Chinese hackers linked with the Flax Typhoon group, based on the indicators that were found during the investigation. 

Many factors support this theory, including not only the fact that the targets are aligned with Chinese interests, but also the codebase language and infrastructure, as well as the fact that different tactics, techniques, and procedures overlap. According to the researchers, Tier 3 management node connections to Tier 2 systems over SSH occurred almost exclusively during Chinese workweek hours, when the researchers observed the country's normal working hours. 

As well as that, the codebase includes Chinese descriptions and comments describing the functions, menus, comments, and reference references in the codebase itself. Raptor Train, however sophisticated it may be, is still a very dangerous botnet that can be prevented from spreading the infection by users and network defenders. 

A network administrator may need to pay attention to large outbound data transfers, even if the destination IP address is within the same region as the source IP address. To ensure that routers stay up-to-date, it is recommended that consumers restart their routers regularly and install the latest updates. The company should also replace systems that are no longer supported and are no longer receiving updates (end-of-life systems) with new ones.