Raptor Train: Chinese Nation-State Botnet Compromises Over 200,000 Devices
Black Lotus Labs released a report detailing the discovery of a botnet, dubbed "Raptor Train." This multi-tiered network has compromised more than 200,000 small office/home office (SOHO) routers, Internet of Things (IoT) devices, and network infrastructure worldwide.
Introduction
On September 18, 2024, Black Lotus Labs released a comprehensive report detailing the discovery of a sophisticated botnet, dubbed "Raptor Train." This multi-tiered network has compromised more than 200,000 small office/home office (SOHO) routers, Internet of Things (IoT) devices, and network infrastructure worldwide. The botnet is attributed to the Chinese threat actor group, Flax Typhoon. Initial investigations began in mid-2023, revealing a massive state-sponsored operation targeting U.S. and Taiwanese entities in sectors such as military, government, and telecommunications.
Report Overview
Raptor Train has been operational for over four years, with its origins traced back to May 2020. It is managed by Flax Typhoon, a nation-state group allegedly supported by China. The botnet leverages vulnerabilities in SOHO and IoT devices, including modems, routers, IP cameras, and network-attached storage (NAS) servers. The operation went undetected for years, evolving into one of the largest IoT-based botnets ever uncovered.
The botnet is managed through a sophisticated network of compromised devices divided into three tiers:
- Tier 1: Consists of infected SOHO and IoT devices such as routers and cameras.
- Tier 2: Exploitation and payload servers deliver malware to Tier 1 devices.
- Tier 3: Command and Control (C2) management nodes handle the botnet's operations through a custom-built platform called "Sparrow."
The primary malware used in this botnet, called "Nosedive," is a modified version of the infamous Mirai malware. Nosedive is memory-resident, making detection and forensics difficult. This malware variant enables the operators to run commands, exfiltrate data, and launch Distributed Denial of Service (DDoS) attacks, although no DDoS incidents have been observed thus far.
The botnet’s scale is alarming, with over 200,000 devices actively compromised as of mid-2023. These devices include consumer-grade modems, routers, and NAS servers, as well as critical infrastructure components such as IP cameras. The network has primarily targeted U.S. and Taiwanese organizations, focusing on critical sectors like defense, government, and telecommunications.
The compromised devices are used not only for gathering intelligence but also for further exploitation attempts, including scanning for vulnerable Atlassian Confluence servers and Ivanti Connect Secure appliances. The botnet's ability to scale up quickly, rotating thousands of devices every 17 days, poses a significant threat to global digital infrastructure.
Insights and Analysis
While Black Lotus Labs has not yet seen any DDoS attacks launched from the botnet, they suspect that this capability is being preserved for future use. The scale and sophistication of the operation, along with the sectors targeted, suggest a long-term strategic campaign aimed at weakening critical infrastructure. The botnet’s management through the Sparrow application demonstrates an enterprise-level approach to botnet control, allowing operators to exploit vulnerabilities on a massive scale with minimal manual intervention.
Conclusion and Preventative Measures
The Raptor Train botnet presents a significant risk to global security. Organizations in affected sectors should take immediate action to secure their infrastructure. Key recommendations include:
- Implementing secure access service edge (SASE) or similar solutions to detect and block unauthorized network-based communications.
- Regularly rebooting routers and installing the latest security patches.
- Monitoring for large, unusual data transfers, especially from SOHO devices, as these may indicate exfiltration or botnet activity.
Consumers and network operators alike should be mindful of devices nearing end-of-life, as they are particularly vulnerable to exploitation. Black Lotus Labs continues to monitor and disrupt the activities of Raptor Train to mitigate its impact on critical infrastructure.
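As an added illustration of the "monitor for large, unusual data transfers from SOHO devices" recommendation (example code written for this summary, not from the Black Lotus Labs report), the following Python flags a device whose daily outbound volume jumps well above its own baseline and lists any destinations it began contacting that day. The flow records, IP addresses and thresholds are constructed sample values.

```python
"""Baseline-based egress spike detection over per-device flow records."""
from collections import defaultdict
from statistics import mean

# Constructed sample flow records (not from the report):
# (day, src_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    ("2024-09-10", "192.0.2.10", "198.51.100.5", 443, 1_200_000),
    ("2024-09-11", "192.0.2.10", "198.51.100.5", 443, 1_100_000),
    ("2024-09-12", "192.0.2.10", "198.51.100.5", 443, 1_300_000),
    ("2024-09-13", "192.0.2.10", "203.0.113.77", 443, 48_000_000),  # spike to a new peer
    ("2024-09-10", "192.0.2.20", "198.51.100.9", 443, 600_000),
    ("2024-09-11", "192.0.2.20", "198.51.100.9", 443, 700_000),
    ("2024-09-12", "192.0.2.20", "198.51.100.9", 443, 650_000),
    ("2024-09-13", "192.0.2.20", "198.51.100.9", 443, 720_000),
]


def summarise(flows):
    """Per source: outbound bytes per day and the set of destinations seen per day."""
    bytes_by_day = defaultdict(lambda: defaultdict(int))
    dsts_by_day = defaultdict(lambda: defaultdict(set))
    for day, src, dst, _port, nbytes in flows:
        bytes_by_day[src][day] += nbytes
        dsts_by_day[src][day].add(dst)
    return bytes_by_day, dsts_by_day


def find_egress_anomalies(flows, ratio=5.0, min_bytes=10_000_000):
    """Return {src_ip: details} for devices whose latest day exceeds `ratio` times
    their prior-day mean and an absolute floor (the floor suppresses noisy small devices).
    `new_dsts` lists peers first contacted on the anomalous day."""
    bytes_by_day, dsts_by_day = summarise(flows)
    alerts = {}
    for src, per_day in bytes_by_day.items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # need at least one baseline day to compare against
        latest, prior = days[-1], days[:-1]
        baseline = mean(per_day[d] for d in prior)
        if per_day[latest] >= min_bytes and per_day[latest] > ratio * baseline:
            seen_before = set().union(*(dsts_by_day[src][d] for d in prior))
            alerts[src] = {
                "day": latest,
                "bytes": per_day[latest],
                "baseline": baseline,
                "new_dsts": sorted(dsts_by_day[src][latest] - seen_before),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_egress_anomalies(SAMPLE_FLOWS).items():
        print(f"{src}: {info['bytes']} B on {info['day']} "
              f"(baseline {info['baseline']:.0f} B), new peers {info['new_dsts']}")
```

Tune `ratio` and `min_bytes` to the observed traffic profile of the device class before alerting on production flow data.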
Indicators of Compromise (IOC)
No specific Indicators of Compromise (IOCs) were provided in the source material.
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Command and Control | Encrypted Channel | T1573 | Use of TLS encryption on port 443 for communication between botnet nodes. |
Command and Control | Application Layer Protocol | T1071 | Use of HTTPS communication for C2 traffic between Tier 1 and Tier 2 nodes. |
Execution | Command-Line Interface | T1059 | Execution of commands on compromised devices, including DDoS and file uploads/downloads. |
Persistence | Implant via Software Supply Chain | T1195 | Deployment of the custom Mirai-based "Nosedive" malware to compromised IoT devices. |

No further specific MITRE ATT&CK TTPs were provided in the source material.