Experts Warn of China-Linked APT’s Raptor Train IoT Botnet

Researchers at Lumen's Black Lotus Labs have uncovered a large-scale IoT botnet, tracked as Raptor Train, that has compromised more than 200,000 devices worldwide since it began operating in May 2020. Black Lotus Labs attributes the botnet to the China-linked advanced persistent threat (APT) group Flax Typhoon, also tracked as Ethereal Panda and RedJuliett.

The Scope of the Raptor Train Botnet

The Raptor Train botnet primarily targets small office/home office (SOHO) and IoT devices such as routers, NAS servers, NVR/DVR units, and IP cameras. It is one of the largest China-linked IoT botnets identified to date, with roughly 60,000 devices active at its peak in June 2023. Its command-and-control (C2) domains were resolved often enough to appear on Cloudflare Radar's and Cisco Umbrella's "top 1 million" lists, a measure of how much traffic the botnet generates; those lists rank popularity, not reputation, so a destination appearing on them is no evidence that it is benign.

Researchers estimate that hundreds of thousands of devices may have been compromised since the botnet’s inception, making it a serious global threat. The compromised devices are spread across various sectors, including military, government, education, telecommunications, and defense industries, with notable targeting in the U.S. and Taiwan.

The Architecture of the Raptor Train Botnet

The Raptor Train botnet uses a three-tiered architecture that separates the disposable bots from the infrastructure that controls them. The design scales: operators can manage large numbers of infected IoT devices while individual bots and servers are replaced frequently:

  1. Tier 1: Compromised SOHO/IoT devices such as modems, routers, NAS servers, and IP cameras. These devices have a short lifetime in the botnet, averaging about 17 days before they drop out and are replaced by newly infected devices.
  2. Tier 2: Exploitation servers, payload servers, and C2 servers that handle communication with the Tier 1 bots. These servers are distributed globally and remain in use for roughly 77 days before being rotated.
  3. Tier 3: Centralized management nodes, operated through a cross-platform Electron application known as Sparrow, or Node Comprehensive Control Tool (NCCT). These nodes are located primarily in Hong Kong and China and issue the commands that flow down to the lower tiers.

Devices Targeted by the Botnet

The Raptor Train botnet has compromised a wide range of devices from leading manufacturers, including:

  • Modems/Routers: ActionTec PK5000, ASUS RT series, TP-LINK, DrayTek Vigor, Zyxel USG, Mikrotik, and more.
  • IP Cameras: D-LINK DCS series, Hikvision, AXIS, Panasonic, and more.
  • NVR/DVR: Shenzhen TVT NVRs/DVRs.
  • NAS Servers: QNAP TS Series, Fujitsu, Synology.

These devices are attractive to botnet operators because they are often exposed directly to the internet, ship with weak default configurations, run outdated firmware, and are rarely monitored once installed. Compromised in bulk, they can be used for large-scale attacks such as Distributed Denial of Service (DDoS).

Attribution to China-Linked APT Group Flax Typhoon

The attribution of Raptor Train to the Flax Typhoon APT group is based on multiple indicators, including:

  • Operational timelines that align with Chinese cyber activity.
  • Targeting of sectors that match Chinese state interests, such as military, government, and telecommunications sectors.
  • The use of the Chinese language in the botnet’s infrastructure.
  • The overlap of tactics, techniques, and procedures (TTPs) with other known Chinese cyber operations.

The botnet has primarily targeted entities in the U.S. and Taiwan, likely in efforts to gather intelligence and possibly prepare for future cyber operations.

A Robust and Evolving Threat

The Raptor Train botnet is controlled through infrastructure built and operated like an enterprise system. The Sparrow management tool allows operators to:

  • Exploit vulnerabilities and manage infected devices.
  • Upload and download files.
  • Execute remote commands.
  • Launch IoT-based DDoS attacks at scale, although researchers have not yet observed the DDoS capability being actively deployed.

According to Lumen’s Black Lotus Labs, the operators of Raptor Train manage this botnet through 60+ C2 servers, utilizing a sophisticated backend system to maintain control and execute attacks across compromised networks.

Implications and Potential Threats

While Raptor Train has not yet been observed conducting large-scale DDoS attacks, the capability exists in the tooling and could be used in the future. Given the botnet's size, it could disrupt critical infrastructure or amplify attacks on geopolitical targets.

Because many of the compromised devices sit in sensitive sectors such as defense and telecommunications, the botnet could also serve as a foothold for espionage, data theft, or sabotage. As it evolves, it could become a key tool in state-sponsored cyber operations.

Recommendations for Mitigating the Threat

Organizations and individuals with IoT devices or SOHO equipment should take proactive measures to protect their systems from becoming part of botnets like Raptor Train:

  1. Regularly update firmware: Ensure that all IoT devices, routers, and NAS servers run the latest firmware, and replace devices the vendor no longer patches; an unpatched end-of-life device cannot be secured by configuration alone.
  2. Use strong credentials: Change default passwords and use strong, unique credentials for each device.
  3. Segment networks: Place IoT devices on their own network segment with no path to critical systems, so that a compromised camera or router cannot be used to reach them.
  4. Monitor traffic: Baseline what each IoT device normally talks to and alert on new external destinations and on regular, periodic connections, which are typical of a bot checking in with a C2 server.
  5. Disable unnecessary services: Turn off any services or features that are not in use, especially remote management exposed to the internet, to minimize the attack surface.
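
One way to act on the segmentation and monitoring recommendations above is to check flow logs from the IoT segment for two things: devices reaching external hosts they have no business reaching, and connections that recur on a fixed schedule. The example below is added here and is not code from Black Lotus Labs or from the report; the flow records, the IoT subnet, and the allowlist are constructed for a hypothetical network, and the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) stand in for public ones.

```python
"""Flag SOHO/IoT devices that are contacting unexpected hosts or beaconing.

Added example, not from the Raptor Train report. The flow log, the IoT subnet
and the allowlist below are all constructed/assumed for a hypothetical network.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed layout: IoT/SOHO gear lives in 192.168.50.0/24 and should only reach
# the listed external hosts (say, an NTP server and a vendor update host).
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_DESTINATIONS = {"192.0.2.10", "192.0.2.20"}  # hypothetical allowlist
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: timestamp,src_ip,dst_ip,dst_port,bytes
SAMPLE_FLOWS = """\
2024-09-18T10:00:00,192.168.50.12,192.0.2.10,123,76
2024-09-18T10:00:05,192.168.50.12,198.51.100.7,443,512
2024-09-18T10:05:06,192.168.50.12,198.51.100.7,443,498
2024-09-18T10:10:04,192.168.50.12,198.51.100.7,443,530
2024-09-18T10:15:05,192.168.50.12,198.51.100.7,443,511
2024-09-18T10:20:06,192.168.50.12,198.51.100.7,443,505
2024-09-18T10:01:00,192.168.50.30,192.0.2.20,443,20480
2024-09-18T10:02:11,192.168.50.30,203.0.113.9,8080,1200
2024-09-18T10:00:30,192.168.10.5,198.51.100.7,443,900
"""


def is_external(addr):
    """True when the address is outside every internal (RFC 1918) range."""
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, dst_port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port), int(nbytes)))
    return flows


def unexpected_egress(flows):
    """Map each IoT-segment host to the external, non-allowlisted hosts it reached."""
    hits = defaultdict(set)
    for _, src, dst, _, _ in flows:
        if src in IOT_SUBNET and is_external(dst) and str(dst) not in ALLOWED_DESTINATIONS:
            hits[str(src)].add(str(dst))
    return dict(hits)


def beacon_candidates(flows, min_connections=4, max_jitter_ratio=0.1):
    """Return (src, dst, port, median_interval_s, jitter_ratio) for IoT hosts whose
    connections to one external endpoint recur at near-constant intervals.

    jitter_ratio is the population standard deviation of the inter-connection
    gaps divided by their median; a scheduled check-in keeps it small, whereas
    human-driven traffic is irregular.
    """
    stamps = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if src in IOT_SUBNET and is_external(dst):
            stamps[(str(src), str(dst), port)].append(ts)
    found = []
    for (src, dst, port), times in stamps.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        jitter = statistics.pstdev(gaps) / median
        if jitter <= max_jitter_ratio:
            found.append((src, dst, port, median, round(jitter, 4)))
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, dsts in unexpected_egress(flows).items():
        print(f"{host} reached non-allowlisted external hosts: {sorted(dsts)}")
    for src, dst, port, median, jitter in beacon_candidates(flows):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{median:.0f}s (jitter {jitter})")
```

On the constructed log, 192.168.50.30 is reported once for a single connection to a non-allowlisted host, while 192.168.50.12 is additionally flagged as a beacon candidate: five connections to the same endpoint about 300 seconds apart with a jitter ratio well under 0.1. The host in 192.168.10.0/24 is ignored because it is outside the IoT segment. Tune `min_connections` and `max_jitter_ratio` to the volume of your own flow data; the thresholds here are only illustrative.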

The discovery of the Raptor Train botnet further highlights the growing threat posed by IoT devices in the cyber domain. With over 200,000 compromised devices globally, this botnet has the potential to carry out massive DDoS attacks and other cyber operations, particularly as it is linked to a China-based APT group. Organizations must remain vigilant and implement strong security practices to protect their infrastructure from this evolving and dangerous threat.

Copyright CommandLink. All rights reserved.