Chinese botnet disrupted by the FBI - consumer devices affected

Office of Public Affairs | Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers | United States Department of Justice

Snip from the article:
The Justice Department today announced a court-authorized law enforcement operation that disrupted a botnet consisting of more than 200,000 consumer devices in the United States and worldwide. As described in court documents unsealed in the Western District of Pennsylvania, the botnet devices were infected by People’s Republic of China (PRC) state-sponsored hackers working for Integrity Technology Group, a company based in Beijing, and known to the private sector as “Flax Typhoon.”

The botnet malware infected numerous types of consumer devices, including small-office/home-office (SOHO) routers, internet protocol (IP) cameras, digital video recorders (DVRs), and network-attached storage (NAS) devices. The malware connected these thousands of infected devices into a botnet, controlled by Integrity Technology Group, which was used to conduct malicious cyber activity disguised as routine internet traffic from the infected consumer devices. The court-authorized operation took control of the hackers’ computer infrastructure and, among other steps, sent disabling commands through that infrastructure to the malware on the infected devices. During the course of the operation, there was an attempt to interfere with the FBI’s remediation efforts through a distributed denial-of-service (DDoS) attack targeting the operational infrastructure that the FBI was utilizing to effectuate the court’s orders. That attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet.


FBI's letter can be found here:
240918.pdf (ic3.gov)

And, important info:
The botnet uses the Mirai family of malware, designed to hijack IoT devices such as webcams, DVRs, IP cameras, and routers running Linux-based operating systems. The Mirai source code was posted publicly on the Internet in 2016, resulting in other hackers creating their own botnets based on the malware. Since that time, various Mirai botnets have been used to conduct DDoS and other malicious activities against victim entities within the U.S. The investigated botnet’s customized Mirai malware is a component of a system that automates the compromise of a variety of devices. To recruit a new “bot,” the botnet system first compromises an Internet-connected device using one of a variety of known vulnerability exploits (see Appendix B: Observed CVEs).

Post-compromise, the victim device executes a Mirai-based malware payload from a remote server. Once executed, the payload starts processes on the device to establish a connection with a command-and-control (C2) server using Transport Layer Security (TLS) on port 443. The processes gather system information from the infected device, including but not limited to the operating system version and processor, memory and bandwidth details to send to the C2 server for enumeration purposes. The malware also makes requests to “c.speedtest.net,” likely to gather additional Internet connection details. Some malware payloads were self-deleting to evade detection.

Excellent article on it here:
In mid-2023, Black Lotus Labs began an investigation into compromised routers that led to the discovery of a large, multi-tiered botnet consisting of small office/home office (SOHO) and IoT devices that we assess is likely operated by the nation-state Chinese threat actors known as Flax Typhoon. We call this botnet “Raptor Train,” and it has been over four years in the making.

At its peak in June 2023, the Raptor Train botnet consisted of over 60,000 actively compromised devices. Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to date. In fact, a command and control (C2) domain in the most recent campaign cracked both the Cloudflare Radar and Cisco Umbrella “top 1 million” popularity lists. Based on the recent scale of device exploitation, we suspect hundreds of thousands of devices have been entangled by this network since its formation in May 2020.


And their list of impacted devices:

  • Modems/Routers
    • ActionTec PK5000
    • ASUS RT-*/GT-*/ZenWifi
    • TP-LINK
    • DrayTek Vigor
    • Tenda Wireless
    • Ruijie
    • Zyxel USG*
    • Ruckus Wireless
    • VNPT iGate
    • Mikrotik
    • TOTOLINK

  • IP Cameras
    • D-LINK DCS-*
    • Hikvision
    • Mobotix
    • NUUO
    • AXIS
    • Panasonic

  • NVR/DVR
    • Shenzhen TVT NVRs/DVRs

  • NAS
    • QNAP (TS Series)
    • Fujitsu
    • Synology
    • Zyxel


If you own one of the above branded pieces of equipment, check the manufacturer's website for updated firmware. If you suspect it has been compromised, a full factory reset and firmware recovery is probably the only option to ensure code remnants don't persist.
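The advisory's description of the bot's behaviour (a TLS connection to a C2 server on port 443, plus lookups of c.speedtest.net from devices that have no business running speed tests) can be turned into a simple hunting heuristic for a home or small-office network. The following is an added example, not code from the FBI advisory, Black Lotus Labs or anyone in this thread; it runs over constructed DNS and flow logs, and the IoT subnet, the vendor allowlist, every address, the log formats and the thresholds are assumptions made for the demo:

```python
# Added example (not from the FBI advisory or the thread): hunt for the bot behaviour
# described above in constructed DNS and flow logs. The IoT subnet, the vendor allowlist,
# all addresses, the log formats and the thresholds are assumptions for the demo.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs. IoT VLAN is 10.10.0.0/24; .20 is a clean camera, .31 a suspect NVR.
# DNS fields: timestamp src qname
DNS_LOG = """\
2024-09-18T10:00:01 10.10.0.20 time.cloudflare.com
2024-09-18T10:00:05 10.10.0.31 c.speedtest.net.
2024-09-18T10:00:07 10.10.0.31 update.vendor-cdn.example
2024-09-18T10:01:00 10.10.0.20 update.vendor-cdn.example
"""
# Flow fields: timestamp src dst dport proto bytes
FLOW_LOG = """\
2024-09-18T10:00:02 10.10.0.20 203.0.113.50 443 tcp 1200
2024-09-18T10:00:08 10.10.0.31 198.51.100.77 443 tcp 4096
2024-09-18T10:01:02 10.10.0.20 203.0.113.50 443 tcp 800
2024-09-18T10:05:08 10.10.0.31 198.51.100.77 443 tcp 900
2024-09-18T10:10:08 10.10.0.31 198.51.100.77 443 tcp 910
2024-09-18T10:15:08 10.10.0.31 198.51.100.77 443 tcp 905
"""

IOT_PREFIX = "10.10.0."          # assumed IoT/SOHO VLAN
ALLOWED_DST = {"203.0.113.50"}   # assumed vendor cloud/update endpoints
BEACON_MIN_FLOWS = 3
SPEEDTEST_HOST = "c.speedtest.net"


def parse_dns(text):
    for line in text.splitlines():
        ts, src, qname = line.split()
        # normalise case and the trailing dot of a fully-qualified name
        yield ts, src, qname.lower().rstrip(".")


def parse_flows(text):
    for line in text.splitlines():
        ts, src, dst, dport, proto, nbytes = line.split()
        yield ts, src, dst, int(dport), proto.lower(), int(nbytes)


def looks_periodic(timestamps, max_cv=0.25):
    """True when the gaps between consecutive flows are nearly uniform (beacon-like)."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return False
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def build_profiles(dns_text, flow_text):
    """Per IoT device: did it look up c.speedtest.net, and which non-allowlisted
    hosts did it reach on TCP/443 (dst -> list of flow timestamps)."""
    profiles = defaultdict(lambda: {"speedtest": False, "tls_peers": defaultdict(list)})
    for _, src, qname in parse_dns(dns_text):
        if src.startswith(IOT_PREFIX) and qname == SPEEDTEST_HOST:
            profiles[src]["speedtest"] = True
    for ts, src, dst, dport, proto, _ in parse_flows(flow_text):
        if src.startswith(IOT_PREFIX) and proto == "tcp" and dport == 443 and dst not in ALLOWED_DST:
            profiles[src]["tls_peers"][dst].append(ts)
    return profiles


def score(profile):
    """Return (score, reasons): one point per indicator present."""
    reasons = []
    if profile["speedtest"]:
        reasons.append(f"IoT device resolved {SPEEDTEST_HOST}")
    beacons = [dst for dst, ts in profile["tls_peers"].items()
               if len(ts) >= BEACON_MIN_FLOWS and looks_periodic(ts)]
    if beacons:
        reasons.append("periodic TLS/443 flows to non-allowlisted " + ", ".join(sorted(beacons)))
    return len(reasons), reasons


def hunt(dns_text=DNS_LOG, flow_text=FLOW_LOG):
    """Map of device IP -> (score, reasons) for every device with at least one indicator."""
    findings = {}
    for ip, profile in build_profiles(dns_text, flow_text).items():
        s, reasons = score(profile)
        if s:
            findings[ip] = (s, reasons)
    return findings


if __name__ == "__main__":
    for ip, (s, reasons) in sorted(hunt().items(), key=lambda kv: -kv[1][0]):
        print(f"{ip} score={s}: " + "; ".join(reasons))
```

A hit on both indicators from a camera, DVR or NAS is worth pulling the device off the network and re-flashing; a single indicator is only a lead, since a router that genuinely runs a speed test or a NAS talking to an unlisted cloud service will also trip one of them. Tune the allowlist to what your vendors actually contact.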
Here’s an interesting piece of the backstory of the Mirai malware.

https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/

Turns out that the creators of the malware being used weren’t Chinese, it was 3 American high school kids. They were busted by the FBI but they didn’t do any time and the feds gave them jobs.

That doesn’t excuse TP-Link from shipping products with such lousy security though.
 
Comrade - you will own nothing and be happy …
Should I take my mandarin oranges back?

 
China would never get the idea to attempt to install all sorts of hidden programs etc. into the thousands of electronics products the Western world is today addicted to for any sinister reasons. Nah..... They would not think of such a thing. Wait... This thread is about
something along that line so maybe they really don't like us.
 
No wonder there is a 13th speed on my blender!
 