
Researchers Provide Full Description of Raptor Train Botnet with Over 60,000 Compromised Devices


A significant cybersecurity threat has been uncovered by researchers, with the detection of a large Chinese state-sponsored IoT botnet named “Raptor Train,” which had infiltrated more than 200,000 SOHO and IoT devices. This botnet, operated by Flax Typhoon, employed a sophisticated control system known as “Sparrow” to manage its vast network, posing a grave danger to various sectors, including military, government, and IT.

The “Raptor Train” botnet was structured as a three-tiered network controlled by the “Sparrow” management nodes. The compromised SOHO/IoT devices in Tier 1 were infected with a custom Mirai variant called “Nosedive” through exploitation and payload servers in Tier 2. The C2 servers in Tier 2 coordinated the bot activities, while Tier 3 management nodes oversaw the entire operation.

To avoid detection, the Nosedive implants were designed to be memory-resident only and employed anti-forensic techniques, making the compromised devices difficult to identify and investigate. The attackers targeted a wide range of SOHO and IoT devices, including routers, cameras, and NAS devices, exploiting both known and unknown vulnerabilities to build the massive Tier 1 botnet, whose nodes communicated constantly with central command and control (C2) servers.

The vast number of vulnerable devices online allowed the attackers to easily replace compromised devices without implementing persistence mechanisms, ensuring a continuous supply of nodes for their operations. Tier 2 consisted of virtual servers that controlled the compromised devices and delivered malicious payloads, with separate servers for general attacks and for targeted attacks that used obfuscated exploits, and with TLS certificates used for communication.

Further investigation revealed that Tier 3 management nodes, known as Sparrow nodes, oversaw the operations of the botnet, facilitating manual and automatic management of Tier 2 nodes. These Sparrow nodes provided a comprehensive web-based interface for botnet operators to execute commands, upload/download files, collect data, and initiate DDoS attacks.

The Raptor Train botnet, which has been active since May 2020, evolved its tactics over four campaigns targeting SOHO and IoT devices using a Mirai-based malware called Nosedive. The botnet operators, likely Chinese state-sponsored actors, have targeted critical infrastructure in the US, Taiwan, and other countries, according to reports.

With the intricate structure and sophisticated management system of the Raptor Train botnet, cybersecurity experts are working diligently to mitigate the threat posed by this state-sponsored IoT botnet. The continuous evolution and adaptability of such malicious entities highlight the ongoing battle faced by organizations in securing their networks and devices from cyberattacks.
