A botnet named Raptor Train, likely operated by a Chinese nation-state threat actor tracked as Flax Typhoon, was identified by cybersecurity researchers in mid-2023 [1].
Description
The botnet comprises over 200,000 compromised SOHO routers, NVR/DVR devices, NAS servers, and IP cameras [1] [2], making it one of the largest Chinese state-sponsored IoT botnets identified to date [1]. It is built on a three-tiered architecture [1] and targets devices from many manufacturers, including ActionTec, ASUS, Hikvision, and Shenzhen TVT [1]. The majority of infected nodes are geolocated in the US, Taiwan, Vietnam, Brazil, Hong Kong, and Turkey [1] [2]. Compromised devices run Nosedive, an in-memory implant built as a custom variant of the Mirai malware, which can execute commands, upload and download files, and mount DDoS attacks [1]. The botnet has been linked to four distinct campaigns since mid-2020 [1]. Despite the implant's DDoS capability, no DDoS attacks by the botnet have been observed; instead, the evidence indicates it has been used to target entities across several sectors [1].
Conclusion
The Raptor Train botnet poses a significant risk, particularly to entities in the military, government, higher education, telecommunications, defense industrial base, and IT sectors [1] [2]. Because Nosedive is an in-memory implant, rebooting an infected device evicts it, although an unpatched device can simply be recompromised; regular reboots and prompt firmware updates are the baseline mitigations the researchers recommend [2], and devices that no longer receive vendor patches should be replaced. The botnet illustrates the continuing use of SOHO and IoT devices as infrastructure by state-sponsored actors and the need for sustained investment in defending them.
References
[1] The Hacker News, "New Raptor Train IoT Botnet Compromises Over 200,000 Devices Worldwide", September 2024. https://thehackernews.com/2024/09/new-raptor-train-iot-botnet-compromises.html
[2] Lumen Black Lotus Labs, "Derailing the Raptor Train". https://blog.lumen.com/derailing-the-raptor-train/