In a major cyber operation, the U.S. Justice Department announced the successful takedown of a botnet controlled by People’s Republic of China (PRC) state-sponsored hackers.
The botnet, dubbed “Raptor Train” by Black Lotus Labs, spanned over 200,000 devices globally. It was linked to hackers working for Integrity Technology Group, a Beijing-based company known in cybersecurity circles as “Flax Typhoon.”
It infected various consumer devices like home routers, IP cameras, and DVRs, forming a network that hackers used for malicious activities disguised as normal internet traffic. In response, U.S. authorities launched a court-authorized operation, effectively neutralizing the botnet by sending disabling commands to infected devices. Despite an attempt to block the FBI’s efforts through a Distributed Denial of Service (DDoS) attack, the operation was successful.
Countering Threats to National Security
Attorney General Merrick Garland condemned the actions of the PRC-backed hackers, emphasizing the Justice Department’s ongoing commitment to countering threats to national security. Deputy Attorney General Lisa Monaco echoed this, stressing that the operation demonstrates the U.S. government’s determination to protect Americans from cyber threats.
FBI Deputy Director Paul Abbate lauded the agency’s international collaboration, which led to the disruption of the botnet infrastructure.
The botnet was first identified in July last year and has been used by Flax Typhoon hackers to target government, academic, and critical infrastructure entities globally. Microsoft Threat Intelligence confirmed these findings, noting Flax Typhoon’s activities since 2021.
In a coordinated effort, the FBI and cybersecurity agencies from several countries, including Australia, Canada, and the UK, released a comprehensive advisory on the tactics used by Integrity Technology Group and provided remediation guidelines for affected users.
The report said: These efforts would not have been successful without the collaboration of partners, including French authorities, Lumen Technologies’ threat intelligence group, and Black Lotus Labs.
Safeguarding Our Collective Security
“I cannot understate how important Ryan and his team at Black Lotus are to safeguarding our collective security. Kudos to Lumen for being transparent,” commented Evan Dornbush, a former NSA cybersecurity expert.
He said the reason this threat actor goes after SOHO devices like SOHO routers and DVRs and IP cameras is because the owner/operator is neither technical nor interested.
“Network threat detection—inaccessible for most users—is critical. Forward-leaning ISPs and telecom companies that can advance the reach of network detection and response should be praised for sharing their findings and allowing big action, such as a botnet takedown, to happen.”
Dornbush says that by disrupting the bad actor’s operations, Black Lotus has made it more expensive and difficult for them to carry out future attacks. “Making attacks more costly is a critical and often overlooked aspect to protecting our digital infrastructure.”
Victim Outreach and Prevention
The FBI is reaching out to U.S. victims through internet service providers to alert them about compromised devices. They have also encouraged individuals to report any suspected breaches through the FBI’s Internet Crime Complaint Center (IC3) or the Cybersecurity and Infrastructure Security Agency (CISA).
This operation marks the second successful disruption of a China-sponsored botnet by U.S. authorities this year, reinforcing their resolve to dismantle malicious cyber networks threatening global cybersecurity.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.