FBI Disrupts Another Massive Chinese-Linked Botnet
2024-09-19 03:07:05 Author: securityboulevard.com

A massive botnet created by a China-linked threat group that was four years in the making and comprised hundreds of thousands of Internet of Things (IoT) and other connected devices in the United States and other countries was disrupted last week by federal law enforcement agencies and cybersecurity firms.

The botnet created by the group Flax Typhoon, dubbed “Raptor Train” by Lumen’s Black Lotus Labs threat intelligence group, targeted critical infrastructure operations as well as corporations, media organizations, universities, and government agencies, FBI Director Christopher Wray said during a talk at a cybersecurity conference in Washington DC Wednesday, according to Reuters.

Wray reportedly added that once the operation to disrupt the botnet got underway, the botnet operators tried to move their bots to new servers and even targeted the agencies with a DDoS attack.

Flax Typhoon took control of internet-connected devices like small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and IoT devices to create a botnet that could be used for a number of nefarious activities, including distributed denial-of-service (DDoS) attacks, compromising networks, and deploying malware, according to a joint advisory issued by the FBI, National Security Agency (NSA), and other U.S. and international law enforcement agencies.

The primary payload was a customized variant of the notorious Mirai malware, which has been around since 2016 and used to create botnets from connected devices. The Mirai source code was open sourced a year later by the alleged author of the malware after it was used to launch a huge DDoS attack.

A Large IoT Botnet

Black Lotus researchers wrote that Raptor Train has become “one of the largest Chinese state-sponsored IoT botnets discovered to-date. … Based on the recent scale of device exploitation, we suspect hundreds of thousands of devices have been entangled by this network since its formation in May 2020.”

Flax Typhoon is the latest threat group linked to China that has targeted networks and systems in the United States. In February, the FBI, CISA, and others warned that the Volt Typhoon gang had successfully compromised the IT environments of critical infrastructure firms in such sectors as communications, energy, transportation, and water and wastewater systems.

Volt Typhoon had been in some of these networks for as long as five years, essentially prepositioning itself to disrupt operations if conflict between the United States and China broke out.

Likewise, the Black Lotus analysts wrote that while they had “yet to see any DDoS attacks originating from Raptor Train, we suspect this is an ability the China-based operators preserve for future use.”

Still, there has been some activity from the network targeting organizations in the military, government, higher education, telecommunications, IT, and defense industrial base areas in the United States and Taiwan. In addition, possible exploitation attempts of Atlassian Confluence servers and Ivanti Connect Secure applications from nodes linked to the botnet have been seen.

Microsoft analysts also said last month that they had seen Flax Typhoon targeting dozens of Taiwanese organizations in attacks likely meant for cyberespionage operations, maintaining “long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.”

FBI Points Finger at Chinese Company

The FBI in the advisory said that since 2021, the Integrity Technology Group, a Chinese company that law enforcement said has links to the country’s government, has been actively managing the botnet via China Unicom Beijing Province Network IP addresses.

The same IP addresses were used to access other operational infrastructure in campaigns aimed at U.S. companies. The activities in these attacks were consistent with tactics used by Flax Typhoon, according to the FBI.

At its largest last year, the botnet consisted of more than 60,000 active devices, though since then at least 200,000 devices – SOHO routers, network video recorder (NVR) and digital video recorder (DVR) devices, NAS servers, and IP cameras – have run through the botnet, according to Black Lotus.

Managing the Large Botnet

The threat group managed the multiple-tier botnet through dozens of command-and-control (C2) servers, a centralized Node.js back end, and a front end that featured a cross-platform Electron application that the bad actors called “Sparrow,” according to the researchers.

“This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time,” they wrote.

The law enforcement agencies said the management servers used a MySQL database to store information that included more than 1.2 million records of compromised devices, including more than 385,000 victim devices in the United States that had been either previously or actively exploited for inclusion in the botnet.

According to numbers from the FBI, 47.9% of the devices that have made up the botnet were in the United States. Vietnam was the next country on the list, with 8% of the devices. Almost all of the devices – 89.2% – were powered by x86 processors, with the rest spread across MIPS, Arm, x86_64, and MIPSEL chip architectures.


Source: https://securityboulevard.com/2024/09/fbi-disrupts-another-massive-chinese-linked-botnet/