The FBI has dismantled a large botnet that infected more than 1.2 million IoT devices worldwide, around 10% of them in Germany. The botnet, called Raptor Train, was taken down by the US Department of Justice after obtaining a court order. The action consisted of cutting off IP traffic to the botnet's payload servers, supporting infrastructure, and command and control (C2) servers. The botnet was shut down after the FBI took control of parts of that infrastructure.
In mid-2023, Black Lotus Labs, a division of Lumen Technologies, discovered the IoT botnet and notified law enforcement. According to FBI reports, Integrity Technology Group, a Chinese company, was responsible for operating the botnet. Leading companies including Microsoft and CrowdStrike have linked the operation to the Chinese state-sponsored hacking group Flax Typhoon.
In June, Integrity Technology Group controlled more than 260,000 compromised routers, cameras and network-attached storage (NAS) devices worldwide, including around 19,000 in Germany. Devices from a number of well-known manufacturers, such as Asus, DrayTek, Hikvision and TP-Link, were targeted by the botnet. The compromises did not rely on zero-day vulnerabilities but on known flaws that many manufacturers are still patching through security updates. The compromised devices were controlled by a sophisticated infrastructure.
The botnet operated in three layers. The number of active bots fluctuated because the malware on infected devices, which formed level 1, resided only in memory and did not survive a reboot. Typically, a compromised device remained part of the botnet for approximately 17 days. Over its four years of existence the botnet infected around 1.2 million devices. Black Lotus Labs named the malware used in the botnet Nosedive. It is based on the well-known Mirai code and runs on both ARM and x86 hardware architectures.
The botnet's main targets were US and Taiwanese institutions in education, telecommunications, government and the military. The researchers had only partial access to the C2 servers that ran the botnet, but they still observed advanced features that pointed to a DDoS capability; no such attacks were confirmed, however. Investigators believe the botnet was used to carry out attacks against high-end hardware and software systems from companies including Cisco, IBM and Ivanti, exploiting weaknesses in those products while using the hacked IoT devices to hide the attacks' origin.