TechRadar
Sead Fadilpašić

China-nexus cyber actors are turning routers and IoT infrastructure into covert botnets 'at scale' – NCSC, Five Eyes, and others warn of campaign involving Typhoon-designated groups

  • A joint advisory from 10 nations warns that Chinese state‑sponsored groups are using large botnets of compromised IoT and SOHO devices.
  • These covert networks allow attackers to hide their location, launch DDoS attacks, spread malware, and steal sensitive data at scale.
  • Agencies urge organizations to patch devices, enforce strong credentials, and monitor for compromise indicators to reduce exposure.

Most Chinese state-sponsored threat actors are using botnets of compromised IoT and SOHO devices as their attack infrastructure, according to a new 10-country joint security advisory.

Earlier this week, security agencies from 10 countries, including the NSA, DOJ, NCSC, and others, published a new report called “Defending against China-nexus covert networks of compromised devices,” which argues that these groups are using the botnets to steal people’s data or disrupt activities.

"Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks," the report says. "The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale."

Raptor Train

These actors look for vulnerable or poorly protected internet-connected devices, such as small office / home office (SOHO) routers and Internet of Things (IoT) devices such as smart TVs, smart cameras, and DVRs, and infect them with malware. This malware gives them full control over the devices, which they can later use to hide their location, launch Distributed Denial of Service (DDoS) attacks, deploy more malware, or steal sensitive information.

One of the botnets mentioned in the report is called Raptor Train, which operated more than 200,000 devices worldwide. According to The Register, it was the FBI who previously linked this botnet to a Chinese state-sponsored group called Flax Typhoon.

There is a whole series of “typhoon” groups, such as Salt Typhoon, Brass Typhoon, Volt Typhoon, and others. All of them, it would seem, have been using these botnets in their activities. Volt Typhoon, for example, used outdated Cisco and Netgear routers to establish the KV Botnet.

To keep endpoints from being infected, the agencies advise keeping devices up to date with the latest patches, enforcing strong login credentials, and regularly scanning for indicators of compromise.

Via The Register
