China-State IoT Botnet Functioned Undetected for Four Years, Recently Uncovered

# FBI Disassembles Vast Chinese State-Sponsored Botnet: Raptor Train

In a notable achievement for cybersecurity, the FBI has effectively dismantled a vast botnet referred to as **Raptor Train**, which had been utilized by Chinese state-sponsored hackers for more than four years. This botnet aimed at a diverse array of entities, including government bodies, telecommunications firms, defense contractors, and other essential infrastructure in the United States and Taiwan. This operation represents a significant advancement in the persistent conflict against state-sponsored cyber intrusions, especially those emanating from China.

## The Extent of the Botnet

Raptor Train consisted mainly of compromised **Internet of Things (IoT)** devices, such as small office and home routers, surveillance cameras, and network-attached storage (NAS) devices. Over the past four years, more than **260,000 devices** cycled through the botnet, with **60,000 devices** active at its peak in June 2023, according to researchers from **Black Lotus Labs**. This makes Raptor Train the largest botnet connected to the Chinese state ever uncovered.

The structure of the botnet was organized into a **three-tier framework** that enabled it to function with exceptional efficiency and accuracy. The affected devices were distributed worldwide, with more than half situated in North America and another 25% in Europe.

## A Second Major Seizure in 2024

Raptor Train is the second botnet associated with the Chinese state that the FBI has disassembled in 2024. Earlier this year, the FBI took down another botnet linked to a Chinese hacking faction named **Volt Typhoon**. Similar to Raptor Train, Volt Typhoon leveraged compromised IoT devices to initiate assaults on vital infrastructure. These botnets pose a particular threat as they utilize IP addresses from trusted devices, enabling them to circumvent numerous network security measures.

The **Chinese hackers** responsible for Raptor Train are affiliated with a group identified as **Flax Typhoon**, which has connections to **Integrity Technology Group**, a China-based entity associated with the **People’s Republic of China**. The company deployed state-controlled IP addresses from **China Unicom Beijing Province Network** to oversee the botnet.

## FBI’s Action to Dismantle Raptor Train

The FBI’s campaign against Raptor Train consisted of **court-sanctioned operations** that permitted law enforcement to seize control of the botnet’s infrastructure. This involved identifying compromised devices and issuing commands to remove the malware from them. FBI Director **Christopher Wray** stated that when the hackers realized that their botnet was being dismantled, they sought to migrate their bots to new servers and even launched a **Distributed Denial of Service (DDoS)** attack against the FBI. Nevertheless, the FBI and its partners swiftly mitigated the attack and pinpointed the new infrastructure, compelling the hackers to abandon their botnet.

## The Framework of Raptor Train

Raptor Train’s intricate structure facilitated its operation on a vast scale. The botnet was structured into three tiers:

1. **Tier 1**: This tier was composed of compromised IoT devices like routers, IP cameras, and NAS devices. These devices were infected with a specific malware known as **Nosedive**, which is based on **Mirai**, an infamous IoT malware responsible for unprecedented DDoS attacks in 2016. Many of the compromised devices were at the end of their operational life, meaning they no longer received security updates, rendering them easy prey for exploitation. The FBI identified more than **70 vulnerabilities** that were exploited to compromise these devices from 2019 to 2024.

2. **Tier 2**: This tier consisted of virtual servers that acted as **command-and-control (C2)** servers for the Tier 1 devices. These servers transmitted exploits and payloads to the infected devices and maintained communication using a distinctive URL encoding method and domain injection technique. The number of Tier 2 nodes steadily increased over the years, reaching **60 nodes** by August 2024.

3. **Tier 3**: This tier included a limited number of **management nodes** operating specialized software named **Sparrow**. These nodes enabled the Flax Typhoon hackers to manually control the Tier 2 nodes and gather intelligence from the botnet. Interactions between Tier 2 and Tier 3 typically occurred during Chinese business hours, signifying the participation of state-sponsored actors.
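The business-hours pattern noted for Tier 2 to Tier 3 traffic is a working-hours heuristic that defenders can apply to their own connection logs. The following is an added example, not code from the report or from Black Lotus Labs: it parses a constructed sample of session timestamps (UTC) and scores how many fall within 09:00-17:59 on weekdays for several candidate operator time zones, using fixed UTC offsets that are assumptions valid for the sample month rather than a full time-zone database.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from the report): Tier 2 -> Tier 3 sessions, UTC timestamps.
SAMPLE_LOG = """\
2024-08-05T02:14:07Z src=203.0.113.10 dst=198.51.100.7 bytes=4120
2024-08-05T06:48:33Z src=203.0.113.11 dst=198.51.100.7 bytes=980
2024-08-06T01:02:51Z src=203.0.113.10 dst=198.51.100.7 bytes=12000
2024-08-07T09:30:00Z src=203.0.113.12 dst=198.51.100.7 bytes=771
2024-08-10T03:15:00Z src=203.0.113.10 dst=198.51.100.7 bytes=5000
2024-08-12T18:45:10Z src=203.0.113.13 dst=198.51.100.7 bytes=640
"""

# Candidate operator time zones as fixed UTC offsets (assumption: valid for the
# sample's month, August 2024; DST is not modelled, adjust for other months).
CANDIDATE_ZONES = {
    "Asia/Shanghai": timezone(timedelta(hours=8)),
    "Europe/Berlin": timezone(timedelta(hours=2)),
    "America/New_York": timezone(timedelta(hours=-4)),
}
BUSINESS_HOURS = range(9, 18)  # 09:00-17:59 local time, Monday to Friday

def parse_timestamps(log_text):
    """Return aware UTC datetimes taken from the first field of each log line."""
    stamps = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
        stamps.append(ts.replace(tzinfo=timezone.utc))
    return stamps

def in_business_hours(ts, tz):
    """True if the UTC timestamp lands on a weekday business hour in zone tz."""
    local = ts.astimezone(tz)
    return local.weekday() < 5 and local.hour in BUSINESS_HOURS

def business_hour_ratio(stamps, tz):
    """Fraction of sessions that fall within local business hours for tz."""
    if not stamps:
        return 0.0
    return sum(in_business_hours(ts, tz) for ts in stamps) / len(stamps)

def best_fit_zone(stamps, zones=CANDIDATE_ZONES):
    """Zone whose business hours explain the most sessions, with its ratio."""
    scored = {name: business_hour_ratio(stamps, tz) for name, tz in zones.items()}
    best = max(scored, key=scored.get)
    return best, scored[best]

if __name__ == "__main__":
    stamps = parse_timestamps(SAMPLE_LOG)
    for name, tz in CANDIDATE_ZONES.items():
        print(f"{name:18s} {business_hour_ratio(stamps, tz):.2f}")
    print("best fit:", best_fit_zone(stamps))
```

A single timing signal is weak evidence on its own; it is most useful combined with the other indicators the report lists, such as the C2 infrastructure and the Nosedive implant.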

## Attacking Critical Infrastructure

The botnet was primarily intended to target critical infrastructure in the US and Taiwan, encompassing **military, governmental, telecommunications, defense industrial base (DIB)**, and **higher education** sectors. In late 2023, the botnet operators engaged in extensive scanning operations aimed at US military and governmental systems, in addition to IT service providers and DIBs. They also targeted vulnerable software, such as **Atlassian Confluence** servers and **Ivanti Connect Secure** appliances, leveraging known