China-nexus cyber actors are turning routers and IoT infrastructure into covert botnets 'at scale' – NCSC, Five Eyes, and others warn of campaign involving Typhoon-designated groups


  • A joint advisory from 10 nations warns that Chinese state‑sponsored groups are using large botnets of compromised IoT and SOHO devices.
  • These covert networks allow attackers to hide their location, launch DDoS attacks, spread malware, and steal sensitive data at scale.
  • Agencies urge organizations to patch devices, enforce strong credentials, and monitor for compromise indicators to reduce exposure.

Most Chinese state-sponsored threat actors are using botnets of compromised IoT and SOHO devices as their cybercriminal infrastructure, according to a new joint security advisory from 10 countries.

Earlier this week, security agencies from 10 countries, including the NSA, DOJ, NCSC, and others, published a new paper called “Defending against China-nexus covert networks of compromised devices,” which argues that these groups are using the botnets to steal people’s data or disrupt activities.

"Anyone who is a target of China-nexus cyber actors may be impacted by the use of covert networks," the report says. "The use of covert networks of compromised devices - also known as botnets - to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale."


Raptor Train

These actors look for vulnerable or poorly protected internet-connected devices, such as small office/home office (SOHO) routers and Internet of Things (IoT) devices (smart TVs, smart cameras, DVRs, and others), and infect them with malware. The malware gives them full control of the devices, which they can then use to hide their location, launch Distributed Denial of Service (DDoS) attacks, deploy further malware, or steal sensitive information.

One of the botnets mentioned in the report is called Raptor Train, which operated more than 200,000 devices worldwide. According to The Register, it was the FBI who previously linked this botnet to a Chinese state-sponsored group called Flax Typhoon.

There is a whole series of “typhoon” groups, such as Salt Typhoon, Brass Typhoon, Volt Typhoon, and others. All of them, it would seem, have been using these botnets in their activities. Volt Typhoon, for example, used outdated Cisco and Netgear routers to establish the KV Botnet.

To defend your endpoints from being infected, the agencies advise keeping them up to date with the latest patches, keeping strong login credentials, and regularly scanning for indicators of compromise.
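The three hygiene points the agencies list (patch level, credential strength, and a routine check for signs of compromise) can be turned into a repeatable audit over a device inventory. The following is an added example, not code from the advisory, the agencies, or TechRadar: every device record, firmware baseline, default-credential pair, and allowlisted host in it is a constructed placeholder, and the "unexpected outbound host" check stands in for the advisory's own indicators, which are not reproduced on this page.

```python
"""Added example (not from the advisory or the article): audit a small
SOHO/IoT device inventory for outdated firmware, weak or default
credentials, and outbound connections to hosts that are not expected.
All records, baselines, credential pairs and hosts below are constructed
placeholders for illustration only."""
import re
from dataclasses import dataclass, field

# Constructed baseline: minimum acceptable firmware per device model (assumed values).
MIN_FIRMWARE = {
    "router-model-a": (2, 1, 4),
    "camera-model-b": (5, 0, 0),
    "dvr-model-c": (1, 9, 2),
}

# Constructed set of vendor default username/password pairs (placeholders).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("user", "user"),
}


@dataclass
class Device:
    name: str
    model: str
    firmware: str                 # dotted version string, e.g. "2.0.9"
    username: str
    password: str
    outbound_hosts: list = field(default_factory=list)  # hosts the device talks to


def parse_version(version: str) -> tuple:
    """Turn "2.1.4" into (2, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(device: Device) -> bool:
    """True if firmware is below the baseline, or the model has no known baseline."""
    baseline = MIN_FIRMWARE.get(device.model)
    if baseline is None:
        return True  # unknown model: patch level cannot be confirmed, so flag it
    return parse_version(device.firmware) < baseline


def is_weak_credential(device: Device) -> bool:
    """Flag vendor defaults, short passwords, and passwords with low character diversity."""
    if (device.username, device.password) in DEFAULT_CREDENTIALS:
        return True
    pw = device.password
    if len(pw) < 12:
        return True
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes < 3


def unexpected_outbound(device: Device, allowlist: set) -> list:
    """Return the outbound hosts a device contacts that are not on the allowlist."""
    return [host for host in device.outbound_hosts if host not in allowlist]


def audit(devices: list, allowlist: set) -> dict:
    """Map each device name to its list of findings; clean devices are omitted."""
    findings = {}
    for device in devices:
        issues = []
        if is_outdated(device):
            issues.append("outdated-firmware")
        if is_weak_credential(device):
            issues.append("weak-credential")
        extra = unexpected_outbound(device, allowlist)
        if extra:
            issues.append("unexpected-outbound:" + ",".join(extra))
        if issues:
            findings[device.name] = issues
    return findings


# Constructed sample inventory; 198.51.100.23 is from the documentation address range.
SAMPLE_DEVICES = [
    Device("lobby-router", "router-model-a", "2.0.9", "admin", "admin", ["ntp.example.net"]),
    Device("dock-camera", "camera-model-b", "5.2.0", "ops", "Xk9#vmQ2pLr7wT",
           ["ntp.example.net", "198.51.100.23"]),
    Device("garage-dvr", "dvr-model-c", "1.9.2", "admin", "S3cure!Passw0rd"),
    Device("unknown-tv", "tv-model-z", "3.0.0", "user", "user"),
]
ALLOWLIST = {"ntp.example.net", "update.example.net"}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_DEVICES, ALLOWLIST).items():
        print(f"{name}: {', '.join(issues)}")
```

Running the block as-is flags the lobby router (old firmware, default login), the dock camera (talks to a host outside the allowlist), and the unknown TV (no baseline, default login), while the DVR passes. The firmware comparison is deliberately tuple-based so that "2.10.0" sorts after "2.9.0"; a plain string comparison would get that wrong.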

Via The Register




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
