Chinese malware has infected 2,000 devices in Spain, according to the FBI


A large network of routers and other devices infected by malware controlled by Chinese hackers also has nodes in Spain, according to a document published this Wednesday by the FBI in which it warns of all types of IoT devices that may have been compromised on the network.

A botnet called “Raptor Train” has infected more than 260,000 network devices over several years, mainly in the United States and Taiwan, but also in other countries including Spain, which accounts for about 0.8% of the infected devices.

Botnets are networks of computers or other computing devices infected by malware, which can be controlled remotely by an attacker to steal data, launch cyberattacks, or for other purposes.

Over the course of about four years, starting in May 2020 and first discovered in 2023, Raptor Train has evolved into a vast, multi-tiered network with a complex control system, infecting a large number of SOHO routers and other consumer devices such as modems, NVRs and DVRs, IP cameras, and Network Attached Storage (NAS) servers. SOHO (Small Office/Home Office) routers are the ordinary routers typically used in homes or small offices.

Primarily targeting the United States, the botnet has been used to attack military, government, higher education and telecommunications targets. Cybersecurity researchers believe that at its peak, the botnet was able to control more than 60,000 devices simultaneously, having affected more than 200,000 devices since 2020.

Malware nodes

In this context, the FBI published a report on the threat this Wednesday, including a graph showing the number of nodes of this network detected in different countries. A total of 19 countries appear on the list, and Spain is in last place with the fewest nodes detected, around 2,000, equivalent to 0.8% of the entire botnet. Across Europe, the FBI believes there are 65,600 infected devices in total.

After infecting the devices, “the actors can then use the botnet as a proxy to hide their identities while launching distributed denial of service (DDoS) attacks or compromising targeted US networks,” the FBI warns. The attackers are believed to be hackers linked to the Chinese government.

Botnet operation

By continent, the most affected are, in this order: North America, Europe, Asia, Africa, Oceania and South America. By processor architecture, the most affected are x86 and MIPS devices.

Tips to mitigate the threat

The FBI has recommended seven practices to mitigate the threats posed by adversaries attempting to use botnets for malicious activities. “The following guidance applies both to preventing IoT devices from becoming part of a botnet, and to defending networks from botnets that are already in operation,” the US security service says. These are:

  • Disable unused services and ports
  • Implement network segmentation
  • Monitor high network traffic
  • Apply patches and updates
  • Change default passwords
  • Schedule device reboots
  • Replace obsolete equipment
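The “monitor high network traffic” recommendation is the one most directly aimed at catching an already-infected device: a router, camera or NAS that has been turned into a proxy or DDoS node suddenly sends far more data, to far more destinations, than it normally does. The following Python script is an added illustration, not code from the article or from the FBI report; it runs a simple per-device baseline check over constructed hourly flow summaries (device names, volumes and destination counts are all invented for the example).

```python
# Constructed per-device outbound flow summaries for an IoT/SOHO segment:
# (device, hour, bytes_out, distinct_destinations). Illustrative values only.
FLOW_SAMPLES = [
    ("camera-01", 0, 2_000_000, 3),
    ("camera-01", 1, 2_100_000, 3),
    ("camera-01", 2, 1_900_000, 2),
    ("camera-01", 3, 2_050_000, 3),
    ("camera-01", 4, 95_000_000, 480),  # proxy/DDoS-like spike in volume and fan-out
    ("nas-01", 0, 5_000_000, 2),
    ("nas-01", 1, 4_800_000, 2),
    ("nas-01", 2, 5_200_000, 2),
    ("nas-01", 3, 5_100_000, 2),
    ("nas-01", 4, 5_000_000, 2),
]


def baseline(samples, device, upto_hour, min_history=3):
    """Mean bytes_out and destination count for `device` over the hours before
    `upto_hour`, or None when fewer than `min_history` hours are available."""
    rows = [r for r in samples if r[0] == device and r[1] < upto_hour]
    if len(rows) < min_history:
        return None
    n = len(rows)
    return sum(r[2] for r in rows) / n, sum(r[3] for r in rows) / n


def find_anomalies(samples, byte_factor=10.0, dest_factor=10.0):
    """Return (device, hour, reason) for every hour in which a device's outbound
    volume or number of distinct destinations exceeds its own baseline by the
    given factor. Devices without enough history are skipped, not alerted on."""
    alerts = []
    for device, hour, bytes_out, dests in samples:
        base = baseline(samples, device, hour)
        if base is None:
            continue
        base_bytes, base_dests = base
        reasons = []
        if bytes_out > byte_factor * base_bytes:
            reasons.append(f"bytes_out {bytes_out} > {byte_factor}x baseline {base_bytes:.0f}")
        if dests > dest_factor * base_dests:
            reasons.append(f"destinations {dests} > {dest_factor}x baseline {base_dests:.1f}")
        if reasons:
            alerts.append((device, hour, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for device, hour, reason in find_anomalies(FLOW_SAMPLES):
        print(f"ALERT {device} hour={hour}: {reason}")
```

On the constructed data only camera-01 at hour 4 is flagged, on both the volume and the fan-out criteria; the steady NAS produces no alert.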

The management servers from which the botnet is controlled host an application known as “Sparrow,” which allows users to interact with the network of infected devices, the FBI said. The actors used specific IP addresses registered with China Unicom Beijing Province Network to access the app.
