Four Years Undetected: The IoT Security Lessons from Raptor Train

On September 18, 2024, Black Lotus Labs and the FBI released reports on the Raptor Train botnet. Black Lotus Labs published its analysis of the botnet's technical details, and at the same time FBI Director Christopher Wray revealed that the Bureau had conducted a joint operation to disrupt the botnet's operations.

Raptor Train is unique because at its height the botnet consisted of 260,000 small office/home office (SOHO) and Internet of Things (IoT) devices. This meant that the threat actors behind the botnet, which Black Lotus identified as a Chinese state-sponsored group, controlled numerous IP cameras, network video recorders (NVRs), networked routers, and many more IoT devices. 

The scary reality is that this botnet grew and shifted for almost four years without being discovered. Stories like this illustrate the challenges facing IoT security, and they make clear how vital a strong security program is to keeping connected devices protected against malicious influence.

Why Raptor Train is Significant

Raptor Train is one of the largest botnets in history. According to Black Lotus Labs' analysis, the botnet included more than 260,000 IoT devices over its four years of operation. At its height, around June 2023, around 60,000 connected devices such as small office/home office routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras made up the botnet.

The Chinese nation-state threat actor group known as Flax Typhoon operated the botnet until the FBI operation interrupted its traffic. One of the command-and-control domains that Flax Typhoon set up received so much traffic from the botnet that at one point it entered the list of the one million most popular web domains. This indicates the potential power the threat actors had: they have not yet been observed using any portion of the botnet for DDoS attacks, but the possibility is there.

Flax Typhoon would use the infected machines as needed and cycle through them. All told, around 260,000 connected devices were used throughout the four years since the botnet was initially created. 

This is a monumental accomplishment. Flax Typhoon was able to use the botnet to conduct extensive scanning of military, telecom, government, and defense industry organizations in the United States and Taiwan. Black Lotus didn’t notice any DDoS attacks from the group, but that doesn’t mean Flax Typhoon would not have conducted those operations. 

The reality is that Flax Typhoon could have used its army of infected IoT devices for any number of malicious actions. The fact that it didn't does not lessen how comprehensively this group compromised so many devices.

Protecting IoT Devices Against Compromise

Organizations with extensive IoT estates need to take a comprehensive approach to defending their systems against compromises like Raptor Train. The group behind the attack was able to take ownership of so many devices because of the basic insecurity of most IoT technology: connected systems are often poorly monitored and poorly maintained, and many manufacturers do not focus on building security into their products.

More importantly, many organizations lack visibility into the full scope of their IoT architecture. Not knowing what is attached to the network, what its vulnerabilities are, and what its normal behavior is can lead to compromise through something like Raptor Train, or even to the opening stages of a ransomware attack.

As a first step, security teams need to conduct a comprehensive inventory of their IoT devices to capture information about the connected equipment on their network. Inventory alone, however, is not enough to ensure overall security: knowing what is on a corporate network only partly helps with defense.

Enterprises also need to: 

Conduct a Risk Analysis of All Connected Devices

A risk analysis is crucial for defending IoT devices. Not every device will have the same impact on the rest of the enterprise if it is compromised, nor will every vulnerability result in a device takeover. A risk analysis that weighs the real likelihood of a vulnerability being exploited to compromise systems in its specific context ensures that limited resources are deployed where they matter.

Performing this risk analysis across the connected IoT landscape ensures that security teams apply the most comprehensive security to the devices with the largest potential impact should they be compromised. This ultimately results in better security through a more efficient allocation of security resources.

Because not all devices have the same potential impact when compromised, not everything should necessarily get the same level of security monitoring or defenses in place. This is the result of conducting a risk analysis on every discovered IoT device. 

Implement Controls for Configuration Drift

Configuration drift is one of the most significant security issues for IoT devices. It is very easy for anyone to make configuration changes, maliciously or not, that create potential security problems. Maybe a network technician is seeking to get data from the IoT device, or the manufacturer is pushing remote upgrades. Either situation could cause configuration drift that leaves organizations open to attack.

As such, organizations need a solution that can take configuration snapshots and make it easier to take control of changes in device settings that may be dangerous. Integrating a configuration control solution, like the one Asimily provides, into the security strategy ensures that defenders have insight into the last known good state and can quickly revert to it.
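The snapshot-and-revert workflow described above, as an added example that is not the post's or Asimily's own code: a last-known-good snapshot is fingerprinted, the current configuration is diffed against it, security-relevant keys are flagged at higher severity, and a revert plan is produced. The configuration keys and the two snapshots are constructed for this example.

```python
"""Configuration drift check for an IoT device against a last-known-good
snapshot (added example; device config keys are constructed)."""
import hashlib
import json

# Keys whose change weakens the device's security posture (constructed list);
# any other change is still drift, but is reported at lower severity.
SECURITY_KEYS = {"telnet_enabled", "admin_users", "firmware_version",
                 "upnp_enabled", "remote_mgmt"}


def fingerprint(config):
    """Stable SHA-256 of a config dict, so snapshots compare cheaply."""
    canonical = json.dumps(config, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def diff_config(known_good, current):
    """Return drift entries as (key, old_value, new_value, severity)."""
    drift = []
    for key in sorted(set(known_good) | set(current)):
        old, new = known_good.get(key), current.get(key)
        if old != new:
            severity = "high" if key in SECURITY_KEYS else "low"
            drift.append((key, old, new, severity))
    return drift


def revert_plan(known_good, current):
    """Keys to set back to their good values, and keys to delete."""
    to_set = {k: v for k, v in known_good.items() if current.get(k) != v}
    to_delete = [k for k in current if k not in known_good]
    return to_set, to_delete


# Constructed snapshots of one IP camera: the last known good state and
# what a later snapshot shows after an unapproved change.
KNOWN_GOOD = {"telnet_enabled": False, "admin_users": ["admin"],
              "ntp_server": "10.0.0.2", "firmware_version": "2.4.1",
              "remote_mgmt": False}
CURRENT = {"telnet_enabled": True, "admin_users": ["admin", "svc"],
           "ntp_server": "10.0.0.3", "firmware_version": "2.4.1",
           "remote_mgmt": False, "debug_port": 2323}

if __name__ == "__main__":
    if fingerprint(KNOWN_GOOD) != fingerprint(CURRENT):
        for entry in diff_config(KNOWN_GOOD, CURRENT):
            print(entry)
        print(revert_plan(KNOWN_GOOD, CURRENT))
```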

Integrate Behavior Monitoring and Anomaly Detection

Anomalous behavior monitoring is one of the most effective methods of detecting an attack in progress on IoT devices. Every piece of connected equipment uses a specific set of protocols and communicates with a specific set of other devices.

Monitoring for anomalous behavior ensures that security teams are made aware of any change in a device's actions. With Raptor Train using its infected devices for scanning, an anomalous behavior monitoring solution may have notified security teams that an IoT device was acting irregularly.

Being alerted to anomalous behavior could then have triggered investigations and helped lock down any problems, interrupting the attack chain and stymying Flax Typhoon's efforts to reach its goals. Anomalous behavior monitoring can also help investigate potential issues beyond malicious threats, such as configuration drift that reduces the security of the device.
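The peer-baseline detection described in this section, as an added example that is not the post's or Asimily's own code: each device's normal destinations are learned from a window of flow records, and a later window is checked for destinations outside that baseline, with a burst of new peers on one port labelled scan-like, which is the behavior an infected camera would show. The device names and flow records are constructed for this example.

```python
"""Baseline-and-deviate detection for IoT devices over flow records
(added example; devices and flows are constructed)."""
from collections import defaultdict

# Constructed flow records: (device, dst_ip, dst_port). The first window is
# the learning period; the second is the window under inspection.
BASELINE_FLOWS = [
    ("cam-01", "10.0.0.5", 554),   # RTSP stream to the NVR
    ("cam-01", "10.0.0.5", 554),
    ("cam-01", "10.0.0.2", 123),   # NTP
    ("nvr-01", "10.0.0.9", 443),   # cloud upload
]
SUSPECT_FLOWS = [
    ("cam-01", "10.0.0.5", 554),
    ("cam-01", "10.0.0.2", 123),
    # cam-01 starts probing many new hosts on a port it never used before
    ("cam-01", "10.0.1.10", 22),
    ("cam-01", "10.0.1.11", 22),
    ("cam-01", "10.0.1.12", 22),
    ("cam-01", "10.0.1.13", 22),
    ("nvr-01", "10.0.0.9", 443),
]


def build_baseline(flows):
    """Per device: the set of (dst_ip, dst_port) pairs seen while learning."""
    profile = defaultdict(set)
    for device, ip, port in flows:
        profile[device].add((ip, port))
    return profile


def detect_deviations(baseline, flows, new_peer_threshold=3):
    """Alert on devices contacting destinations absent from their baseline.
    Many new peers on a single port is labelled scan-like; anything else
    is a plain new-peer alert that still merits investigation."""
    new_peers = defaultdict(set)
    for device, ip, port in flows:
        if (ip, port) not in baseline.get(device, set()):
            new_peers[device].add((ip, port))
    alerts = []
    for device, peers in sorted(new_peers.items()):
        ports = {port for _, port in peers}
        scan_like = len(peers) >= new_peer_threshold and len(ports) == 1
        alerts.append({"device": device,
                       "kind": "scan-like" if scan_like else "new-peer",
                       "new_peers": sorted(peers)})
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(build_baseline(BASELINE_FLOWS), SUSPECT_FLOWS):
        print(alert)
```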

Prevent IoT Attacks and Counter Imminent Threats

IoT devices like the ones that Flax Typhoon compromised remain a security challenge for even the most robust organizations. As more connected devices enter the average organization, the need to defend against device takeovers becomes more acute. Conducting a risk analysis, implementing a configuration control solution, and ensuring anomalous behavior is monitored can and will go a long way toward ensuring overall IoT device defense. 

The reality is that threat actors will continue trying to use IoT devices as botnets, especially given how common these devices are becoming and will continue to be. For that reason, enterprise defenders need to seriously consider all the tools at their disposal and ensure they are properly set up for protecting critical data. By accurately applying the right IoT security strategy, they can ensure that happens. To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
