Thousands of everyday devices have been unknowingly turned into digital weapons. Behind this infiltration is a group of hackers.
The group Flax Typhoon, believed by experts to be backed by Beijing, orchestrated a malicious network by exploiting common devices like routers and cameras. This cyberattack, which has gained global scale, has been named Raptor Train.
Since May 2020, this network is suspected of having been used to monitor various targets, including critical infrastructure, governments, and technology companies. Many of the compromised devices, primarily located in the United States, could have been used for larger-scale attacks.
The FBI, with the help of international partners, has taken steps to counter this threat. They managed to disable malware on 260,000 devices. By June 2023, this botnet had the ability to control up to 60,000 devices simultaneously.
The Raptor Train network exploits security vulnerabilities in connected devices that are often left without updates, making them ideal targets for cybercriminals. The attack, though sophisticated, is based on a simple principle: hijacking consumer devices to turn them into tools for cyber espionage.
This operation also shed light on the alleged role of the Chinese company Integrity Technology Group, based in Beijing. This company is suspected of providing the infrastructure necessary for Flax Typhoon, notably through its KRLab software.
According to cybersecurity experts, this botnet could potentially be used to launch DDoS (Distributed Denial of Service) attacks, aiming to overwhelm servers with massive traffic. Although this threat has not yet materialized, it remains a concern for the future.
China, for its part, has firmly denied these accusations. U.S. authorities continue to closely monitor the evolution of this malicious network. International cooperation remains crucial to strengthen cybersecurity against these global threats.
It should be noted that similar precedents have involved other countries besides China, highlighting the complexity of global cybersecurity. In 2010, the Stuxnet virus, attributed to a collaboration between the United States and Israel, sabotaged nuclear centrifuges in Iran.
More recently, in 2016, Russian hackers infiltrated the servers of the U.S. Democratic National Committee in an attempt to influence the U.S. presidential election.
These incidents illustrate how various governments exploit digital technologies to achieve strategic objectives, going beyond simple cybercrime. And as one might suspect, the most effective attacks are those that have never been detected.
How is a botnet formed?
A botnet is formed when hackers exploit security vulnerabilities in internet-connected devices. These flaws allow the installation of malware that turns these devices into "bots," i.e., machines under their control, without users noticing.
Once infected, these devices become part of a coordinated network. Hackers can then use this group of devices for various attacks. The botnet can grow exponentially by infecting more and more devices, thus increasing its disruptive power.
Is France affected by this attack? Are our home devices at risk?
Yes, France is affected by this cyberattack. According to the FBI's investigation and research conducted by Black Lotus Labs, more than 5,000 devices in France were infected by the Raptor Train botnet, representing about 2% of global infections. These devices may include routers, IP cameras, digital video recorders (DVR), or network storage systems (NAS), often used in homes or small businesses.
Your home equipment could be at risk if it is connected to the internet, especially devices that have not received recent security updates. Outdated or poorly secured devices are prime targets for hackers exploiting vulnerabilities. It is therefore recommended to:
- Regularly update connected devices (routers, cameras, etc.)
- Replace devices that no longer receive technical support
- Regularly restart these devices to disrupt potential infections
These precautions help limit the risk of intrusion, although they do not guarantee complete protection against this type of sophisticated attack. In general, this type of attack is difficult for users to identify, as devices continue to function normally while secretly being exploited by cybercriminals.
What are the hackers' objectives?
The hackers behind attacks like the Raptor Train botnet have multiple objectives. Here is a non-exhaustive list:
- Collect sensitive information: They spy on infected devices to obtain confidential data from governments, companies, and individuals. This information can be used for cyber espionage or sold.
- Launch massive cyberattacks: By controlling infected devices, hackers can carry out distributed denial of service (DDoS) attacks, overloading servers or websites to make them inaccessible.
- Infiltrate critical infrastructure: They target sensitive infrastructure, such as military, government, or industrial installations. The aim is often to disrupt or compromise these vital systems.
- Create backdoors for future attacks: By maintaining long-term access, hackers can use these devices as relay points for other cyberattacks, without the victims being aware.
Thus, these hackers seek to achieve strategic gains by spying, disrupting, or preparing the ground for future operations.
Article author: Cédric DEPOND