QUICKLOOK: The Evolution of Chinese Cyber Warfare: Botnet Crazy
Understanding Chinese State-Sponsored Cyber Threats and Botnet Utilization in Electronic Warfare
BLUF:
China's state-sponsored cyber operations, including the groups tracked as Volt Typhoon and Flax Typhoon and the Raptor Train botnet the latter operates, are increasingly targeting Taiwan and global critical infrastructure through large botnets managed or supported by indigenous companies such as Integrity Technology Group and by the PLA. These campaigns, focused on espionage and on pre-positioning for potential disruption, present a growing cyber threat as tensions over Taiwan and the broader geopolitical landscape rise.
Abstract:
In recent years, China's cyber operations have evolved to lean on large botnets such as Raptor Train, linked to Flax Typhoon, to target critical infrastructure worldwide. This Quick Look examines how these operations, with infrastructure managed by indigenous Chinese companies like Integrity Technology Group, have compromised over 260,000 devices globally while focusing heavily on Taiwan. Through strategic frameworks like Integrated Network Electronic Warfare (INEW) and Military-Civil Fusion (MCF), China blends cyber and electronic warfare tactics with technological advances drawn from the civilian sector. Designed for long-term espionage and covert control, these operations illustrate the growing complexity and danger of China's cyber campaigns. As geopolitical tensions rise, particularly over Taiwan, the potential for these botnets to be turned to more destructive attacks remains a critical global security concern.
Introduction
China's cyber operations have expanded significantly in recent years, with state-sponsored groups like Volt Typhoon and Flax Typhoon, and botnets such as Flax Typhoon's Raptor Train, targeting critical infrastructure across the globe. These operations focus on espionage and on pre-positioning for disruption, and they rely increasingly on indigenous companies like Integrity Technology Group. Such companies support the PRC's cyber campaigns by managing vast botnet infrastructures, allowing China to control compromised devices worldwide while concealing its actions behind apparently legitimate business operations.
In a joint advisory, the FBI, Cyber National Mission Force (CNMF), and National Security Agency (NSA) highlighted that these PRC-linked actors are actively compromising small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and Internet of Things (IoT) devices. The resulting botnets are used for malicious activity including distributed denial of service (DDoS) attacks and as proxy infrastructure that conceals the true origin of intrusions. Taiwan in particular has been a major focus of these campaigns, given its geopolitical importance and its critical role in global manufacturing and technology.
Strategic Context of Chinese Cyber Operations
China's cyber operations are tightly aligned with its overarching military and strategic objectives. The integration of cyber capabilities into its defense doctrine highlights the importance of non-kinetic means to achieve military and geopolitical goals. Two primary frameworks—Integrated Network Electronic Warfare (INEW) and Military-Civil Fusion (MCF)—form the core of China's strategic approach to leveraging cyber operations in the modern battlefield.
Integrated Network Electronic Warfare (INEW)
Integrated Network Electronic Warfare (INEW) is a key component of China’s military strategy that merges cyber and electronic warfare operations into a unified approach. This doctrine enables China to undermine its adversaries while gaining dominance in the information space, which is essential for achieving strategic superiority. The core objectives of INEW include:
Undermine Adversaries’ C4ISR Systems: INEW aims to disrupt an opponent's Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance (C4ISR) infrastructure. By crippling these systems, China can degrade the enemy's situational awareness, communications, and decision-making abilities, thereby neutralizing military effectiveness without direct physical confrontation.
Achieve Information Dominance: Control over the information spectrum—including cyber and electronic communications—gives China the strategic upper hand in conflicts. This allows Chinese forces to manage the flow of information, manipulate the narrative, and control the pace and outcomes of engagements.
Avoid Direct Kinetic Conflict: A critical goal of INEW is to leverage cyber and electronic warfare capabilities to achieve military objectives without engaging in traditional, kinetic warfare. By targeting digital infrastructure and communication networks, China can weaken opponents, inflict damage on military and civilian targets, and coerce geopolitical gains while avoiding the costs and risks associated with conventional military conflicts.
This combination of offensive cyber operations with electronic warfare capabilities ensures that China can degrade an adversary’s military functions, control critical infrastructures, and protect its own networks, enabling strategic flexibility and asymmetric warfare tactics.
Military-Civil Fusion (MCF)
The Military-Civil Fusion (MCF) strategy is another crucial pillar of China’s approach to cyber and electronic warfare. MCF blurs the lines between civilian and military sectors, promoting the seamless integration of technologies, innovations, and capabilities for both military and non-military purposes. MCF’s objectives in the cyber domain include:
Facilitating Technological Transfers: The MCF initiative facilitates the transfer of cutting-edge civilian technological advancements into military applications, speeding up innovation in areas like artificial intelligence, quantum computing, and cyber capabilities. By utilizing civilian tech breakthroughs, China can enhance its military power without the long development cycles typically seen in defense programs.
Enhancing Intelligence Sharing: MCF promotes strong collaboration between civilian entities (such as tech companies, universities, and research institutions) and military intelligence units. This collaborative structure allows for the pooling of resources, talents, and intelligence across sectors, giving China a more integrated and responsive cyber capability.
Developing Dual-Use Technologies: Dual-use technologies—those that can serve both civilian and military purposes—are key to the success of the MCF strategy. For example, innovations in big data analytics, cloud computing, and 5G telecommunications can be used to bolster China’s domestic economy while simultaneously being adapted for cyber warfare and military intelligence applications.
By leveraging these dual-use technologies, China maximizes the efficiency and reach of its cyber capabilities, giving it strategic advantages across multiple domains. The MCF strategy also ensures that Chinese corporations, including those developing artificial intelligence, cybersecurity tools, and networking infrastructure, can be tapped to support the People’s Liberation Army (PLA) and its cyber campaigns.
Flax Typhoon and Taiwan: Espionage Through Indigenous Platforms
Active since mid-2021 and publicly detailed by Microsoft in August 2023, Flax Typhoon has shown a sustained focus on Taiwan, with campaigns against government agencies, critical manufacturing, education, and information technology organizations. Microsoft's investigations found a distinctive pattern of activity against Taiwanese organizations that relies on living-off-the-land binaries (LOLBins) and a small toolset including the China Chopper web shell, Metasploit, and the legitimate SoftEther VPN client. Relying on built-in tools and legitimate software lets Flax Typhoon keep its footprint small and blend into normal administrative activity rather than deploying large amounts of custom malware.
Flax Typhoon's strategy involves maintaining long-term access to compromised networks without immediately executing final objectives, which suggests a focus on intelligence gathering and espionage. While the group's activities have concentrated on Taiwan, Microsoft warns that these techniques could easily be applied globally, highlighting the need for heightened awareness and vigilance.
Integrity Technology Group's Role in Managing Botnets
The FBI, CNMF, and NSA have revealed that the Integrity Technology Group, a Chinese software company, played a crucial role in managing the infrastructure used by Flax Typhoon and other PRC-linked actors. Integrity Tech used China Unicom Beijing Province Network IP addresses to control botnet operations that primarily targeted Taiwanese and U.S. military, government, and critical infrastructure sectors.
The search and seizure warrant (case 24-mj-1484) confirmed that Integrity Tech managed a botnet used for espionage. That infrastructure is also likely pre-positioned for disruptive operations during a critical geopolitical event, such as a potential invasion of Taiwan. The botnet, comprising over 260,000 compromised devices, remains an ongoing threat to Taiwanese and international targets.
Raptor Train: Expanding China’s Botnet Capabilities
The Raptor Train botnet, uncovered by Lumen Technologies’ Black Lotus Labs in September 2024, represents a significant escalation in China's botnet capabilities. This botnet, linked to Flax Typhoon and managed by Integrity Technology Group, uses a custom Mirai variant called Nosedive to compromise a range of devices globally, including modems, routers, IP cameras, and NAS devices.
Nosedive is an in-memory variant of Mirai: it is never written to the device's storage, so disk-based inspection finds nothing and a reboot clears it. That makes it hard to spot during triage, but it also means the operators must keep re-infecting devices. The botnet's three-tier command-and-control (C2) architecture, with compromised devices at the first tier, exploitation and C2 servers at the second, and central management nodes at the third, is built for exactly that: it lets the operators manage infected devices at scale and rapidly re-exploit devices that have been rebooted or cleaned.
The joint FBI/CNMF/NSA advisory counted over 260,000 compromised devices as of mid-2024, with the largest share located in North America and the operators' targeting concentrated on the United States and Taiwan. The botnet's scale and its reliance on compromised IoT devices make it a serious threat to global infrastructure, with the potential to be weaponized for large-scale DDoS attacks or used as cover for covert espionage.
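Since an in-memory implant like Nosedive leaves nothing on the filesystem, the practical triage question on a Linux-based router, NAS, or camera is "which running process has no backing file on disk?". The following is an added example, not code from Lumen, the joint advisory, or the botnet's operators: it reads `/proc` and flags processes whose `exe` link points at a deleted file or a `memfd:`/tmpfs object, or whose memory map contains an anonymous executable region. The `ProcRecord` type, the `suspicious_reasons` function and the sample records are constructed for the example; the live scan assumes a Linux system with `/proc` mounted and enough privilege to read other processes' `exe` and `maps`.

```python
"""Find memory-resident processes on a Linux device by inspecting /proc.

Added example for this page; not code from Lumen, the FBI advisory, or the
Raptor Train operators. ProcRecord and the sample records are constructed.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    exe: str       # target of /proc/<pid>/exe ("" if unreadable)
    cmdline: str   # argv joined with spaces
    maps: str      # contents of /proc/<pid>/maps


# exe link ends in "(deleted)" when the binary was unlinked after exec.
_DELETED = re.compile(r"\(deleted\)$")
# memfd_create() and tmpfs-backed images never touch persistent storage.
_MEMFD = re.compile(r"^/memfd:")
# maps line: addr perms offset dev inode path. An executable mapping with
# inode 0 and no path is anonymous memory that something made executable.
_ANON_EXEC = re.compile(r"^[0-9a-f]+-[0-9a-f]+ r-xp \S+ \S+ 0\s*$", re.M)


def suspicious_reasons(rec: ProcRecord) -> list[str]:
    """Return the reasons a process looks memory-resident (empty if none)."""
    reasons = []
    if _DELETED.search(rec.exe):
        reasons.append("exe deleted from disk")
    if _MEMFD.search(rec.exe) or rec.exe.startswith("/dev/shm/"):
        reasons.append("exe backed by memfd or tmpfs")
    if _ANON_EXEC.search(rec.maps):
        # JIT runtimes also do this; treat as a lead, not proof, on devices
        # that legitimately run such software.
        reasons.append("anonymous executable mapping")
    return reasons


def scan_records(records: list[ProcRecord]) -> dict[int, list[str]]:
    """Apply the checks to pre-collected records (e.g. from a remote shell)."""
    findings = {}
    for rec in records:
        reasons = suspicious_reasons(rec)
        if reasons:
            findings[rec.pid] = reasons
    return findings


def read_proc(pid: int) -> ProcRecord | None:
    """Collect one live record; returns None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""  # kernel thread or insufficient privilege
    try:
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        with open(f"{base}/maps") as f:
            maps = f.read()
    except OSError:
        return None
    return ProcRecord(pid, exe, cmdline, maps)


def scan_live() -> dict[int, list[str]]:
    """Walk /proc on the current host and return suspicious pids."""
    records = [r for n in os.listdir("/proc") if n.isdigit()
               if (r := read_proc(int(n))) is not None]
    return scan_records(records)


# --- constructed sample records (not taken from a real device) -------------
SAMPLE_RECORDS = [
    ProcRecord(412, "/usr/sbin/httpd", "httpd -f /etc/httpd.conf",
               "00400000-00480000 r-xp 00000000 1f:02 1234 /usr/sbin/httpd\n"
               "7f0000000000-7f0000001000 r-xp 00000000 00:00 0 [vdso]\n"),
    ProcRecord(1337, "/tmp/.x (deleted)", "/tmp/.x",
               "7f1000000000-7f1000020000 r-xp 00000000 00:00 0\n"
               "7f1000020000-7f1000030000 rw-p 00000000 00:00 0\n"),
    ProcRecord(1402, "/memfd:a (deleted)", "",
               "7f2000000000-7f2000010000 r-xp 00000000 00:00 0\n"),
]

if __name__ == "__main__":
    for pid, reasons in scan_records(SAMPLE_RECORDS).items():
        print(pid, reasons)
```

Use the output as a lead for memory capture, not as a cleanup step: rebooting does remove an in-memory implant, but as the paragraph above notes the operators re-exploit rebooted devices, so the reboot only buys time unless the exposed service is patched or firewalled first.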
Taiwan at the Epicenter of China’s Espionage Campaign
Taiwan remains a central focus of Flax Typhoon’s espionage efforts, as the group continues to target key sectors for intelligence collection and data exfiltration. According to an Axios report, Flax Typhoon had compromised over 260,000 devices by mid-2024, with many located in Taiwan, further highlighting the geopolitical significance of the region.
While Flax Typhoon is primarily focused on espionage, FBI Director Christopher Wray has warned that the botnets managed by the group could easily pivot to more destructive operations, such as DDoS attacks that could severely disrupt Taiwan’s critical infrastructure during moments of heightened tension.
Recent Activities and Global Targets
In late December 2023, the Raptor Train operators (the Flax Typhoon cluster) were observed scanning U.S. military, U.S. government, and IT-provider networks for vulnerabilities. This suggests that Chinese state-sponsored actors are extending their espionage campaign beyond Taiwan to critical infrastructure sectors in the U.S. and allied nations.
Reporting around the FBI advisory has also suggested infrastructure overlap between Integrity Tech's botnet operations and Volt Typhoon activity; whether or not the two clusters share infrastructure, their parallel targeting of the same sectors complicates efforts to attribute and counter these operations. Volt Typhoon, like Flax Typhoon, prioritizes stealth and persistence, but its pre-positioning is assessed to be aimed at disruption, especially in critical sectors such as energy and telecommunications.
Conclusion
China's state-sponsored cyber operations, led by groups like Volt Typhoon and Flax Typhoon and backed by botnets such as Raptor Train, are becoming more sophisticated and harder to detect. The involvement of indigenous companies like Integrity Technology Group adds a layer of complexity, as these firms play a central role in managing the infrastructure behind Chinese cyber operations.
As tensions continue to rise in Taiwan, these botnets present a significant security risk not only to Taiwanese organizations but also to international entities that depend on Taiwan’s critical sectors. International cooperation, along with robust cyber defense measures, will be essential to mitigating the evolving threats posed by Chinese state-sponsored cyber actors.