China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns
Summary: In recent years, China-linked threat groups have used compromised consumer devices to build large botnets for cyber espionage and attacks on critical infrastructure. These covert networks, made up of small-business, home-office, IoT and smart devices, are used to disguise the origin of malicious activity. Such botnets are widely used for malicious operations and pose a threat to enterprise IoT security.

2026-4-27 12:32:32 Author: securityboulevard.com

China-nexus threat groups like Volt Typhoon and Flax Typhoon over the past few years have built multiple large botnets from compromised consumer devices and are using them in their attacks for their cyber espionage efforts and intrusions into critical infrastructure environments, according to U.S. and security agencies from other countries.

In an advisory issued by CISA, the agencies said the China-linked actors are transitioning away from dedicated infrastructure to so-called “covert networks” comprising compromised small-office, home office (SOHO), Internet of Things (IoT), and smart devices that are constantly updated.

“The use of covert networks of compromised devices – also known as botnets – to facilitate malicious cyber activity is not new, but China-nexus cyber actors are now using them strategically, and at scale,” CISA wrote in the advisory, which also included security agencies from such countries as Australia, Germany, Japan, and Spain. “Covert networks are used to connect across the internet in a low-cost, low-risk, deniable way, disguising the origin and attribution of malicious activity.”

Indeed, such botnets have been used for years by financially motivated bad actors for a broad range of activities, from distributed denial-of-service (DDoS) and credential attacks to spam and phishing campaigns and malware distribution.

Now state-sponsored threat groups linked to China and its intelligence agencies are using them for every part of their operations, from running scans for reconnaissance and delivering and communicating with malware to exfiltrating stolen data.

Evading Detection

“They can also be used for general deniable internet browsing, allowing threat actors to research exploitation techniques, new TTPs [tactics, techniques and procedures], and their victims without attribution,” CISA wrote. “Some covert networks are also used by legitimate customers to browse the internet, making it challenging to attribute malicious activity.”

CISA noted that Volt Typhoon, which two years ago was found to have infiltrated the networks of critical infrastructure companies in such sectors as communications and energy, has used covert networks and that Flax Typhoon used a different botnet to run cyber espionage campaigns.

The covert networks are created and maintained by information security companies in China, according to the security agencies. They pointed to Raptor Train, a botnet controlled and managed by Chinese company Integrity Technology Group and comprising more than 200,000 infected devices. The FBI also said the company was involved in a computer-intrusion campaign by Flax Typhoon.

Edge Devices Targeted

Most of the botnets are made up of SOHO network routers, but other vulnerable devices are included as well. CISA pointed to Raptor Train as an example, noting that along with the routers, it consisted of such IoT devices as web cameras and video recorders, along with firewalls and network-attached storage (NAS) devices. Another covert network, KV Botnet, used by Volt Typhoon, primarily comprised vulnerable routers from Cisco and NetGear.

“The edge devices were vulnerable because they were ‘end of life’ – out of date and no longer receiving updates or security patches by their manufacturers,” CISA wrote.

The embrace of such botnets by China-nexus groups isn’t surprising, but organizations need to take note, said Bradley Smith, senior vice president and deputy CISO for security firm BeyondTrust.

“The shift CISA is describing, from individually procured infrastructure to externally provisioned networks of compromised devices, has been visible to practitioners tracking China-nexus operations at the network layer for years,” Smith said. “The scale and the degree of operational specialization behind it have changed.”

Ensure IoT Device Security

The fact that so many IoT devices are being compromised and used in the covert networks is a sign that enterprises are being lax in ensuring the security of these devices, which are widely present in organizations, according to John Gallagher, vice president of Viakoo Labs, the research arm of security firm Viakoo. He added that the shift from using them to steal data to compromising operational technology environments is expanding.

“It would be trivializing the issue to view it as SOHO and consumer IoT devices; it’s all IoT devices, especially those used inside an enterprise,” Gallagher said. “That’s why this CISA advisory specifically called out best practices for large and ‘the largest’ organizations. The advantage operators of botnet armies gain from compromising enterprise routers, cameras, NAS drives, and other forms of IoT is that they are approved members of that network, and can use the privileges and credentials of the host organization to go undetected.”

He said that “threat actors aren’t just hacking your IoT cameras or routers to steal their data; they are using them as proxies to route attack traffic through a ‘clean’ IP address of a localized IoT device, and establish a position of control within the network. By hiding within an enterprise, they can bypass geographical IP filtering and behavior-based detection that usually flags traffic from foreign adversary nations.”
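The proxying pattern Gallagher describes, a compromised camera or NAS reaching out from inside an enterprise's own address space, is something flow telemetry can surface. The following is an added example, not code from the article or from CISA: a small Python checker over constructed flow records that flags inventoried IoT devices contacted directly from the internet, devices talking to peers outside an assumed allow-list, and outbound activity shortly after an inbound external hit. The inventory, allow-lists and flow records are assumed sample values.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; anything outside them is treated as "external" here.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (assumed values): enterprise IoT devices and the peers
# each one is expected to talk to. A camera should only reach its NVR; a NAS
# should only serve the local /16.
IOT_INVENTORY = {
    "10.20.1.15": {"kind": "camera", "allowed": {"10.20.1.2"}},
    "10.20.1.40": {"kind": "nas", "allowed": {"10.20.0.0/16"}},
}

# Constructed flow records (assumed values): ts in seconds, src/dst IPs, dst port.
SAMPLE_FLOWS = [
    {"ts": 100, "src": "10.20.1.15", "dst": "10.20.1.2", "dport": 554},      # camera -> NVR
    {"ts": 105, "src": "203.0.113.7", "dst": "10.20.1.40", "dport": 443},    # internet -> NAS
    {"ts": 110, "src": "10.20.1.40", "dst": "10.20.5.9", "dport": 445},      # NAS -> file server
    {"ts": 200, "src": "10.20.1.15", "dst": "198.51.100.23", "dport": 443},  # camera -> internet
    {"ts": 300, "src": "10.20.0.77", "dst": "10.20.1.40", "dport": 445},     # workstation -> NAS
]

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE)

def is_allowed(dst, allowed):
    addr = ip_address(dst)
    return any(addr in ip_network(a) for a in allowed)

def detect(flows, inventory, window=60):
    """Return (ts, rule, device, detail) findings for devices in the inventory."""
    findings = []
    last_inbound = {}  # device -> ts of the most recent connection from an external source
    for f in sorted(flows, key=lambda x: x["ts"]):
        ts, src, dst, port = f["ts"], f["src"], f["dst"], f["dport"]
        # Rule 1: an external address reached an enterprise IoT device directly.
        if dst in inventory and is_external(src):
            last_inbound[dst] = ts
            findings.append((ts, "exposed_to_internet", dst, f"inbound from {src} to port {port}"))
        if src in inventory:
            # Rule 2: the device contacted a peer outside its expected set.
            if not is_allowed(dst, inventory[src]["allowed"]):
                findings.append((ts, "unexpected_egress", src, f"to {dst}:{port}"))
            # Rule 3: outbound shortly after an inbound external hit suggests relaying.
            if src in last_inbound and ts - last_inbound[src] <= window:
                findings.append((ts, "possible_relay", src, f"external hit then {dst}:{port}"))
    return findings

if __name__ == "__main__":
    for ts, rule, device, detail in detect(SAMPLE_FLOWS, IOT_INVENTORY):
        print(f"{ts:>4} {rule:<20} {device:<12} {detail}")
```

The NAS triggers both the exposure and relay rules, while the camera is flagged only for egress to an unexpected external host; the workstation-to-NAS flow is internal and silent.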

Source: https://securityboulevard.com/2026/04/china-backed-groups-are-using-massive-botnets-in-espionage-intrusion-campaigns/