The FBI executed a court-authorized operation to neutralize a massive botnet that had hijacked thousands of home and small office routers. FBI Director Christopher Wray announced the disruption of the Flax Typhoon campaign, which investigators attribute to state-sponsored actors working for the People’s Republic of China. The hackers utilized a sophisticated Mirai-based botnet, internally dubbed Raptor Train by researchers at Black Lotus Labs, to establish a covert infrastructure for cyberattacks against critical infrastructure.
According to a report from Black Lotus Labs, the botnet primarily targeted legacy and unpatched devices from manufacturers such as TP-Link, Netgear, Tenda, and MikroTik. At its peak in June 2023, the Raptor Train network consisted of more than 60,000 active bots. The FBI operation involved sending remote commands to the malware on the infected hardware to delete the malicious files and stop the botnet's operation. While this action cleared the immediate threat, the FBI noted that the underlying vulnerabilities in these routers remain unless users update their firmware.
Specific hardware like the TP-Link Archer AX21 was a primary target due to a known vulnerability, CVE-2023-1389, which allows unauthenticated command injection. In a statement released by the Department of Justice, the FBI confirmed that its operation did not affect the routers' legitimate functions or collect user data. Instead, the agents interacted only with the malware's command-and-control interface to break the hackers' hold on the devices.
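The report describes the Archer AX21 flaw only as unauthenticated command injection, so the following is an added illustration of that vulnerability class from a defender's side, not code from the article, TP-Link, or Black Lotus Labs. It uses a hypothetical "locale" handler (the parameter name, the allowlist, the `set-locale` command and the log lines are all constructed): the unsafe builder splices the request parameter into a shell string, the hardened builder allowlists the value and hands an argv list to the operating system so no shell ever parses it, and a small scanner flags access-log requests whose query parameters carry shell metacharacters.

```python
"""
Added example (not from the article or any vendor's firmware): a
hypothetical router "locale" handler showing how an unvalidated parameter
becomes command injection, the hardened form, and a defender-side check
over constructed web-server access-log lines for the same abuse pattern.
"""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Hypothetical allowlist of locale codes a device could legitimately accept.
ALLOWED_COUNTRIES = {"US", "GB", "DE", "FR", "JP", "CN"}

# Characters that carry meaning to /bin/sh and never belong in a locale code.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")


def build_command_unsafe(country: str) -> str:
    # Vulnerable pattern: the request parameter is spliced into a shell
    # string, so anything after ';' or inside $(...) becomes a second
    # command. Returned rather than executed so the example is safe to run.
    return f"set-locale --country {country}"


def build_command_safe(country: str) -> list:
    # Hardened pattern: reject anything outside the known set, then return
    # an argv list (for subprocess.run without shell=True) so the value is
    # only ever a single literal argument.
    if country not in ALLOWED_COUNTRIES:
        raise ValueError(f"rejected locale value: {country!r}")
    return ["set-locale", "--country", country]


def suspicious_params(request_line: str) -> list:
    """Return the names of query parameters whose decoded value contains
    shell metacharacters, given a request like 'GET /path?x=y HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlparse(parts[1]).query
    flagged = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        # parse_qs already URL-decodes once; unquote again to catch
        # double-encoded payloads such as %2524 -> %24 -> $.
        if any(SHELL_META.search(unquote(v)) for v in values):
            flagged.append(name)
    return flagged


def scan_access_log(lines) -> list:
    """Return (client_ip, flagged_params) for constructed combined-format
    log lines whose request carries shell metacharacters in a parameter."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"', line)
        if not m:
            continue
        flagged = suspicious_params(m.group(2))
        if flagged:
            hits.append((m.group(1), flagged))
    return hits


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2024:12:00:01 +0000] "GET /admin/locale?country=US HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Sep/2024:12:00:02 +0000] "GET /admin/locale?country=US%3Bid HTTP/1.1" 200 512',
    '192.0.2.4 - - [10/Sep/2024:12:00:03 +0000] "POST /admin/locale?country=%24(uname) HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, params in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: shell metacharacters in parameter(s) {params}")
```

The allowlist is the real fix; the metacharacter regex is only a detection aid for log review and will not catch every encoding an attacker might use, so treat a hit as a prompt to check firmware status on that device rather than as the complete defense.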
The disruption of Flax Typhoon follows a similar operation earlier this year against the Volt Typhoon botnet, which targeted outdated Cisco and Netgear routers. Microsoft first identified Flax Typhoon in 2023, noting that the group focused on long-term persistence within target networks. Security researchers at Black Lotus Labs observed that the botnet's Tier 1 layer consisted entirely of SOHO devices and Internet of Things hardware.
Owners of hardware like the TP-Link Archer AX21 or similar older networking gear are advised to check for the latest firmware releases or replace devices that have reached end-of-life status. As state-sponsored actors continue to exploit consumer-grade hardware to mask their traffic, the federal government is expected to increase its use of active sinkholing and remote remediation strategies.