Joint advisory from CISA and NCSC-UK shines a spotlight on covert botnet expansion

How cybercrime syndicates are evolving and fueling large-scale botnet threats

Takeaways

  • CISA and the NCSC-UK have issued a joint advisory highlighting the rise of covert botnet networks, particularly fueled by China-based cybercrime syndicates.
  • Cybercriminal groups are shifting from individually managed infrastructure to leveraging large-scale networks of compromised devices, making attacks harder to trace and more massive in scale.
  • Notable threat actors like Volt Typhoon and Flax Typhoon are increasingly using professionally maintained, covert botnet networks, often managed by Chinese information security companies.
  • Botnets are expanding rapidly by exploiting both consumer and corporate devices, enabling more powerful distributed denial of service (DDoS) attacks and other threats.

What the joint advisory says

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory that highlights a broad shift on the part of cybercriminal syndicates based in China toward covert networks. These networks make it more challenging to identify the source of attacks and enable larger-scale attacks.

Released jointly with the National Cyber Security Centre in the United Kingdom (NCSC-UK) in collaboration with the UK Cyber League, the report details how cybercriminal syndicates are shifting away from individually procured infrastructure in favor of large-scale networks of compromised devices that are used to create massive botnets.

Who is using these networks

The NCSC said its analysts believe that the majority of China-nexus threat actors such as Volt Typhoon and Flax Typhoon are now using these covert networks. In fact, the report suggests threat actors are sharing these covert networks that are now being professionally maintained on their behalf.

Specifically, the report alleges that covert botnets are being maintained by providers of information security services based in China. For example, the Raptor Train botnet, which in 2024 infected more than 200,000 devices worldwide, was controlled and managed by the Integrity Technology Group headquartered in China, according to the report. The Federal Bureau of Investigation (FBI) in the U.S. has separately determined that the same company is responsible for the computer intrusion activities attributed to the Flax Typhoon syndicate.

The fact that cybercriminal syndicates are leveraging both insecure consumer and corporate devices to create botnets is hardly new, but the scale of the botnets being created continues to increase rapidly as, for example, distributed denial of service (DDoS) attacks continue to expand. Cybercriminal syndicates are not going to invest in the infrastructure needed to launch cyberattacks at scale, especially when other resources are now freely available.

How to mitigate botnet risks

The only way to effectively thwart those efforts is for organizations to first map their network devices to better understand how exposed they are to the internet. At a minimum, those devices should be connected to virtual private networks (VPNs) or other similar services to enforce more granular IP address allow-list policies rather than relying on deny lists, the advisory noted.

Additionally, the advisory recommends implementing zero-trust policies for connections, requiring machine certificates for Secure Sockets Layer (SSL) connections, and applying machine learning techniques to profile normal network edge activity to better identify anomalous behavior.

Finally, cybersecurity teams are advised to consider using threat intelligence feeds to track China-nexus covert networks as a type of advanced persistent threat (APT) that requires specific measures to thwart.
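A simple statistical stand-in for the edge-activity profiling the advisory recommends, added here as an example and not part of the advisory or the original post: it learns each device's own baseline of outbound bytes and distinct destinations from constructed daily flow summaries, then flags a device whose review-day activity departs from that baseline by more than a chosen number of standard deviations. The device names, volumes and the 6-day baseline window are all constructed assumptions.

```python
"""Per-device baseline of network-edge activity with a deviation check."""
from statistics import mean, pstdev

# Constructed sample: per device, one (bytes_out, distinct_destinations) pair per day,
# days 1..7. Days 1-6 form the baseline; day 7 is the period under review.
# cam-01 shows a day-7 burst of the kind a device pressed into DDoS or beaconing
# traffic would produce; rtr-edge stays within its normal variation.
DAILY = {
    "cam-01": [(12_000, 3), (11_500, 3), (12_800, 4), (11_900, 3),
               (12_300, 3), (12_100, 3), (410_000, 57)],
    "rtr-edge": [(95_000, 20), (96_000, 21), (94_500, 20), (95_500, 22),
                 (96_500, 21), (95_000, 20), (97_000, 21)],
}


def build_baseline(history):
    """Per-device ((mean, stdev) of bytes_out, (mean, stdev) of destinations)."""
    out = {}
    for dev, rows in history.items():
        bytes_out = [r[0] for r in rows]
        dests = [r[1] for r in rows]
        out[dev] = ((mean(bytes_out), pstdev(bytes_out)), (mean(dests), pstdev(dests)))
    return out


def zscore(value, mu, sigma):
    """Standard deviations from the baseline mean; a flat baseline (sigma == 0)
    makes any change count as an unbounded deviation rather than dividing by zero."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def find_anomalies(daily, baseline_days=6, threshold=3.0):
    """Return {device: z-scores} for devices whose review-day activity exceeds
    `threshold` standard deviations on either metric relative to their own baseline."""
    baseline = build_baseline({dev: rows[:baseline_days] for dev, rows in daily.items()})
    flagged = {}
    for dev, rows in daily.items():
        for bytes_out, dests in rows[baseline_days:]:
            zb = zscore(bytes_out, *baseline[dev][0])
            zd = zscore(dests, *baseline[dev][1])
            if max(zb, zd) >= threshold:
                flagged[dev] = {"bytes_z": round(zb, 1), "dests_z": round(zd, 1)}
    return flagged


if __name__ == "__main__":
    for dev, scores in find_anomalies(DAILY).items():
        print(f"{dev}: outbound activity outside baseline {scores}")
```

Real deployments would baseline on per-flow records (peer, port, byte counts) over weeks rather than daily totals; the per-device, own-baseline comparison is the part that carries over.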

Hopefully, there will come a day when consumer-grade devices are not as easy to harness into a botnet as they are today. In the meantime, however, cybersecurity teams should assume that botnets are only going to continue to increase in size as more insecure devices that are easily compromised are connected to the internet with each passing day.

