30APR

Sixteen agencies put IOC extinction in print

3 min read

08:16UTC

On 23 April, sixteen national cyber agencies named Flax Typhoon and Integrity Technology Group as operators of Raptor Train and KV Botnet, formally accepting that indicators vanish faster than blocklists ingest them.

← Back to FIRESTARTER puts Cisco below the patch line Jump to analysis ↓

TechnologyDeveloping

Key takeaway

Sixteen agencies signed off that blocklists are losing the race; defenders need dwell-time metrics.

Sixteen national cyber agencies co-signed a joint advisory naming Flax Typhoon and Integrity Technology Group as the operators of two China-nexus covert networks: Raptor Train, at over 200,000 infected SOHO routers, and the KV Botnet used by Volt Typhoon for US critical national infrastructure pre-positioning ¹. Integrity Technology Group was sanctioned by OFAC in December last year; the joint advisory delivers the first co-signed public attribution of its operational role. Signatories include NCSC, CISA, the NSA, FBI, German BSI, Dutch AIVD, Japan's NCO, Australia's ASD and Canada's CSE among others, the broadest public attribution gesture of the year to date.

The document tells operators in printed form what the Salt Typhoon caseload and the Volt Typhoon CNI assessments had implied since BRICKSTORM: indicators of compromise (the IP addresses, file hashes and signatures defenders feed into blocklists) now disappear as fast as analysts can publish them. The advisory's exact wording, anchored by NCSC, treats indicator-based filtering as a secondary control rather than a primary one. Targets named in the document span energy, healthcare, transport, digital infrastructure and government across the participating jurisdictions.

NCSC and CISA are asking security operations Teams to retire the dynamic threat-feed filtering metric and replace it with a dwell-time metric: how long an attacker stays undetected inside the network. That reframes the whole detection-engineering investment cycle. Behind it sits the same NCSC attribution muscle that produced the APT28 advisory in March; ahead of it sits a pressure track on SOC tooling vendors to surface dwell metrics by default and a sanctions surface that previously sat behind classified boundaries.

Deep Analysis

In plain English

Defenders track hackers using lists of known bad addresses and digital signatures, similar to a security watchlist at an airport. Chinese state-linked hackers have figured out that if they route their attacks through hundreds of thousands of ordinary home routers scattered across the world, the watchlist becomes useless: by the time security teams publish a new bad address, the hackers have already moved to a different router. Sixteen national security agencies signed a document saying publicly that this approach no longer works as the primary defence.

Deep Analysis

Root Causes

Indicator-based defence relies on the assumption that attacker infrastructure (IP addresses, domain names, file hashes) persists long enough for defenders to ingest and act on published lists.

China-nexus actors operating through 200,000-node SOHO router botnets rotate infrastructure at the speed of the bot fleet's IP assignments, which turns over continuously as residential and small-office devices cycle DHCP leases. The defender receives a published indicator that was accurate when analysts wrote it but is already stale when blocklist operators import it.

The structural root cause is an asymmetry of cost: rotating a compromised SOHO node's IP address costs the attacker nothing (the node simply cycles to the next infected device in the pool), while updating a blocklist, distributing it to every enforcement point, and verifying that enforcement points have actually applied the update costs the defender real operational time at every cycle.

Escalation

The advisory represents a formal institutional escalation of the defender posture question: it moves from treating IOC-based defence as supplementary to stating in co-signed print that it fails as a primary control. The sixteen-signature count and the named contractor attribution together raise the geopolitical cost of continued Raptor Train and KV Botnet operation.

What could happen next?

Consequence
SOC tooling vendors face board-level pressure to add dwell-time KPIs and SOHO-device traffic baselining to their default product dashboards within the next product cycle.
Short term · 0.8
Risk
Organisations in energy, healthcare, transport and government sectors named in the advisory face elevated targeting risk as Flax Typhoon-linked actors may increase operational tempo ahead of anticipated enforcement actions.
Short term · 0.75
Precedent
The Integrity Technology Group naming establishes a template for attributing Chinese state-backed cyber operations to named private contractors rather than to state organs, with downstream implications for WTO and bilateral trade leverage.
Medium term · 0.7
Opportunity
Network security vendors offering SOHO device monitoring, traffic baselining and botnet egress detection gain a direct sales narrative from a sixteen-agency advisory confirming the attack class is active.
Immediate · 0.85

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2017 WannaCry and NotPetya attribution sequence established the multilateral joint-attribution template: the UK, US, Australia, Canada, and New Zealand co-signed a statement attributing WannaCry to North Korea within months of the attack.

The Flax Typhoon advisory repeats that template but extends the coalition to sixteen agencies and pre-emptively names the private contractor rather than the state, a significant evolution. WannaCry attribution took seven months after the attack; the Integrity Technology Group naming follows the December 2025 sanction by roughly five months, suggesting the attribution-to-designation pipeline is shortening.

Counter-parallel: The 2021 Microsoft Exchange HAFNIUM attribution was also multi-partner (US, EU, NATO, Australia, Japan), but the exchange of attribution statements into enforcement actions stalled: no individual Chinese nationals were sanctioned at the time of attribution, and HAFNIUM's infrastructure continued operating.

Whether the Integrity Technology Group sanction produces material enforcement (asset freeze, correspondent bank action) distinguishes this advisory from HAFNIUM's paper-enforcement precedent.

Consensus view: Atlantic Council's Cyber Statecraft Initiative characterises the sixteen-agency advisory as the most significant multilateral attribution event of 2026: the formal co-signing of an IOC-extinction admission by agencies including AIVD, BSI, Japan's NCO, and Australia's ASD signals that Western signals intelligence partnerships have reached institutional consensus on the inadequacy of indicator-based defence.

CSIS's Strategic Technologies Program notes that naming Integrity Technology Group, a privately held Beijing contractor sanctioned in December 2025, alongside a tradecraft description of its botnet operations, creates a sanctions-enforcement surface that previously sat behind classification restrictions.

Counter-view: MERICS (Mercator Institute for China Studies) cautions that corporate attribution of Chinese state-backed activity to named contractors systematically overstates the organisational coherence of Beijing's cyber programme.

Chinese offensive cyber operations use a contractor ecosystem with fluid personnel overlap across Teams; attributing Raptor Train to Integrity Technology Group as an operator does not imply a command chain comparable to a Western signals agency, and enforcement actions premised on that framing may misfire.

Key tension: Whether the advisory's IOC-extinction framing will prompt SOC tooling vendors to pivot their product roadmaps toward dwell-time metrics quickly enough to match the political pressure the sixteen-signature document will generate from boards and regulators.

First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

NCSC UK· 30 Apr 2026

Read original →

Causes and effects

Caused by

FBI: Salt Typhoon still very much live

16-agency advisory extends prior Salt/Volt Typhoon coverage by formalising IOC-extinction and naming Integrity Technology Group as the named operator behind Raptor Train and KV Botnet.

Occurred 1 Feb 2026

Read story →

OFAC turns IP law on Operation Zero

The 16-agency advisory directly advances the Salt/Volt Typhoon coverage in ID:2551 by naming specific infrastructure operators and botnets.

Occurred 15 Apr 2026

Read story →

CISA deadline for PAN-OS RCE lands four days early

CISA's tightening KEV deadline cadence applied to CVE-2026-0300 is the continuation of the multi-agency deadline-enforcement doctrine named in the sixteen-agency IOC extinction advisory.

Occurred 6 May 2026

Read story →

This Event

Sixteen agencies put IOC extinction in print

Coordinated public attribution at this scale repositions indicator-based defence as a secondary control and surfaces a sanctions track against named contractors.

Different Perspectives

Norwegian Security and Service Organisation

NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem

ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)

BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service

South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea

UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs

WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.