Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

Sixteen agencies put IOC extinction in print

3 min read
10:57UTC

On 23 April, sixteen national cyber agencies named Flax Typhoon and Integrity Technology Group as operators of Raptor Train and KV Botnet, formally accepting that indicators vanish faster than blocklists ingest them.

TechnologyDeveloping
Key takeaway

Sixteen agencies signed off that blocklists are losing the race; defenders need dwell-time metrics.

Sixteen national cyber agencies co-signed a joint advisory naming Flax Typhoon and Integrity Technology Group as the operators of two China-nexus covert networks: Raptor Train, at over 200,000 infected SOHO routers, and the KV Botnet used by Volt Typhoon for US critical national infrastructure pre-positioning 1. Integrity Technology Group was sanctioned by OFAC in December last year; the joint advisory delivers the first co-signed public attribution of its operational role. Signatories include NCSC, CISA, the NSA, FBI, German BSI, Dutch AIVD, Japan's NCO, Australia's ASD and Canada's CSE among others, the broadest public attribution gesture of the year to date.

The document tells operators in printed form what the Salt Typhoon caseload and the Volt Typhoon CNI assessments had implied since BRICKSTORM: indicators of compromise (the IP addresses, file hashes and signatures defenders feed into blocklists) now disappear as fast as analysts can publish them. The advisory's exact wording, anchored by NCSC, treats indicator-based filtering as a secondary control rather than a primary one. Targets named in the document span energy, healthcare, transport, digital infrastructure and government across the participating jurisdictions.

NCSC and CISA are asking security operations Teams to retire the dynamic threat-feed filtering metric and replace it with a dwell-time metric: how long an attacker stays undetected inside the network. That reframes the whole detection-engineering investment cycle. Behind it sits the same NCSC attribution muscle that produced the APT28 advisory in March; ahead of it sits a pressure track on SOC tooling vendors to surface dwell metrics by default and a sanctions surface that previously sat behind classified boundaries.

Deep Analysis

In plain English

Defenders track hackers using lists of known bad addresses and digital signatures, similar to a security watchlist at an airport. Chinese state-linked hackers have figured out that if they route their attacks through hundreds of thousands of ordinary home routers scattered across the world, the watchlist becomes useless: by the time security teams publish a new bad address, the hackers have already moved to a different router. Sixteen national security agencies signed a document saying publicly that this approach no longer works as the primary defence.

Deep Analysis
Root Causes

Indicator-based defence relies on the assumption that attacker infrastructure (IP addresses, domain names, file hashes) persists long enough for defenders to ingest and act on published lists.

China-nexus actors operating through 200,000-node SOHO router botnets rotate infrastructure at the speed of the bot fleet's IP assignments, which turns over continuously as residential and small-office devices cycle DHCP leases. The defender receives a published indicator that was accurate when analysts wrote it but is already stale when blocklist operators import it.

The structural root cause is an asymmetry of cost: rotating a compromised SOHO node's IP address costs the attacker nothing (the node simply cycles to the next infected device in the pool), while updating a blocklist, distributing it to every enforcement point, and verifying that enforcement points have actually applied the update costs the defender real operational time at every cycle.

Escalation

The advisory represents a formal institutional escalation of the defender posture question: it moves from treating IOC-based defence as supplementary to stating in co-signed print that it fails as a primary control. The sixteen-signature count and the named contractor attribution together raise the geopolitical cost of continued Raptor Train and KV Botnet operation.

What could happen next?
  • Consequence

    SOC tooling vendors face board-level pressure to add dwell-time KPIs and SOHO-device traffic baselining to their default product dashboards within the next product cycle.

    Short term · 0.8
  • Risk

    Organisations in energy, healthcare, transport and government sectors named in the advisory face elevated targeting risk as Flax Typhoon-linked actors may increase operational tempo ahead of anticipated enforcement actions.

    Short term · 0.75
  • Precedent

    The Integrity Technology Group naming establishes a template for attributing Chinese state-backed cyber operations to named private contractors rather than to state organs, with downstream implications for WTO and bilateral trade leverage.

    Medium term · 0.7
  • Opportunity

    Network security vendors offering SOHO device monitoring, traffic baselining and botnet egress detection gain a direct sales narrative from a sixteen-agency advisory confirming the attack class is active.

    Immediate · 0.85
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

NCSC UK· 30 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.