Cybersecurity: Threats and Defences
7 Jun

Sixteen agencies put IOC extinction in print

3 min read
10:08 UTC

On 23 April, sixteen national cyber agencies named Flax Typhoon and Integrity Technology Group as operators of Raptor Train and KV Botnet, formally accepting that indicators vanish faster than blocklists ingest them.

Technology · Developing
Key takeaway

Sixteen agencies signed off that blocklists are losing the race; defenders need dwell-time metrics.

Sixteen national cyber agencies co-signed a joint advisory naming Flax Typhoon and Integrity Technology Group as the operators of two China-nexus covert networks: Raptor Train, at over 200,000 infected SOHO routers, and the KV Botnet used by Volt Typhoon for US critical national infrastructure pre-positioning [1]. Integrity Technology Group was sanctioned by OFAC in December last year; the joint advisory delivers the first co-signed public attribution of its operational role. Signatories include NCSC, CISA, the NSA, FBI, German BSI, Dutch AIVD, Japan's NCO, Australia's ASD and Canada's CSE, among others: the broadest public attribution gesture of the year to date.

The document tells operators in printed form what the Salt Typhoon caseload and the Volt Typhoon CNI assessments had implied since BRICKSTORM: indicators of compromise (the IP addresses, file hashes and signatures defenders feed into blocklists) now disappear as fast as analysts can publish them. The advisory's exact wording, anchored by NCSC, treats indicator-based filtering as a secondary control rather than a primary one. Targets named in the document span energy, healthcare, transport, digital infrastructure and government across the participating jurisdictions.

NCSC and CISA are asking security operations teams to retire the dynamic threat-feed filtering metric and replace it with a dwell-time metric: how long an attacker stays undetected inside the network. That reframes the whole detection-engineering investment cycle. Behind it sits the same NCSC attribution muscle that produced the APT28 advisory in March; ahead of it sits a pressure track on SOC tooling vendors to surface dwell metrics by default, and a sanctions surface that previously sat behind classified boundaries.

Deep Analysis

In plain English

Defenders track hackers using lists of known bad addresses and digital signatures, similar to a security watchlist at an airport. Chinese state-linked hackers have figured out that if they route their attacks through hundreds of thousands of ordinary home routers scattered across the world, the watchlist becomes useless: by the time security teams publish a new bad address, the hackers have already moved to a different router. Sixteen national security agencies signed a document saying publicly that this approach no longer works as the primary defence.

Root Causes

Indicator-based defence relies on the assumption that attacker infrastructure (IP addresses, domain names, file hashes) persists long enough for defenders to ingest and act on published lists.

China-nexus actors operating through 200,000-node SOHO router botnets rotate infrastructure at the speed of the bot fleet's IP assignments, which turns over continuously as residential and small-office devices cycle DHCP leases. The defender receives a published indicator that was accurate when analysts wrote it but is already stale when blocklist operators import it.

The structural root cause is an asymmetry of cost: rotating a compromised SOHO node's IP address costs the attacker nothing (the node simply cycles to the next infected device in the pool), while updating a blocklist, distributing it to every enforcement point, and verifying that enforcement points have actually applied the update costs the defender real operational time at every cycle.
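The two metrics the argument above turns on, indicator freshness against fleet rotation and the dwell-time figure NCSC and CISA want on the dashboard, can be made concrete on constructed data. The following is an added example, not code from the advisory or from any of the agencies named; it assumes (our assumption, not the advisory's) that the time until an infected SOHO node's address rotates is exponentially distributed, uses TEST-NET-3 addresses (203.0.113.0/24) as constructed indicators, and builds a three-incident timeline with made-up compromise and detection times.

```python
"""Added example (not from the advisory): two metrics on constructed data.

1. Indicator freshness: the fraction of published IP indicators that still point
   at attacker infrastructure by the time an enforcement point applies them, as a
   function of ingest lag and of how fast the bot fleet rotates addresses.
2. Dwell time: how long an intrusion stays undetected, from earliest attacker
   activity to first detection.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
import math


@dataclass(frozen=True)
class Indicator:
    ip: str
    observed_at: datetime   # when analysts saw the address in use
    rotates_at: datetime    # when the node's address changed (constructed ground truth)


@dataclass(frozen=True)
class Incident:
    name: str
    first_attacker_activity: datetime  # earliest evidence in the forensic timeline
    first_detection: datetime          # first alert or analyst finding


def still_live(ind: Indicator, ingest_lag: timedelta) -> bool:
    """An indicator is useful only if the blocklist applies it before the node rotates."""
    return ind.observed_at + ingest_lag < ind.rotates_at


def live_fraction(indicators, ingest_lag: timedelta) -> float:
    """Share of indicators still pointing at attacker infrastructure at enforcement time."""
    return sum(still_live(i, ingest_lag) for i in indicators) / len(indicators)


def make_fleet(n: int, mean_lease_hours: float) -> list:
    """Constructed fleet of n infected SOHO nodes, all observed at the same instant.

    Assumption (ours): time-to-rotation is exponentially distributed with the given
    mean. Leases are drawn by inverse-CDF quantile sampling, so the result is
    deterministic and the live fraction at lag d equals exp(-d / mean) to within 1/n.
    """
    t0 = datetime(2026, 4, 23, 0, 0)
    fleet = []
    for k in range(n):
        u = (k + 0.5) / n
        lease = timedelta(hours=-mean_lease_hours * math.log(1.0 - u))
        fleet.append(Indicator(f"203.0.113.{k % 256}", t0, t0 + lease))  # TEST-NET-3
    return fleet


def dwell_hours(inc: Incident) -> float:
    """Dwell time of one intrusion in hours."""
    return (inc.first_detection - inc.first_attacker_activity).total_seconds() / 3600


def median_dwell_hours(incidents) -> float:
    return median(dwell_hours(i) for i in incidents)


def soc_report(indicators, incidents, ingest_lag: timedelta) -> dict:
    """The two numbers a SOC dashboard would show side by side."""
    return {
        "ingest_lag_hours": ingest_lag.total_seconds() / 3600,
        "indicators_still_live": round(live_fraction(indicators, ingest_lag), 3),
        "median_dwell_hours": median_dwell_hours(incidents),
    }


# Constructed incident timeline: three intrusions with known compromise and detection times.
SAMPLE_INCIDENTS = [
    Incident("router-egress-a", datetime(2026, 3, 1, 9), datetime(2026, 3, 4, 9)),     # 72 h
    Incident("vpn-creds-b", datetime(2026, 3, 5, 0), datetime(2026, 3, 15, 0)),        # 240 h
    Incident("web-shell-c", datetime(2026, 3, 10, 6), datetime(2026, 3, 11, 12)),      # 30 h
]

if __name__ == "__main__":
    fleet = make_fleet(1000, mean_lease_hours=24)
    for lag in (6, 24, 72):
        print(soc_report(fleet, SAMPLE_INCIDENTS, timedelta(hours=lag)))
```

With a 24-hour mean rotation, a feed that takes six hours to reach enforcement still blocks about 78% of the published addresses; at a one-day lag that drops to roughly 37%, and at three days to 5%. The dwell-time figure is independent of the feed pipeline altogether, which is the point of the metric swap: it measures the defender's own detection capability rather than the attacker's infrastructure churn.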

Escalation

The advisory represents a formal institutional escalation of the defender posture question: it moves from treating IOC-based defence as supplementary to stating in co-signed print that it fails as a primary control. The sixteen-signature count and the named contractor attribution together raise the geopolitical cost of continued Raptor Train and KV Botnet operation.

What could happen next?

• Consequence: SOC tooling vendors face board-level pressure to add dwell-time KPIs and SOHO-device traffic baselining to their default product dashboards within the next product cycle. (Short term · 0.8)
• Risk: Organisations in the energy, healthcare, transport and government sectors named in the advisory face elevated targeting risk, as Flax Typhoon-linked actors may increase operational tempo ahead of anticipated enforcement actions. (Short term · 0.75)
• Precedent: The Integrity Technology Group naming establishes a template for attributing Chinese state-backed cyber operations to named private contractors rather than to state organs, with downstream implications for WTO and bilateral trade leverage. (Medium term · 0.7)
• Opportunity: Network security vendors offering SOHO device monitoring, traffic baselining and botnet egress detection gain a direct sales narrative from a sixteen-agency advisory confirming the attack class is active. (Immediate · 0.85)
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

NCSC UK · 30 Apr 2026
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflect end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.