Michael Horka

Lilac Typhoon Aboard the Indigo Train – The Current State of Chinese Obfuscation Networks

For more than four years, Black Lotus Labs, the threat intelligence division of Lumen Technologies, has monitored Chinese state-sponsored threat actor Lilac Typhoon’s intrusion operations against U.S. and Taiwan government, military, critical infrastructure, and communications sectors through an evolving covert network of compromised SOHO and IoT devices. Historically, Lilac Typhoon conducted their intrusion operations, including 0-day exploitation, through an array of compromised modems and routers we dubbed “Silverfox.” Today, Silverfox has evolved into what we now call “Indigo Train”: a series of “malwareless,” elusive, geographically distributed, and chained operational nodes, consisting of hijacked SOHO and IoT devices. The structure of this chaining methodology mirrors what we have observed from an associated threat actor, indicating a likely shift to enhance operational security over the past few years by Chinese state-sponsored threat actors.

This talk will start by outlining the early stages of the Silverfox covert network and briefly discuss historical exploitation activity we observed. Next, we will show how the network has evolved into what we call Indigo Train, and how we track the device chaining methodology used by Lilac Typhoon to conduct exploitation activity through this network. Then, we will dive into what types of edge devices and systems we have observed targeted through this network and in what sectors. Lastly, we will discuss why we anticipate this type of network to be indicative of increased operational security from Chinese threat actors, how this impacts the future of Chinese obfuscation networks, and why this type of network presents significant challenges for network defenders, threat intelligence companies and the intelligence community at large.


Michael Horka is a Principal Information Security Engineer at Black Lotus Labs, the threat research division of Lumen Technologies. He is responsible for covert network, botnet and advanced actor tracking and intelligence. He has over a decade of experience performing threat analysis and reporting on nation-state campaigns, most notably as a Special Agent with the FBI’s Houston Field Office.

[Image: headshot of Michael Horka, LABScon 2025]