The United States Department of Justice, together with law enforcement partners in Germany, the Netherlands and the United Kingdom, has dismantled the infrastructure of a Russian botnet known as RSOCKS, which hacked millions of computers and other electronic devices around the world. The word botnet is a blend of the words “robot” and “network.” A botnet is a network of computers running bots under the control of a bot herder. Bots are software applications that run automated scripts without the owner’s knowledge and are typically used for malicious purposes. Every device that is connected to the internet is assigned an Internet Protocol (IP) address. An IP address is a unique address that identifies a device on the internet, such as your smart refrigerator, your security cameras, your smartphone or a local network.
A legitimate proxy service provides IP addresses to its clients for a fee. A proxy server is a system or router that provides a gateway between users and the internet, and it can help prevent cyber attackers from reaching a private network directly. It is referred to as an “intermediary” because it sits between end users and the web pages they visit online. When a computer connects to the internet, it uses an IP address. This is similar to your home’s street address: it tells incoming data where to go and marks outgoing data with a return address that other devices can use to reach you. A proxy server is essentially a computer on the internet that has an IP address of its own.
Typically, the proxy service provides access to IP addresses that it leases from internet service providers (ISPs). Rather than offer proxies that RSOCKS had leased, the RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked. The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic. A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based “storefront” (i.e., a public website that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.
According to documents unsealed yesterday in the Southern District of California, the RSOCKS botnet, operated by Russian cybercriminals, comprised millions of hacked devices worldwide. The RSOCKS botnet initially targeted Internet of Things (IoT) devices. Today, more and more devices are being connected to one another rather than to people. The result is the growing Internet of Things, which includes millions of devices, from smart thermostats and security cameras to industrial sensors and medical equipment. It even includes things like the AI-fueled cameras that help autonomous vehicles patrol our streets safely and securely. The RSOCKS botnet also compromised other kinds of devices, including Android devices and conventional computers.
Once purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet’s backend servers. The customer could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic. It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages.
“The RSOCKS botnet compromised millions of devices throughout the world,” according to U.S. Attorney Randy Grossman. “This operation disrupted a highly sophisticated Russia-based cybercrime organization that conducted cyber intrusions in the United States and abroad,” said FBI Special Agent in Charge Stacey Moy.
FBI investigators used undercover purchases to obtain access to the RSOCKS botnet in order to identify its backend infrastructure and its victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices throughout the world, with numerous devices located within San Diego County. Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised victim devices by conducting brute-force attacks. The RSOCKS backend servers maintained a persistent connection to each compromised device. Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals. At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were subsequently compromised by RSOCKS. The FBI identified at least six victims in San Diego.
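As an added illustration, not from the article or the investigation, the two findings above give a network defender two things to look for on a small IoT device: a burst of failed logins from one source followed by a success (a brute-force guess that worked), and a long-lived outbound connection from the device to an unfamiliar host (the persistent backend link). The log lines and flow records below are constructed, and the thresholds are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the page): an IoT device's auth log
# and netflow-style records of its outbound connections.
AUTH_LOG = """\
2022-06-16T01:00:01 auth: failed login user=admin from=203.0.113.5
2022-06-16T01:00:02 auth: failed login user=admin from=203.0.113.5
2022-06-16T01:00:03 auth: failed login user=root from=203.0.113.5
2022-06-16T01:00:04 auth: failed login user=admin from=203.0.113.5
2022-06-16T01:00:05 auth: failed login user=user from=203.0.113.5
2022-06-16T01:00:06 auth: login ok user=admin from=203.0.113.5
2022-06-16T01:30:00 auth: failed login user=admin from=198.51.100.7
2022-06-16T01:31:00 auth: login ok user=admin from=198.51.100.7
"""
FLOWS = [  # (src, dst, start, end), constructed
    ("192.168.1.20", "203.0.113.5", "2022-06-16T01:00:10", "2022-06-16T13:00:10"),
    ("192.168.1.20", "192.0.2.44", "2022-06-16T02:00:00", "2022-06-16T02:00:05"),
]
AUTH_RE = re.compile(r"^(\S+) auth: (failed login|login ok) user=(\S+) from=(\S+)$")
BRUTE_THRESHOLD = 5  # assumed: failures from one source before we flag it
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def brute_force_sources(log, threshold=BRUTE_THRESHOLD):
    """Return {source_ip: (failures, succeeded_after_burst)} for sources at or
    above the failure threshold. A success after the burst is the case that
    matters most: the guessed credential worked."""
    fails = defaultdict(int)
    success_after = set()
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        _, outcome, _, src = m.groups()
        if outcome == "failed login":
            fails[src] += 1
        elif fails[src] >= threshold:
            success_after.add(src)
    return {s: (n, s in success_after) for s, n in fails.items() if n >= threshold}


def long_lived_outbound(flows, min_hours=6):
    """Return (src, dst, hours) for outbound flows held open at least min_hours
    (assumed cutoff); a persistent link from a device is worth a second look."""
    out = []
    for src, dst, start, end in flows:
        secs = (datetime.strptime(end, TS_FMT) - datetime.strptime(start, TS_FMT)).total_seconds()
        if secs / 3600 >= min_hours:
            out.append((src, dst, round(secs / 3600, 1)))
    return out
```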