Russian botnet disrupted in international cyber operation | USAO-SDCA

Assistant U.S. Attorney Jonathan I. Shapiro (619) 546-8225


SAN DIEGO — The U.S. Department of Justice, working with law enforcement partners in Germany, the Netherlands, and the United Kingdom, has taken down the infrastructure of a Russian botnet known as RSOCKS that had hacked into millions of computers and other electronic devices worldwide.

A botnet is a group of hacked Internet-connected devices that are controlled as a group without the knowledge of the owner and typically used for malicious purposes. Every device connected to the Internet is assigned an Internet Protocol (IP) address.

According to a search warrant affidavit, unsealed today in the Southern District of California, and the operators’ own claims, the RSOCKS botnet, operated by Russian cybercriminals, included millions of hacked devices worldwide. The RSOCKS botnet initially targeted Internet of Things (IoT) devices. IoT devices include a wide range of equipment, such as industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers, that is connected to the Internet, communicates over it, and is therefore assigned an IP address. The RSOCKS botnet later spread by compromising other types of devices, including Android devices and conventional computers.

“The RSOCKS botnet has compromised millions of devices around the world,” said U.S. Attorney Randy Grossman. “Cybercriminals will not escape justice no matter where they operate. Working with public and private partners around the world, we will pursue them relentlessly while using every tool at our disposal to foil their threats and prosecute those responsible.” Grossman thanked the prosecution team, the FBI, and the Computer Crimes and Intellectual Property Section of the Justice Department’s Criminal Division for their excellent work on this case.

“This operation disrupted a highly sophisticated Russia-based cybercrime organization that has conducted cyber intrusions in the United States and abroad,” said FBI Special Agent in Charge Stacey Moy. “Our fight against cybercriminal platforms is an essential part of ensuring cybersecurity and safety in the United States. The actions we are announcing today demonstrate the FBI’s continued commitment to prosecuting threatening foreign actors in collaboration with our international and private sector partners.”

A legitimate proxy service provides IP addresses to its customers for a fee. Typically, the proxy service provides access to IP addresses that it leases from Internet Service Providers (ISPs). Rather than offering proxies it had leased, the RSOCKS botnet offered its customers access to IP addresses assigned to devices that had been hacked. The owners of these devices had not authorized the RSOCKS operator(s) to access their devices, use their IP addresses, or route Internet traffic through them. A cybercriminal who wanted to use the RSOCKS platform could use a web browser to access a web-based “storefront” (that is, a public website that allows users to purchase access to the botnet), which let the customer pay to rent access to a pool of proxies for a specified daily, weekly, or monthly period. The cost of accessing an RSOCKS proxy pool ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

Once access was purchased, the customer could download a list of IP addresses and ports associated with one or more botnet backend servers. The customer could then route malicious Internet traffic through the compromised victim devices to obscure or mask the true source of the traffic. It is believed that users of this type of proxy service were carrying out large-scale attacks on authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts or sending malicious emails, such as phishing messages.

As alleged in the unsealed warrant, FBI investigators used undercover purchases to gain access to the RSOCKS botnet in order to identify its core infrastructure and victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices worldwide, with many devices located in San Diego County. Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised victim devices by conducting brute-force attacks. The main RSOCKS servers maintained a persistent connection with each compromised device. Several large public and private entities fell victim to the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home-based businesses and individuals. At three of the victim sites, with their consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were later compromised by RSOCKS. The FBI has identified at least six victims in San Diego.

This case has been investigated by the FBI and is being prosecuted by Assistant U.S. Attorney Jonathan I. Shapiro of the Southern District of California and Ryan KJ Dickey, senior attorney for the Computer Crimes and Intellectual Property Section of the Criminal Division of the Department of Justice. The Department of Justice expresses its gratitude to authorities in Germany, the Netherlands, and the United Kingdom, the Office of International Affairs of the Department of Justice, and the private sector cybersecurity firm Black Echo, LLC for their assistance throughout the investigation.

In September 2020, FBI Director Christopher Wray announced the FBI’s new strategy to combat cyber threats. The strategy focuses on imposing risk and consequence on cyber adversaries through the FBI’s unique authorities, world-class capabilities, and enduring partnerships. Victims are encouraged to report incidents online to the Internet Crime Complaint Center (IC3).
