US Government and Allies Disrupt Massive Russian BotnetBotnet Targets IoT and Android Devices, Industrial Control Systems and Computers
The U.S. Department of Justice said on Thursday that, together with law enforcement partners in Germany, the Netherlands and the United Kingdom, it has dismantled the infrastructure of a massive Russian botnet known as RSOCKS, which hacked millions of computers and other electronic devices around the world.
Every device connected to the internet is assigned an IP address, and RSOCKS is a proxy service that provides IP addresses to its clients for a fee. It leases IP addresses from internet service providers or ISPs.
Rather than offering proxies that RSOCKS had leased, the RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked. The owners of these devices did not give the RSOCKS operators authority to access their devices to use their IP addresses and route internet traffic.
Cybercriminals wanting to use the RSOCKS platform could navigate via web browser to a web-based "storefront" - a public website that allows users to purchase access to the botnet, which allowed the criminal to pay and rent access to a pool of proxies for a specified daily, weekly or monthly time period.
The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.
Once purchased, the criminal could download a list of IP addresses and ports associated with one or more of the botnet's back-end servers. The criminal could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic.
It is believed that the users of this type of proxy service were conducting large-scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts or sending malicious email, such as phishing messages.
According to a search warrant affidavit unsealed Thursday in the Southern District of California, and the operators own claims, the RSOCKS botnet initially targeted IoT devices that include industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers - which are all connected to and can communicate over the internet and therefore are assigned IP addresses.
The RSOCKS botnet expanded into compromising additional types of devices, including Android devices and conventional computers.
As alleged in the unsealed warrant, FBI investigators used undercover purchases to obtain access to the RSOCKS botnet to identify its back-end infrastructure and victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices throughout the world, and numerous devices were located within San Diego County.
Through analysis of the victim devices, investigators determined that the RSOCKS botnet had compromised the victim devices by conducting brute force attacks. The RSOCKS back-end servers maintained a persistent connection to the compromised devices.
Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio and an electronics manufacturer, as well as home businesses and individuals. At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers - i.e., honeypots, and all three were subsequently compromised by RSOCKS. The FBI identified at least six victims in San Diego.
U.S. Attorney Randy Grossman says the RSOCKS botnet compromised millions of devices globally. "Cybercriminals will not escape justice regardless of where they operate. Working with public and private partners around the globe, we will relentlessly pursue them while using all the tools at our disposal to disrupt their threats and prosecute those responsible," Grossman says.
He acknowledged the work on this case by the FBI and the Department of Justice Criminal Division's Computer Crimes and Intellectual Property Section.
FBI Special Agent in Charge Stacey Moy says this operation disrupted "a highly sophisticated" Russia-based cybercrime organization that conducted cyber intrusions in the United States and abroad. "Our fight against cybercriminal platforms is a critical component in ensuring cybersecurity and safety in the United States," Moy says.
This case was investigated by the FBI and is being prosecuted by Assistant U.S. Attorney Jonathan I. Shapiro of the Southern District of California and Ryan K.J. Dickey, Senior Counsel for the Department of Justice Criminal Division's Computer Crimes and Intellectual Property Section, with support from the authorities of Germany, the Netherlands, and the United Kingdom.
In September 2020, FBI Director Christopher Wray announced the FBI's new strategy for countering cyberthreats. The strategy focuses on imposing risk and consequences on cyber adversaries through the FBI's authorities, capabilities and partnerships. Victims are encouraged to report the incident online with the Internet Crime Complaint Center
'Toeing the Line'
RSOCKS, according to Akamai's director of security technology and strategy, APJ, Dean Houari, was a "popular proxy service operated by cybercriminals."
Since it has grown from one lone hacker or a small group of hackers to now being an organized crime gang, the RSOCKS botnet has a global reach, he tells Information Security Media Group. "There's so much money, there's so much revenue, it's almost like a drug cartel," he says.
He also says that is why CISOs should be concerned about botnet attacks. "Threat actors will seek to disrupt or attack any company that has an online presence," Houari says. "Everybody is a target."
"Companies that thought that they were not a target for DDoS or APT attacks are now a target. That's how the game has evolved. That shows the motivation of Russian botnets to sell on the dark web, peer-to-peer botnets. There is just as much money to be made from conducting an attack as there is from selling it as a service to other threat actors, who may not have the skills to create these p2p botnets. ... Now anyone can conduct a DDoS attack at the level of cybercriminal gangs," he says.
The risk for businesses that do not update or improve their security posture is just "too great," Houari says.
And ISPs have little control over whom IP addresses are sold to and few instances in which they can take action, although, if an IoT IP address source is sending a lot of traffic, the ISP can blacklist it.
"The scary thing about this is they're [ISPs] just selling a valid infrastructure as web proxy service. So it's like toeing the line with the law. They're taking advantage of the freedom of the internet and the business of the ISPs. They offer something that is actually legal as a web proxy service," he says, and bad actors "weaponize" the IP addresses in RSOCKS and use the IPs of the compromised devices to "amplify" traffic or to conduct brute force attacks to hack millions of devices.
(Note: This story was updated on June 20 to include commentary from Akamai's director of security technology and strategy, APJ, Dean Houari.)