The U.S. Department of Justice said on Thursday that, together with law enforcement partners in Germany, the Netherlands and the United Kingdom, it has dismantled the infrastructure of a massive Russian botnet known as RSOCKS, which hacked millions of computers and other electronic devices around the world.
Every device connected to the internet is assigned an IP address, and RSOCKS is a proxy service that provides IP addresses to its clients for a fee. It leases IP addresses from internet service providers or ISPs.
Rather than offer proxies that RSOCKS had leased, the RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked. The owners of these devices did not give the RSOCKS operator(s) authority to access their devices to use their IP addresses and route internet traffic. Cybercriminals wanting to use the RSOCKS platform could navigate via web browser to a web-based “storefront” (a public web site that allows users to purchase access to the botnet), which allowed the criminal to pay and rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.
Once purchased, the criminal could download a list of IP addresses and ports associated with one or more of the botnet’s backend servers. The criminal could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic. It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages.
Search Warrant
According to a search warrant affidavit unsealed June 16 in the Southern District of California, and the operators’ own claims, the RSOCKS botnet initially targeted IoT devices that include industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers – all are connected to and can communicate over the internet. Therefore, they are assigned IP addresses. The RSOCKS botnet expanded into compromising additional types of devices, including Android devices and conventional computers.
As alleged in the unsealed warrant, FBI investigators used undercover purchases to obtain access to the RSOCKS botnet to identify its backend infrastructure and victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices throughout the world with numerous devices located within San Diego County. Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim devices by conducting brute force attacks. The RSOCKS backend servers maintained a persistent connection to the compromised devices. Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals. At three of the victim locations, with consent, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots), and all three were subsequently compromised by RSOCKS. The FBI identified at least six victims in San Diego.
U.S. Attorney Randy Grossman says the RSOCKS botnet compromised millions of devices globally. “Cyber criminals will not escape justice regardless of where they operate. Working with public and private partners around the globe, we will relentlessly pursue them while using all the tools at our disposal to disrupt their threats and prosecute those responsible,” Grossman says.
He acknowledged the work on this case by the FBI and the Department of Justice Criminal Division’s Computer Crimes and Intellectual Property Section.
FBI Special Agent in Charge Stacey Moy says this operation disrupted “a highly sophisticated” Russia-based cybercrime organization that conducted cyber intrusions in the United States and abroad. “Our fight against cybercriminal platforms is a critical component in ensuring cybersecurity and safety in the United States.” Moy says.
This case was investigated by the FBI and is being prosecuted by Assistant U.S. Attorney Jonathan I. Shapiro of the Southern District of California and Ryan K.J. Dickey, Senior Counsel for the Department of Justice Criminal Division’s Computer Crimes and Intellectual Property Section, with support from the authorities of Germany, the Netherlands, and the United Kingdom.
In September 2020, FBI Director Christopher Wray announced the FBI’s new strategy for countering cyber threats. The strategy focuses on imposing risk and consequences on cyber adversaries through the FBI’s authorities, capabilities, and partnerships. Victims are encouraged to report the incident online with the Internet Crime Complaint Center (IC3) www.ic3.gov.