X
Tech

US disrupts Russian botnet that 'hacked millions of devices'

The RSOCKS proxy service was built on a network of millions of compromised Internet of Things devices.
Written by Liam Tung, Contributing Writer
getty-hacker-hands-on-a-keyboard.jpg
Image: Getty

The US Department of Justice (DoJ) has dismantled the infrastructure of what it described as a Russian botnet consisting of millions of hacked Internet of Things (IoT) devices

According to the DoJ, RSOCKS was operating as a proxy service, but instead of offering customers IP addresses legitimately leased from internet service providers (ISPs), the firm was offering IP addresses that had been assigned to hacked devices. 

The DoJ said that together with law enforcement partners in Germany, the Netherlands and the UK it has "dismantled" the infrastructure of RSOCKS, "which hacked millions of computers and other electronic devices around the world".

SEE: Don't let your cloud cybersecurity choices leave the door open for hackers

The service was available for cybercriminals to use to conceal the source of their activity, which included credential attacks on login web pages.  

"It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages," the DOJ said

RSOCKS's website advertising its services and prices has now been replaced with a message that it has been seized by the FBI, but previously customers could buy access to a pool of RSOCKS proxies from $30 a day for 2,000 proxies to $200 per day for 9,000 proxies, according to the DoJ.

Once purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet's backend servers. The customer could then route malicious internet traffic through the compromised victim's devices to mask the true source of the traffic, the DOJ said.

RSOCKS operators allegedly built the proxy service by brute forcing passwords for IoT devices, many of which are put into service with default passwords or are protected by weak passwords. 

The operators initially targeted IoT devices to build the botnet but later expanded to compromising Android devices and computers. Victims of the botnet included a university, hotel, a television studio, and an electronics manufacturers. Other victims were home businesses and individuals.

SEE: Cloud computing security: Where it is, where it's going

The DOJ revealed it had dismantled the botnet as it unsealed a search warrant affidavit in the Southern District of California. 

"This operation disrupted a highly sophisticated Russia-based cybercrime organization that conducted cyber intrusions in the United States and abroad," said FBI special agent in charge, Stacey Moy. 

"Our fight against cybercriminal platforms is a critical component in ensuring cybersecurity and safety in the United States. The actions we are announcing today are a testament to the FBI's ongoing commitment to pursuing foreign threat actors in collaboration with our international and private sector partners."

The DoJ in April announced it had disrupted a botnet controlled by the Russian Federation's Main Intelligence Directorate (GRU) that consisted of thousands of infected WatchGuard and Asus firewall devices. 

Editorial standards