A Russian botnet which hacked millions of connected devices around the world has been dismantled in an international sting led by the US with the support of the UK.
Agents from the FBI, working with counterparts in the UK, Germany and the Netherlands, have taken down the infrastructure behind RSOCKS in operation which saw undercover agents purchase access to the botnet to identify its backend infrastructure and victims. The operation was revealed in unsealed court documents published in the Southern District of California yesterday.
“The RSOCKS botnet compromised millions of devices throughout the world,” said US Attorney Randy Grossman. “Cyber criminals will not escape justice regardless of where they operate. Working with public and private partners around the globe, we will relentlessly pursue them while using all the tools at our disposal to disrupt their threats and prosecute those responsible.”
How did the RSOCKS botnet work?
RSOCKS hacked into millions of devices, and offered cybercriminals the chance to purchase access to the IP addresses of the compromised systems. The Russian gang behind the botnet provided an online ‘storefront’ where other criminals could pay for access on a daily basis.
The US Department of Justice says hackers could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic. “It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages,” a DoJ statement said.
Who were the victims of the RSOCKS botnet?
The DoJ says RSOCKS initially targeted Internet of Things devices including industrial control systems, time clocks, routers, audio and video streaming devices, as well as consumer devices such as smart garage door openers. The botnet expanded into compromising additional types of devices, including Android devices and PCs.
Victims identified by investigators span major public and private sector organisations around the world, including university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals.
RSOCKS botnet take-down reflects FBI’s aggressive new stance
RSOCKS is the second Russian botnet the FBI has dismantled recently. In April, Tech Monitor reported how the agency had foiled another botnet, known as Cyclops Blink, which was run by a group of hackers thought to be linked to Russia’s security force, the GRU.
Speaking to Tech Monitor in April, Greg Austin, programme head of cyber, space and future conflict at the International Institute for Strategic Studies, said such operations suggest the FBI has been granted new authority to tackle cybersecurity threats aggressively, particularly since Russia’s invasion of Ukraine.
“It certainly looks like it’s breaking new ground for the FBI,” Austin said. “It’s likely they’ve been given an authority and clear approval to do this.” He added: ““We can expect that the US is acting unilaterally in cyberspace at a much more robust level against Russia than before [the war stated].”