The U.S. Department of Justice has confirmed it has seized and dismantled the infrastructure of a Russian botnet used to hijack millions of devices worldwide for use as proxy servers.
According to prosecutors, RSocks provided its web proxy service — operated by unnamed Russian cybercriminals — by hacking into millions of computers, smartphones, and Internet of Things devices and converting them into unwitting proxy servers, allowing paying customers to use the IP addresses of the compromised devices without the permission or the knowledge of the owners.
According to its Twitter account, the botnet had access to more than eight million residential devices and more than one million mobile IPs.
Proxy services, which are not inherently illicit or illegal, provide IP addresses to their clients for a fee, for purposes such as bypassing censorship or accessing content geo-blocked to a particular region. But according to prosecutors, RSocks was allegedly obtaining its IP addresses by hacking into millions of devices through brute force attacks.
Customers could access a web-based “storefront” where they could rent access to proxies for a specific time period. Once purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet’s backend servers, and then route malicious internet traffic through the compromised devices to mask or hide the true source of the traffic.
“It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages,” the Justice Department said in a press release announcing the successful takedown of the botnet’s infrastructure.
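Detecting the credential stuffing the press release describes, as an added example that is not from the article or from the Justice Department: when every attempt arrives from a different hijacked residential IP, a per-IP failure threshold never fires, while a per-account rule that counts distinct source IPs behind the failures does. The log lines, field names, and thresholds below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the page). Each failed attempt
# against "alice" comes from a different source IP, so no single IP looks noisy;
# "carol" is an ordinary user who mistyped a password once from her own address.
SAMPLE_LOG = """\
2022-06-16T10:00:01Z login user=alice src=203.0.113.10 result=fail
2022-06-16T10:00:02Z login user=alice src=198.51.100.7 result=fail
2022-06-16T10:00:03Z login user=alice src=192.0.2.44 result=fail
2022-06-16T10:00:04Z login user=bob src=192.0.2.9 result=ok
2022-06-16T10:00:05Z login user=alice src=203.0.113.77 result=fail
2022-06-16T10:00:06Z login user=carol src=198.51.100.30 result=fail
2022-06-16T10:00:07Z login user=alice src=198.51.100.88 result=fail
2022-06-16T10:00:08Z login user=carol src=198.51.100.30 result=ok
"""

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")

def parse_auth_log(text):
    """Return one (user, src_ip, failed) tuple per parsable log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["user"], m["src"], m["result"] != "ok"))
    return events

def flag_by_source_ip(events, max_failures=5):
    """Classic per-IP rule: flag source IPs with more than max_failures failures."""
    failures = defaultdict(int)
    for _user, src, failed in events:
        if failed:
            failures[src] += 1
    return {src for src, n in failures.items() if n > max_failures}

def flag_distributed_stuffing(events, min_distinct_ips=5, min_fail_ratio=0.8):
    """Per-account rule: flag accounts whose failures are spread over many IPs."""
    attempts, fails, fail_ips = defaultdict(int), defaultdict(int), defaultdict(set)
    for user, src, failed in events:
        attempts[user] += 1
        if failed:
            fails[user] += 1
            fail_ips[user].add(src)
    return {
        user for user in attempts
        if len(fail_ips[user]) >= min_distinct_ips
        and fails[user] / attempts[user] >= min_fail_ratio
    }
```

On the sample log the per-IP rule returns nothing, while the per-account rule flags `alice`; in production the same counts would be kept over a sliding time window rather than a whole file.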
FBI investigators used undercover purchases to get access to the RSocks botnet to identify its backend infrastructure and victims. The initial undercover purchase in early 2017 identified approximately 325,000 compromised victim devices, mainly located in the United States.
Alongside individuals, homes, and small businesses, several large public and private entities have fallen victim to the RSocks botnet, prosecutors said, including a university, a hotel, a television studio, and an electronics manufacturer.
“Cyber criminals will not escape justice regardless of where they operate,” said U.S. Attorney Randy Grossman. “Working with public and private partners around the globe, we will relentlessly pursue them while using all the tools at our disposal to disrupt their threats and prosecute those responsible.”
The RSocks botnet is the second of its kind that has recently been dismantled by U.S. authorities. In April, an FBI operation revealed that it had disrupted another botnet, known as Cyclops Blink, which was operated by a group of hackers working for Russia’s GRU, the country’s military intelligence unit.