Russian RSOCKS botnet taken down in international operation

Sicherheit (Pexels, allgemeine Nutzung)[German]In a joint action of international investigators, the Russian RSOCKS botnet was dismantled. Authorities from the United States, Germany, the Netherlands, and the United Kingdom were involved in the operation. This bot network was rented to cybercriminals for years at prices ranging from $30 to $200 per day to launch cyberattacks and phishing waves on targets around the world.


RSOCKS' website now only contains the following message, which informs about the FBI seizure and refers to this statement from the U.S. Attorney's Office in the Southern District of California.

RSOCK site seized

Within the statement, the U.S. Attorney's Office informs that the U.S. Department of Justice, along with law enforcement partners in Germany, the Netherlands, and the United Kingdom, has dismantled the infrastructure of a Russian RSOCKS botnet.

The RSOCKS Botnet

A botnet is a group of compromised devices with Internet access. These hacked devices are controlled without the owner's knowledge and are usually used for malicious purposes. According to the U.S. Justice Department's search warrant and the botnet operators' own statements, the RSOCKS botnet operated by Russian cybercriminals included millions of hacked devices worldwide.

The RSOCKS botnet initially targeted Internet of Things (IoT) devices. IoT devices include a wide range of devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers that are connected to and can communicate over the Internet and are therefore assigned IP addresses. Over time, however, the RSOCKS botnet expanded and compromised more types of devices. These included Android devices and traditional computers.


Renting the infrastructure

The RSOCKS botnet provided "its customers" with access to IP addresses assigned to hacked devices. The devices were misused by RSOCKS operators to forward Internet traffic without the owners' knowledge. A cybercriminal who wanted to use the RSOCKS platform could rent access to the botnet via a public website using a browser. In doing so, the cybercriminal could rent access to a pool of proxies for a specified daily, weekly, or monthly period. The cost of access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies. Here, one proxy corresponds to one compromised IoT device that could be misused for criminal purposes.

Once purchased, the customer could download a list of IP addresses and ports that were connected to one or more backend servers of the botnet. The customer could then route malicious Internet traffic through the victims' compromised devices to disguise or hide the true source of the traffic. Investigators suspect that the cybercriminals were conducting large-scale attacks on authentication services via this type of proxy service. This method is also known as credential stuffing, in which collections of stolen or leaked credentials are used to log into online accounts. The attackers anonymized their access to such compromised social media accounts via the proxies or origin when sending malicious emails, such as phishing messages.

FBI gained access

The seizure documents show that FBI investigators gained access to the RSOCKS botnet through covert buys. Investigators then sought to identify the backend infrastructure of the RSOCKS botnet and its victims. The initial covert purchase in early 2017 identified approximately 325,000 compromised victim devices around the world, including numerous devices in San Diego County.

Upon analyzing the victim devices, investigators determined that the RSOCKS botnet compromised the victim devices through brute force attacks. The RSOCKS backend servers maintained a persistent connection to the compromised device. Several large public and private entities were victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as private companies and individuals.

For three of the victims, investigators replaced the compromised devices with government-controlled computers (i.e., honeypots) with their consent, and all three were subsequently infected by RSOCKS. The FBI identified at least six victims in San Diego.

"This operation dismantled a sophisticated, Russian-based cybercrime organization that was conducting cyberattacks in the United States and abroad," said FBI Special Agent in Charge Stacey Moy. "Our fight against cybercriminal platforms is a critical component in ensuring cybersecurity in the United States. The actions we're announcing today are a testament to the FBI's continued commitment to going after foreign threat actors in collaboration with our international and private sector partners."

It all goes back to September 2020, when FBI Director Christopher Wray announced the FBI's new strategy to combat cyberthreats. The strategy focuses on depriving cybercriminals of infrastructure and, where possible, arresting the cybercriminals as well. In the past, numerous cybercriminals have been arrested and their infrastructure seized. In the meantime, numerous such measures have been carried out (see the following list of links).

Similar articles
Interpol arrests Nigerian head of BEC fraud gang
Operation Falcon II: Interpol and Nigerian police arrest 11 cybercriminals
Interpool arrests 3 Nigerian BEC cybercriminals (June 2, 2022)
Interpol arrests 2,000 cyber fraudsters in Operation "First Light 2022"
Europol arrests 1,803 money mules of Internet fraudsters
Twitter hack of July 2020: First arrests
Europol/FBI takes down one of the largest hacker forums in the world with RaidForums
7 teenagers arrested in connection with the LAPSUS$ hacks
REvil ransomware Group took down in Russia by FSB
Five affilitates of Sodinokibi/REvil ransomware group arrested
2 ransomware operators arrested in Ukraine by law enforcements and Europol
Ironside: Police trick criminals with ANOM Crypto-Devices and Messenger app
Egregor ransomware gang members arrested
Netwalker Ransomware Darknet Website Seized, First Indictment
Operation DisrupTor: 179 Dark Net actors arrested
News in the fight against SUNBURST infection, domain seized
VPN services seized by law enforcement officials
Europol took down, which has been used by Cybercriminals
German police seized a darknet server farm in a shelter
Access to public/private surveillance cameras sold: Italian hacking groups busted
German BKA takes down illegal Darknet "Hydra Market"

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *