Investigators Disrupt Giant RSocks Botnet

Written by

Global law enforcers have dismantled a Russian botnet thought to have contained millions of infected machines and devices.

RSocks was rented out to other cyber-criminals who used its proxy servers to remain anonymous as they launched credential stuffing, account takeover, phishing and other attacks, according to the US Department of Justice (DoJ).

FBI investigators went undercover to rent access to the botnet via its web-based “storefront.” In doing so, as far back as 2017, they discovered 325,000 compromised victim devices globally, including several located in San Diego County.   

The operation culminated in coordinated action with investigators in Germany, the Netherlands and the UK to dismantle the botnet’s infrastructure.

It’s claimed RSocks was built first from millions of IoT devices, including industrial control systems, routers, AV streaming devices and even smart garage door openers. Later, Android devices and conventional computers were compromised and added to the botnet, according to the DoJ.

It said victims had their devices or machines hijacked via brute force attacks that use automated software to crack open accounts.

“This operation disrupted a highly sophisticated Russia-based cybercrime organization that conducted cyber intrusions in the United States and abroad,” said FBI special agent in charge, Stacey Moy.

“Our fight against cyber-criminal platforms is a critical component in ensuring cybersecurity and safety in the United States. The actions we are announcing today are a testament to the FBI’s ongoing commitment to pursuing foreign threat actors in collaboration with our international and private sector partners.”  

There have been several well-publicized attempts to disrupt prolific cybercrime botnets in recent months.

In April, Microsoft and partners took control of 65 command and control (C&C) domains used by the ZLoader gang. A week earlier, the US authorities revealed details of an operation to disrupt the Cyclops Blink botnet before it was used.

It’s believed Cyclops Blink was run by the Russian state. However, operational outages caused by such activity rarely last as threat actors simply compromise new machines to replace those taken out of service.

What’s hot on Infosecurity Magazine?