A Russian botnet composed of millions of hacked devices, possibly the biggest proxy service available to the criminal underworld, is now out of business thanks to a collaborative effort involving United States and European law enforcement agencies.
The RSOCKS botnet had been active and available to dark web customers since at least 2014 and was commonly used for a variety of cyber attack types. The bulk of the Russian botnet was composed of compromised Internet of Things (IoT) devices, often those that have weak or no security.
Underground proxy service used for phishing, password cracking, denial of service
RSOCKS essentially functioned as a proxy service to mask traffic for a variety of attack types: phishing campaigns conducted by email and text message, distributed denial of service (DDoS), and as a means to guess at account passwords without tripping automated defenses that limit attempt amounts from a particular device.
The US Department of Justice (DOJ) dismantled the Russian botnet working in partnership with several European law enforcement agencies. The owner and operator of the underground proxy service was identified as Denis Kloster, who has been a major figure in the operation of cyber crime forums for nearly the past two decades. RSOCKS infrastructure has been seized and Kloster, who has a long history of involvement in spamming and running online scams in addition to facilitating criminal hacking, is being sought by law enforcement.
The Russian botnet appears to have comprised at least eight million devices at the time it was seized, using devices it had already captured to execute automated attacks against other devices with known vulnerabilities. IoT devices are popular targets for botnet operators as they often develop security vulnerabilities that the manufacturers cannot (or will not) patch, or ship with inadequate password security, such that the process of scanning for and breaching them can largely be automated. The general public may not be aware of them, but these proxy services backed by massive botnets are always around them; some estimates find that they make up as much as 40% of all internet traffic at this point.
Open to any cyber criminal, Russian botnet was available for little money
Botnets of this magnitude are hardly inaccessible to people with bad intent, as this particular case demonstrates. The RSOCKS proxy service was freely available to those surfing the dark web and could be rented out for about $30 to $200 USD per day, depending on how many devices the attacker wanted to have at their disposal.
The Russian botnet also demonstrates how difficult it can be to dismantle these services. The RSOCKS investigation and takedown operation spanned nearly five years, as the Federal Bureau of Investigation (FBI) first set up “honeypots” to attract the threat actors and examine the service’s internet traffic and means of operation. During the time the investigation unfolded, the Russian botnet grew from a little over 300,000 devices to its eventual total of over eight million.