FBI Takes Down IPStorm Malware Botnet as Hacker Behind It Pleads Guilty


The FBI dismantled the IPStorm botnet’s proxy network and infrastructure this week following a September plea deal with the hacker behind the operation.

The Justice Department said it removed infrastructure associated with the IPStorm malware, which experts say infected thousands of Linux, Mac and Android devices in Asia, Europe, North America and South America.

The botnet was first seen by researchers in June 2019, primarily targeting Windows systems, and stood out to experts because it used the peer-to-peer InterPlanetary File System (IPFS) protocol to communicate with infected systems and relay commands. Cisco warned last year that IPFS was being widely abused by attackers.

By 2020, several security companies had discovered that the malware had expanded to versions that infected other devices and platforms. Cybersecurity journalist Catalin Cimpanu reported that the botnet grew from approximately 3,000 infected systems in May 2019 to more than 13,500 devices in 2020.

On Tuesday, the U.S. Department of Justice said Sergei Makinin, a Russian and Moldovan national, pleaded guilty on September 18 to three computer hacking charges, each carrying a maximum sentence of ten years in prison.

According to the DOJ, Makinin developed and deployed the malware from June 2019 to December 2022, using it to hack thousands of internet-connected devices around the world.

“Makinin controlled these infected devices as part of a large botnet, which is a network of compromised devices. The main goal of the botnet was to turn infected devices into proxies as part of a for-profit scheme, which made access to these proxies available through Makinin’s websites, proxx.io and proxx.net,” the Justice Department explained.

“Through these websites, Makinin sold illegitimate access to infected and controlled devices to clients seeking to hide their Internet activities. A single customer could pay hundreds of dollars per month to route traffic to thousands of infected computers. Makinin’s publicly accessible website advertised that it had more than 23,000 ‘highly anonymous’ proxies from around the world.”

Makinin told officials he made at least $550,000 from the scheme and agreed to forfeit all cryptocurrencies tied to the operation.

The DOJ said it disabled the infrastructure set up by Makinin but did not go so far as to remove the malware from victims’ devices, a controversial step the FBI has taken in several previous botnet takedowns.

The FBI office in San Juan, Puerto Rico, led the investigation alongside FBI legal attachés in the Dominican Republic and Spain.

U.S. law enforcement also worked with the Spanish National Police Cyber Attack Group and several law enforcement agencies in the Dominican Republic.

The Justice Department also thanked Anomali Threat Research, one of the first companies to discover the malware, and Bitdefender, which also conducted extensive research into the botnet.

Alexandru Catalin Cosoi, senior director of the investigation and forensics unit at Bitdefender, confirmed that the company was involved in the investigation and told Recorded Future News that the Interplanetary Storm botnet was “complex and used to power various cybercriminal activities by renting it as a proxy-as-a-service system on infected IoT devices.”

Cosoi said that during Bitdefender’s research and analysis, clues to the identity of the cybercriminal were discovered and offered to law enforcement.

“Our initial research in 2020 revealed valuable clues about the culprit behind this operation, and we are extremely pleased that it helped lead to arrests,” Cosoi said.

“This investigation is another powerful example of law enforcement and the private cybersecurity industry working together to stop illegal online activity and bring those responsible to justice.”

The FBI and other U.S. law enforcement agencies have made a point of going after botnets in recent years.

In August, the FBI worked with a collection of international law enforcement agencies to take down Qakbot, one of the most prolific and longest-running botnets. In May, the FBI targeted the Kremlin-backed Snake malware, following a 2022 operation aimed at disrupting the Cyclops Blink malware.

But several of these takedowns, notably that of Emotet, were criticized for the lack of arrests, raising concerns that little could stop the groups from simply re-forming.

Joseph González, special agent in charge of the FBI San Juan Field Office, added that the FBI’s goal is “to impose risks and consequences on our adversaries, ensuring that cyberspace is not a safe space for criminal activities”.

“It is no secret that today many criminal activities are carried out or enabled by cyber means,” he said. “Cybercriminals seek to remain anonymous and feel a sense of security because they hide behind keyboards, often thousands of miles from their victims.”

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.