Incident Of The Week: FBI Attempts To Dissolve Botnet Wielding 500K Routers

Cyber Activity Linked To Russian Hacking Group



Dan Gunderman
05/25/2018

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a massive botnet that may have been set to place Ukraine under cyber-siege. The U.S. government is attempting to help regain control of around 500,000 infected routers and storage devices. The adversaries believed to be behind the act may be part of “Sofacy,” a Russian hacking group.

FBI Intervention

Security researchers believe the zombie horde was going to be leveraged by the hackers to prey on the nation that has long been the target of substantial cyber-attacks.

Ukraine’s SBU state security service commented on reports of the botnet by alleging that Russia was attempting to spearhead an attack in the days leading up to the Champions League soccer final, held in Kiev on May 26.

This week, the FBI was granted permission by a Pennsylvania federal judge to seize a domain reportedly connected to Sofacy – one used to control the widening collection, according to Reuters.

With the permission, the agency can direct devices toward a server controlled by the FBI. This logs location and allows authorities to gauge the epicenter of the supposed attack, as well as remove malware from targeted devices.
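The mechanism described above is a DNS sinkhole: once the seized C2 domain resolves to a server the defenders control, every infected device that phones home reveals itself, and the server's logs can be aggregated to see where the infections cluster. The following is an added example of that triage, not code from the article, the FBI or Cisco. The seized domain name, the sinkhole address (an RFC 5737 documentation IP) and all log lines are constructed placeholders, since the article names none of them.

```python
"""Toy model of a seized-C2-domain sinkhole and the triage a defender runs on
its logs.  Added example; the domain, sinkhole IP and log lines are constructed
placeholders, not values from the article."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Constructed placeholder for the seized C2 domain (the article names none).
SEIZED_DOMAINS = {"c2-placeholder.example"}
# Documentation address (RFC 5737) standing in for the authority-controlled server.
SINKHOLE_IP = "192.0.2.10"

# Constructed sinkhole log: timestamp, querying client, client geolocation, queried name.
SINKHOLE_LOG = """\
2018-05-23T10:00:01Z client=203.0.113.5 country=UA qname=c2-placeholder.example
2018-05-23T10:00:04Z client=203.0.113.9 country=UA qname=c2-placeholder.example
2018-05-23T10:00:09Z client=198.51.100.2 country=DE qname=c2-placeholder.example
2018-05-23T10:00:11Z client=203.0.113.77 country=UA qname=updates.vendor.example
2018-05-23T10:00:15Z client=198.51.100.40 country=US qname=C2-Placeholder.example.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) country=(?P<country>[A-Z]{2}) qname=(?P<qname>\S+)$"
)


def normalize_name(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def resolve(qname: str, seized: set[str] = SEIZED_DOMAINS) -> tuple[str | None, bool]:
    """Return (answer, sinkholed).  Any subdomain of a seized name is sinkholed too,
    because bots commonly use per-campaign labels under one controlled zone."""
    name = normalize_name(qname)
    for domain in seized:
        if name == domain or name.endswith("." + domain):
            return SINKHOLE_IP, True
    # Not a seized name: a real resolver would answer normally; we return no answer.
    return None, False


def parse_log(text: str) -> list[dict]:
    """Parse sinkhole log lines, skipping malformed ones rather than aborting triage."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        ipaddress.ip_address(entry["client"])  # raises ValueError on a garbage address
        entry["qname"] = normalize_name(entry["qname"])
        entries.append(entry)
    return entries


def infected_by_country(text: str) -> dict[str, int]:
    """Count distinct sinkholed clients per country.  Repeated beacons from the same
    device are counted once, so the result approximates infected devices, not queries."""
    seen: set[str] = set()
    counts: Counter[str] = Counter()
    for e in parse_log(text):
        _, hit = resolve(e["qname"])
        if not hit or e["client"] in seen:
            continue
        seen.add(e["client"])
        counts[e["country"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for country, n in sorted(infected_by_country(SINKHOLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{country}: {n} infected device(s) seen at the sinkhole")
```

On the constructed log the summary reports UA: 2, DE: 1, US: 1; the client that queried the unrelated vendor domain is not counted, and the mixed-case, trailing-dot query is matched after normalization. In a real deployment the geolocation would come from the connecting IP rather than from a field in the log, and the same sinkhole server is the point from which remediation messages or cleanup instructions reach the infected devices.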

See Related: Incident Of The Week: Hackers Tap Into Mexican Banks, Lift $15M

Assistant Attorney General for National Security, John Demers, said in a statement that the operation would allow the disruption of the botnet, which Sofacy could otherwise have used to inflict damage on victimized networks. (This includes cyber espionage as well as reconnaissance, data theft and dangerous outages, disruptions and attacks.)

Cisco first noted this device accumulation in a report on Wednesday. The company mentioned that Linksys, MikroTik, Netgear Inc., TP-Link and QNAP devices were targeted, Reuters notes.

The malware strains appeared to have their largest concentration in Ukraine, which ultimately blamed Russia for the malicious activity. Cisco also shared details of this horde with the U.S. and Ukrainian governments. The latter nation has repeatedly fallen under cyber-attack, believed to be for geopolitical reasons. Russia has denied involvement in global hacking campaigns.


Inside a Botnet

Recently, researchers offered a thorough look at botnets and their profitability. C.G.J. Putman, of the University of Twente in the Netherlands, said that the task of constructing a botnet is “highly specialized.” One capable of inflicting damage at the national or international level requires a team of experts, perhaps hundreds, according to the work, relayed by the MIT Technology Review. The researchers believe that it could take around two years to plan and execute.

“Botmasters” must spread the malware, ensure its propagation and re-infect patched devices. Putman estimates that a botnet linked to 10 million devices could cost around $16 million.

In terms of return on investment (ROI), however, the researchers said that distributed denial of service (DDoS) attacks with 30,000 bots could generate $26,000 per month. Spam advertising utilizing 10,000 devices could yield $300,000 per month. Bank fraud linked to about 30,000 bots, however, can produce upwards of $18 million per month. Click fraud could deliver similar, if not higher, figures.

Suffice it to say that botnets can inflict lasting damage on a network, a group of networks, or nations. While they certainly require upkeep, the profit margins can be enticing to today’s threat actors. The recent, Ukraine-focused botnet also goes to show that political gain may be a prime motivator, alongside revenue streams that fund other illicit activity on the Dark Web.

Be Sure To Check Out: Incident Of The Week: 15K Accounts Breached At U.K. Credit Union