Google disrupts Russian botnet, files lawsuit against the operators

Google LLC today revealed it has disrupted the operations of a large Russian botnet and filed a lawsuit against the operators of the network.

The Glupteba botnet and its related malware have been active since 2014 and have grown to an estimated one million infected Windows devices. The botnet is notorious for stealing user credentials and data, mining cryptocurrency on infected hosts, and setting up proxies that funnel other people's internet traffic through compromised machines and routers.

Working with industry partners, Google decided to take what it describes as “technical action” against the botnet. Researchers from Google’s Threat Analysis Group identified multiple online services offered by the individuals operating the Glupteba botnet. Those services included selling access to virtual machines loaded with stolen credentials, proxy access and credit card numbers.

The initial action against the botnet focused on Google's own services. Google TAG, along with Google's CyberCrime Investigation Group, terminated about 63 million Google Docs observed to have distributed Glupteba, along with 1,183 Google accounts, 908 cloud projects and 870 Google Ads accounts associated with its distribution.

Google then teamed up with internet infrastructure and hosting providers such as Cloudflare Inc. to disrupt Glupteba’s operation by taking down servers and placing interstitial warning pages in front of the malicious domain names.

In parallel with the technical action, Google also filed a lawsuit Dec. 2 in the Southern District of New York against Dimitry Starovikov, Alexander Filippov and Does 1 through 15 for operating the Glupteba botnet and its various criminal schemes. The lawsuit alleges violations of the Racketeer Influenced and Corrupt Organizations Act, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Lanham Act, as well as tortious interference with business relationships and unjust enrichment.

Although Google's action against the Glupteba botnet is positive, the company, along with others such as Microsoft Corp. that target criminal enterprises like this one, is playing "Whac-A-Mole." They may disrupt an outfit, but it then returns or others take its place. In the case of Glupteba, Google admits that the disruption may only be temporary.

“Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cybercrime organizations,” Google Vice President of Security Royal Hansen and General Counsel Halimah DeLaine Prado explained in a blog post. “The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down.”
