Alphabet Inc.’s Google is suing two Russian nationals it claims are part of a criminal enterprise that has silently infiltrated more than a million computers and devices around the world, creating “a modern technological and borderless incarnation of organized crime.”
In a complaint being unsealed Tuesday in the U.S. District Court for the Southern District of New York, Google names two defendants, Dmitry Starovikov and Alexander Filippov, as well as 15 unnamed individuals. Google claims the defendants have created a “botnet” known as Glupteba, to use for illicit purposes, including the theft and unauthorized use of Google users’ login and account information.
A botnet is a network of internet-connected devices that have been infected with malware. When summoned together, they can do the bidding of a hacker, often without the devices' owners realizing their machines have been hijacked. A swarm of devices can flood websites with traffic until they become unreachable, run malware that steals login credentials, serve as infrastructure for selling stolen credit card data online and grant unauthorized access to other cyber criminals.
The Glupteba botnet stands out from others because of its “technical sophistication,” using blockchain technology to protect itself from disruption, Google said in the complaint. At any moment, the power of the Glupteba botnet could be used in a ransomware attack or distributed denial of service attack, Google said.
Chainalysis Inc., a blockchain forensic analysis firm, said its products and services were used to investigate the botnet.
Whenever one of Glupteba's command-and-control servers, which the operators use to manage compromised machines, is shut down, infected machines can scan the blockchain to find the domain address of a replacement command-and-control server, according to a Chainalysis statement.
"This tactic makes the Glupteba botnet extremely difficult to disrupt through conventional cybersecurity techniques," which are focused on disabling command-and-control server domains, according to Chainalysis. "This is the first known case of a botnet using this approach."
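To make the mechanism Chainalysis describes concrete, the following is an added example written for this article, not code from Google, Chainalysis or the Glupteba operators. It models the publicly documented pattern in which an update is published as a Bitcoin transaction whose OP_RETURN output carries the new domain: a bot walks the transactions of a watched address, decodes each OP_RETURN payload and keeps the newest one that looks like a hostname. The transactions, the domain names (`old-c2.example`, `new-c2.example`) and the plain-text encoding of the domain are all constructed assumptions for illustration; the article does not say how the real payload is encoded, and the parser handles legacy (non-segwit) transaction serialization only.

```python
import re
import struct

# Minimal legacy Bitcoin transaction (de)serialization helpers.

def read_varint(buf, pos):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def encode_varint(n):
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xFD" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xFE" + struct.pack("<I", n)
    return b"\xFF" + struct.pack("<Q", n)


def op_return_script(payload):
    """Build an OP_RETURN (0x6a) output script pushing `payload` (up to 255 bytes)."""
    if len(payload) <= 0x4B:
        push = bytes([len(payload)])            # direct push opcode
    elif len(payload) <= 0xFF:
        push = b"\x4C" + bytes([len(payload)])  # OP_PUSHDATA1
    else:
        raise ValueError("payload too large for this helper")
    return b"\x6A" + push + payload


def build_tx(outputs):
    """Serialize a legacy tx with one placeholder input and the given (value, script) outputs."""
    tx = struct.pack("<I", 1) + encode_varint(1)
    tx += b"\x00" * 32 + struct.pack("<I", 0) + encode_varint(0) + struct.pack("<I", 0xFFFFFFFF)
    tx += encode_varint(len(outputs))
    for value, script in outputs:
        tx += struct.pack("<q", value) + encode_varint(len(script)) + script
    return tx + struct.pack("<I", 0)  # locktime


def parse_outputs(raw):
    """Return [(value, scriptPubKey)] from a serialized legacy transaction."""
    if raw[4] == 0x00 and raw[5] == 0x01:
        raise NotImplementedError("segwit marker present; this parser handles legacy txs only")
    pos = 4
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 36                        # prev txid (32) + output index (4)
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4            # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payloads(raw):
    """Extract the data pushed after OP_RETURN in every OP_RETURN output of the tx."""
    payloads = []
    for _, script in parse_outputs(raw):
        if len(script) < 2 or script[0] != 0x6A:
            continue
        op = script[1]
        if op <= 0x4B:
            payloads.append(script[2:2 + op])
        elif op == 0x4C and len(script) >= 3:
            payloads.append(script[3:3 + script[2]])
    return payloads


# Assumed plain-text encoding: payload is an ASCII hostname. The real scheme is not given here.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def decode_domain(payload):
    try:
        text = payload.decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    return text if HOSTNAME_RE.match(text) else None


def latest_c2_domain(raw_txs):
    """Walk transactions oldest-first and return the most recent hostname found in OP_RETURN."""
    domain = None
    for raw in raw_txs:
        for payload in op_return_payloads(raw):
            found = decode_domain(payload)
            if found:
                domain = found
    return domain


# Constructed sample chain data: an older update, then a newer one alongside a normal P2PKH output.
SAMPLE_TXS = [
    build_tx([(0, op_return_script(b"old-c2.example"))]),
    build_tx([(546, b"\x76\xA9\x14" + b"\x11" * 20 + b"\x88\xAC"),
              (0, op_return_script(b"new-c2.example"))]),
]

if __name__ == "__main__":
    print(latest_c2_domain(SAMPLE_TXS))
```

The defensive point follows from the same code: because the rendezvous data lives in a public ledger, anyone can run the same walk. Monitoring the watched address for new OP_RETURN payloads gives defenders the replacement domain at the same moment the bots get it, which is the basis for blocking it rather than chasing the server after the fact.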
It’s also the first time that Google is going after a botnet, a spokesperson for the Mountain View, California-based company said in an email. “We are taking this action to further protect internet users and to send a message to cyber criminals that we will not tolerate this type of activity.”
The spokesperson said the company worked with the U.S. Department of Justice on the investigation. The Department of Justice declined to comment. Starovikov and Filippov couldn’t immediately be located for comment.
The tech giant brought the action to court to "create a legal liability for the cyber criminals" and to bring "to light their identities and the infrastructure they are using," the spokesperson said.
Google said Starovikov and Filippov were connected to Glupteba by the servers used to set up their Gmail addresses.
“Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers,” Google’s General Counsel Halimah DeLaine Prado and Google Vice President of Engineering Royal Hansen wrote in a blog post.
In June 2020, security firm Sophos published a report on the Glupteba malware, noting it “was able to continuously thwart efforts at removing it from an infected machine,” researcher Luca Nagy wrote at the time. “Glupteba also takes a variety of approaches to lay low and avoid being noticed.”
Google said it was bringing the action under the Racketeer Influenced and Corrupt Organizations Act, known as RICO, as well as the Computer Fraud and Abuse Act, Electronic Communications Privacy Act and others, to disrupt the botnet, prevent it from causing further harm, and to recover damages.
Some of the most notorious cybercriminal gangs have ties to Russia, which has been accused of providing them with safe haven. The Kremlin has repeatedly denied responsibility for any hacking attacks.