<strong>DOJ: Russian RSOCKS botnet disrupted in international operation</strong>
Andrea Peterson June 17, 2022

The Department of Justice announced Thursday that the U.S. and international law enforcement partners in the United Kingdom, Germany, and the Netherlands disrupted a major botnet operated by Russian cybercriminals that hijacked millions of computers, phones, and Internet of Things devices. 

The botnet, RSOCKS, advertised itself as a proxy service — a company that lets you route traffic through other locations. But instead of gaining access to IP addresses through legal means, such as leasing them from local Internet Service Providers, the company allowed customers to route traffic through compromised devices, according to the DOJ.

“The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies,” the agency said in a press release.

Proxy services can be used for legitimate purposes, but may also be leveraged in credential stuffing attacks or to help mask the identity of someone engaging in malicious behavior online. 

The RSOCKS infrastructure disruption followed an investigation that began after an undercover purchase in 2017. The DOJ said it “identified approximately 325,000 compromised victim devices” in that first sweep.

“Several large public and private entities have been victims of the RSOCKS botnet, including a university, a hotel, a television studio, and an electronics manufacturer, as well as home businesses and individuals,” according to the agency press release. 

Although the botnet was dismantled, no arrests were announced. 

In April, the U.S. announced it had disrupted a major botnet operated by the GRU Russian military intelligence hacker team known as Sandworm.

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.