
US seizes domains and infrastructure used in sprawling botnet campaigns

Law enforcement agencies in the U.S., Germany and Canada coordinated on a disruption operation designed to seize infrastructure used by four large botnets.

The Justice Department said on Thursday evening that the Aisuru, KimWolf, JackSkid and Mossad botnets were used to target victims with distributed denial-of-service (DDoS) attacks that overloaded websites and made them unreachable. 

The four botnets were composed of about three million compromised devices around the world, many of which are Internet of Things (IoT) devices like cameras, routers and video recorders. Court documents said there were hundreds of thousands of devices compromised in the U.S. The KimWolf and JackSkid botnets were known to also target devices that were behind firewalls. 

The operators behind the botnets sold access to the devices to cybercriminals, who used them to either launch DDoS attacks or mask other criminal activity. 

The DOJ said victims of the DDoS attacks lost hundreds of thousands of dollars through remediation expenses or ransom demands from hackers who would only stop overloading websites for a price. 

Multiple U.S.-registered internet domains, virtual servers and other infrastructure were seized through warrants executed by the Department of Defense Office of Inspector General. The Department of Defense Information Network (DoDIN) had IP addresses that were targeted by DDoS attacks launched through the botnets. 

The Aisuru botnet “issued more than 200,000 DDoS attack commands, the Kimwolf botnet issued more than 25,000 DDoS attack commands, the JackSkid botnet launched more than 90,000 DDoS attack commands and the Mossad botnet launched more than 1,000 DDoS attack commands,” according to prosecutors. 

Companies like Cloudflare have warned for years about Aisuru and Kimwolf, writing in recent months that the botnets had more than 1 million devices at their disposal and could launch DDoS attacks that could “cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations.”

Earlier this year, cybersecurity journalist Brian Krebs identified at least one alleged operator behind the botnets living in Canada. 

The Justice Department did not say if any arrests were made in conjunction with the infrastructure takedown. In addition to Canadian and German law enforcement agencies, the DOJ said dozens of tech companies were involved in the operation.

In a blog post, Amazon vice president Tom Scholl said the company helped the FBI and Defense Department identify the botnet's command-and-control infrastructure and reverse engineered the malware to understand its operations.

Scholl said Kimwolf was a novel botnet because it targeted residential proxy networks, infiltrating home networks through compromised devices — including streaming TV boxes and other IoT devices. 

The botnet “gained access to local networks that are typically protected from external threats by home routers.” 

“This technique allowed the operators to compromise millions of devices globally, growing to over 2 million infected devices. The Jackskid botnet would later use this same technique to increase its scale as well,” he said. 

Law enforcement agencies continue to target botnets with infrastructure seizure operations and arrests due to how frequently they are used by cybercriminals and nation-states to amplify attacks, mask activity and more. Botnets like QakBot, 911 S5, IPStorm, KV, DanaBot, Anyproxy, 5socks and others have faced law enforcement scrutiny since 2021.

Last week, the U.S. partnered with Europol to take down a cybercriminal platform that offered access to the AVRecon botnet, which was made up of thousands of residential routers.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.