Google files lawsuit against Russian hackers as part of disrupting botnet

Google on Tuesday announced it is pursuing litigation to disrupt a botnet run by operators based out of Russia, among other steps meant to crack down on the group.

As part of the effort, Google filed a lawsuit in the Southern District of New York on Tuesday against two Russian nationals, Dmitry Starovikov and Alexander Filippov, and more than a dozen other unnamed individuals for allegedly creating and running the “Glupteba” botnet. Google also worked with industry partners to disrupt infrastructure used by the group which means the individuals behind the botnet currently do not have control over it. 

“Due to Glupteba’s sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity, we have also decided to take legal action against its operators, which we believe will make it harder for them to take advantage of unsuspecting users,” Royal Hansen, the vice president of Security at Google, and Google General Counsel Halimah DeLaine Prado wrote in a blog post announcing the disruption efforts. 

The botnet, which is a network of different devices that are being controlled by a group or individual, has been used to infect around one millions Windows devices worldwide, with thousands of new devices compromised every day. 

The Glupteba botnet has been used to steal user data, mine cryptocurrency, and funnel internet traffic through malicious routers, and was observed by Google Threat Analysis Group to be targeting victims in the United States, India, Brazil, Southeast Asia and elsewhere.  

The two Russian individuals were described in the court filing by Google as “Russian cybercriminals who have silently infiltrated more than a million computers and other devices around the globe” as part of creating the Glupteba botnet.

“Defendants use the Glupteba botnet to further a range of cybercrimes and to conceal criminal conduct,” the court filing reads. 

The Glupteba botnet typically uses blockchain technology to protect itself, making it harder to target. Google’s Threat Analysis Group worked over the past year to disrupt the botnet through taking down around 63 million Google Docs, over 1,100 Google Accounts, over 900 Cloud Projects, and 870 Google Ads accounts that were helping to distribute the botnet. Around 3.5 million Google users were also warned by Google against downloading a malicious file connected to the botnet. 

In recent days, a further 130 Google accounts associated with the botnet were taken down, and Google worked with internet providers to take down servers used by Glupteba. 

“While these actions may not completely stop Glupteba, TAG estimates that combined efforts will materially affect the actor’s ability to conduct future operations,” TAG’s Shane Huntley and Luca Nagy wrote in a separate blog post on the effort. 

The disruption comes the day after Microsoft announced that it had taken control of websites used by a Chinese hacking group known as “Nickel” following the unsealing of a decision by the Eastern Court of Virginia allowing Microsoft to take action. Microsoft had observed the hacking group targeting organizations in the United States and almost 30 other countries, with a particular focus on human rights groups, government agencies, and think tanks. 

Prior to the disruption, Microsoft had disrupted hacking groups in Russia, North Korea, and Iran in recent years, including taking control of “Trickbot” to disrupt ransomware attacks prior to the 2020 U.S. elections.