A Russian hacking group made clever use of bitcoin to prevent law enforcement bodies from impeding its operations, Google has alleged.
In a civil case filed on December 2 in New York, Google charged two named Russian citizens, Dmitry Starovikov and Alexander Filippov, plus fifteen unnamed defendants with racketeering, computer fraud, abuse of privacy and breaches of New York law.
The defendants, said Google, controlled a sophisticated network of more than a million hacked and remotely controlled devices, called a ‘botnet’.
This botnet, named ‘Glupteba’ by the inventors of the malware used to hack the victims’ devices, targeted computers using the Windows operating system.
Information security researchers say Glupteba was first discovered in 2014 and is distinguished by its sophistication in controlling remote computers without their owners’ knowledge.
According to Google, the Glupteba hackers stole personal account information from Google clients, defrauded Google using faulty credit card information, placed disruptive ads, sold account access to other cybercriminals, conducted ransomware attacks and mined cryptocurrency without the victims being aware.
Google said that Glupteba made innovative use of bitcoin’s transaction record (known as a blockchain) to allow it to continue its nefarious activities unimpeded.
Because of the global computing power used to secure the bitcoin network—currently around 170 exahashes per second—its history of transactions is near-impossible to alter.
Glupteba made innovative use of bitcoin’s blockchain to allow it to continue its nefarious activities unimpeded
In a conventional botnet, Google said in its filing, infected devices are programmed to look for pre-determined internet addresses that point to the hackers’ command-and-control server. This server can then instruct the devices in the botnet to perform disruptive and criminal tasks.
The instructions to locate those domains are hard-coded in the malware used to hack computers, Google said, and if the pre-determined domains are shut down by law enforcement bodies, the infected devices can no longer be operated by the botnet controller.
However, in the Glupteba botnet, Google said, the domain names used to run the hacked computers were refreshed by querying the bitcoin blockchain.
“The Glupteba malware is hard-coded to ‘search’ the public bitcoin blockchain for transactions involving three specific bitcoin addresses that are controlled by the Glupteba Enterprise,” Google said in its lawsuit.
“From time to time, the Glupteba Enterprise executes transactions in those addresses, and as part of those transactions, the Glupteba Enterprise leaves in the blockchain the location of the domain for a backup command-and-control server,” Google said.
“The Glupteba Enterprise provides the command-and-control server information in an encrypted code in a transaction-specific message field on the bitcoin blockchain,” the tech firm went on.
The net effect, said Google, is that whenever a command-and-control server was taken offline by those seeking to impede the hackers, the Glupteba malware could easily switch to a new server by means of the instructions that are publicly visible within bitcoin’s transaction record.
“The Glupteba botnet cannot be eradicated entirely without neutralizing its blockchain-based infrastructure”
“The Glupteba Enterprise’s use of blockchain technology to reinforce its command-and-control servers means the Glupteba botnet is particularly difficult to disrupt,” Google said.
And as long as bitcoin exists, this form of remote control of botnets cannot be stopped, Google went on.
“The Glupteba botnet cannot be eradicated entirely without neutralizing its blockchain-based infrastructure,” the tech giant said.
According to the lawsuit, Glupteba has sold Google users’ account information to third parties, enabling them to buy advertisements and launch fraudulent ad campaigns, all without the true account owners’ knowledge or authorisation.
One of the websites used by Glupteba to sell access to hacked computers, called ‘Don’t.farm’, even provides a manual instructing its users how to exploit accounts while minimising the risk of discovery by the account owner or by Google, the tech firm said.
For example, Don’t.farm told its clients not to increase advertising budgets by more than 30 percent at once, and that any domains used for advertisements should be at least two weeks old, if not significantly older.
In its lawsuit, Google is seeking injunctive relief and damages, including the disgorgement by Glupteba of its past profits.
Sign up here for the New Money Review newsletter
Click here for a full list of episodes of the New Money Review podcast: the future of money in 30 minutes
Related content from New Money Review