In a lawsuit that was unsealed in the US District Court for the Southern District of New York on Tuesday, Google named two defendants, Dmitry Starovikov and Alexander Filippov, and 15 unnamed people.

Alphabet Inc.’s Google is suing two Russian citizens who are allegedly part of a criminal enterprise that has secretly infiltrated more than a million computers and devices around the world and created “a modern technological and limitless incarnation of organized crime.”

Google claims the defendants created a “botnet” called Glupteba to use for illegal purposes, including the theft and unauthorized use of Google users’ login and account information.

A botnet is a network of Internet-connected devices that have been infected with malware. When directed together, they can do a hacker’s bidding, with device owners often not realizing that their machines have been hijacked. A swarm of devices can block website traffic, run malware to steal credentials, sell fraudulent credit cards online, and give unauthorized access to other cyber criminals.

The Glupteba botnet stands out for its “technical sophistication,” using blockchain technology to protect itself from disruption, Google said in the complaint. The power of the Glupteba botnet could be used at any time for a ransomware attack or a distributed denial-of-service attack, Google said.

Chainalysis Inc., a blockchain forensic analysis company, said its products and services were used to investigate the botnet.

Whenever one of Glupteba’s command-and-control servers, which hackers use to manage compromised networks, is shut down, the botnet could scan the blockchain to find a new command-and-control server domain address, Chainalysis said.

“This tactic makes it extremely difficult to disrupt the Glupteba botnet using conventional cybersecurity techniques,” which are geared towards disabling command-and-control server domains, Chainalysis said. “This is the first known case of a botnet using this approach.”

It’s also the first time Google has tracked a botnet, a spokesman for the Mountain View, California-based company said in an email. “We are taking these measures to further protect internet users and to send a message to cyber criminals that we will not tolerate this type of activity.”

The spokesman said the company was working with the US Department of Justice on the investigation. The Justice Department declined to comment. Starovikov and Filippov could not be immediately located for comment.

The tech giant filed the lawsuit in court to “create legal liability for the cybercriminals,” the spokesman said, and to “bring to light their identities and the infrastructure they use.”

Google said Starovikov and Filippov were connected to Glupteba through the servers used to set up their Gmail addresses.

“Glupteba is notorious for stealing user credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to route other people’s Internet traffic through infected machines and routers,” wrote Google’s General Counsel Halimah DeLaine Prado and Google Vice President of Engineering Royal Hansen in a blog post.

In June 2020, the security firm Sophos published a report on the Glupteba malware and found that it “could continually thwart efforts to remove it from an infected computer,” wrote researcher Luca Nagy at the time. “Glupteba also pursues different approaches to hold back and not be noticed.”

Google said it was bringing the lawsuit under the Racketeer Influenced and Corrupt Organizations Act, known as RICO, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and others, to disrupt the botnet, prevent further harm and recover damages.

Some of the most notorious cyber criminals have ties with Russia, which is accused of providing a safe haven for them. The Kremlin has repeatedly denied responsibility for hacker attacks.