The Washington PostDemocracy Dies in Darkness

Google disrupted a massive botnet that hackers used to steal information and mine cryptocurrency

Tech giants are increasingly going after hackers, a role previously reserved for law enforcement agencies

(Jeff Chiu/AP)

Google is suing two Russia-based individuals it alleges are behind a massive network of infected computers that have been used for crimes ranging from the theft of personal information to secretly mining bitcoin on the computers of unsuspecting hacking victims.

The company also worked with Internet infrastructure companies to take down servers used by hackers to control the network, effectively rendering the “botnet” of infected devices unable to receive new commands from their controllers, at least temporarily.

The move comes a day after Microsoft said it had taken down websites associated with what it believed was a China-based hacking group that stole personal information. Companies such as Microsoft and Google, which see huge swaths of the Internet pass through their systems each day, are increasingly investigating and trying to disrupt hackers, a practice that in the past has mostly been the domain of government law enforcement agencies.

The Glupteba botnet that Google targeted has been tracked by law enforcement and computer security experts for years. It works by tricking users into downloading malware onto their computers by masquerading as other kinds of software on dodgy free-download sites. Once on a computer, the malware hides itself and tries to spread to any connected devices, according to a 2020 report on Glupteba by cybersecurity firm SophosLabs.

Report says Russian hackers haven't eased spying efforts

Google found that Glupteba has infected about a million Microsoft Windows devices worldwide, which would put it among the largest botnets analyzed by security experts. In a complaint filed in federal court in New York on Tuesday, Google detailed several different crimes it alleges hackers use the botnet to perpetuate, including stealing and selling log-in information for Google accounts, and selling access to captured devices to other criminals who want to hide their Internet activity.

The hackers used Google’s own services to distribute the malware. Google took down approximately 63 million Google Docs, more than 1,000 Google accounts and over 900 Google Cloud projects that were being used to spread Glupteba, the company said.

“We don’t just plug security holes, we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet,” Google general counsel Halimah DeLaine Prado and Royal Hansen, vice president of engineering, said in a blog post Tuesday.

The company warned, however, that Glupteba could return to operation soon, because the hackers who designed it have incorporated a fail-safe mechanism that uses the bitcoin blockchain to issue commands. When communication between the botnet and its hacker controllers is cut off, the network will automatically look for messages telling it how to reconnect that are posted by the hackers on the publicly accessible list of bitcoin transactions.

Pegasus spyware used to hack U.S. diplomats working abroad

“This action will have a significant impact on Glupteba’s operations,” Shane Huntley, the director of Google’s Threat Analysis Group, said in a separate blog post. “However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.”

Google’s lawsuit names two people — Dmitry Starovikov and Alexander Filippov — who it alleges are among the leaders who control the Glupteba network. Both men set up Google email accounts on the same IP address used by a server that sent commands to the botnet, Google said in its court filing. The company also alleges it tied Starovikov’s and Filippov’s Google accounts to some of the websites selling stolen access to the computers on the botnet.

The details in the lawsuit show how Google can leverage the fact that most people who use the Internet interact with its services to track down people it believes are breaking its terms of service or committing crimes.

Google also alleged that Filippov and some of the websites that it linked to the botnet list their business address as being in the Russian Federation Tower, a high-end skyscraper complex in Moscow. On Monday, the New York Times reported that cybercrime investigators have traced other kinds of criminal hacking organizations to the same address.

Joseph Marks contributed to this report.