Russian cyber criminal pleads guilty to running IPStorm botnet
Sergey Manikin faces years in jail after his illicit proxy botnet service was taken down by US law enforcement
Sergey Manikin, a joint Moldovan-Russian national who ran a botnet proxy network known as IPStorm that compromised computer systems all over the world, has pleaded guilty to three counts of computer fraud under US law, specifically knowingly causing the transmission of a program that intentionally caused damage, without authorisation, to protected computers.
IPStorm, which has now been dismantled by the FBI and partners from the Dominican Republic and Spain, victimised systems by co-opting them into a botnet that ran them as proxies for people seeking to mask their internet activity.
Manikin sold illegitimate access to his botnet through two websites, charging hundreds of dollars a month to route traffic across thousands of infected machines. He boasted of over 23,000 anonymous users, and has admitted he made more than $500,000 from his customers.
“This investigation shows that we will use every lawful tool at our disposal to disrupt cybercriminals, regardless of their location,” said US attorney Stephen Muldrow. “This case serves as a warning that the reach of the law is long, and criminals anywhere who use computers to commit crimes may end up facing the consequences of their actions in places they did not anticipate.”
“It is no secret that in present times, much criminal activity is conducted or enabled through cybernetic means. Cyber criminals seek to remain anonymous and derive a sense of security because they hide behind keyboards, often thousands of miles away from their victims,” said Joseph González, special agent in charge of the FBI’s Field Office in San Juan, Puerto Rico.
“The FBI’s cyber mission has been to impose risk and consequences on our adversaries, ensuring cyberspace is no safe space for criminal activity. This case is one example of how we are doing just that, and I’d like to thank the DOJ’s Computer Crime and Intellectual Property Section, the US Attorney’s Office for the District of Puerto Rico, and the FBI San Juan Cyber Team for their meticulous and relentless work in this case.”
The users of IPStorm themselves were not targeted in the law enforcement investigation, the scope of which was limited to disabling Manikin’s malicious infrastructure.
IPStorm – or Interplanetary Storm – first came to attention in the spring of 2019, when researchers found a new malware strain written in Go targeting Windows, and later Linux, that abused the legitimate peer-to-peer Interplanetary File System (IPFS) network to obscure its traffic and make it harder to detect.
It most likely arrived on victims’ devices via secure shell (SSH) brute force attacks. Once a device was infected, the malware essentially squatted on IPFS and exploited it to receive and execute arbitrary PowerShell commands from the botnet controller.
In theory, this meant Manikin could have caused far more damage than he did, for example by selling access to cyber criminal gangs, but in practice IPStorm’s activity seems to have been limited to anonymised browsing services.
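The SSH brute force initial access described above leaves a recognisable trace in OpenSSH authentication logs: a burst of failed passwords from one source, often across several usernames, sometimes followed by an accepted login from the same address. The script below is an added example, not code from the article, from Bitdefender or from the law enforcement operation; it runs over a small constructed auth.log excerpt (the hostnames, addresses and timestamps are invented) and the function name `analyse_ssh_log` is my own. It flags a source once its failures within a sliding window reach a threshold, and separately records whether a successful login followed that burst, which is the case worth treating as a probable compromise rather than mere noise.

```python
"""Flag SSH brute-force bursts, and logins that follow them, in OpenSSH logs.

Added example (not the article's or any vendor's code). Input is classic
syslog-format sshd output, which carries no year, so a year is assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" and "Accepted password" lines. Group 1 is the
# syslog timestamp, group 2 the username, group 3 the source IP address.
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)
OK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted password for "
    r"(\S+) from (\S+) port \d+"
)

# Constructed sample: one fast brute force that succeeds (203.0.113.5), one
# user who mistyped a password once (198.51.100.7), and one slow attacker
# spacing attempts ten minutes apart (203.0.113.9).
SAMPLE_LOG = """\
Mar 12 03:14:01 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar 12 03:14:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar 12 03:14:05 host1 sshd[2205]: Failed password for root from 203.0.113.5 port 51138 ssh2
Mar 12 03:14:07 host1 sshd[2207]: Failed password for invalid user pi from 203.0.113.5 port 51144 ssh2
Mar 12 03:14:09 host1 sshd[2209]: Failed password for root from 203.0.113.5 port 51150 ssh2
Mar 12 03:14:11 host1 sshd[2211]: Failed password for invalid user ubuntu from 203.0.113.5 port 51158 ssh2
Mar 12 03:14:13 host1 sshd[2213]: Accepted password for root from 203.0.113.5 port 51162 ssh2
Mar 12 08:00:10 host1 sshd[3301]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar 12 08:00:25 host1 sshd[3303]: Accepted password for alice from 198.51.100.7 port 40013 ssh2
Mar 12 09:00:00 host1 sshd[4401]: Failed password for root from 203.0.113.9 port 60001 ssh2
Mar 12 09:10:00 host1 sshd[4402]: Failed password for root from 203.0.113.9 port 60002 ssh2
Mar 12 09:20:00 host1 sshd[4403]: Failed password for root from 203.0.113.9 port 60003 ssh2
Mar 12 09:30:00 host1 sshd[4404]: Failed password for root from 203.0.113.9 port 60004 ssh2
Mar 12 09:40:00 host1 sshd[4405]: Failed password for root from 203.0.113.9 port 60005 ssh2
"""


def parse_ts(stamp, year):
    """Turn a yearless syslog timestamp into a datetime (year is assumed)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def analyse_ssh_log(log_text, threshold=5, window_seconds=60, year=2023):
    """Return {ip: summary} for sources whose failures in any window reach threshold.

    summary = {"peak_failures": max failures seen inside one window,
               "usernames_tried": sorted usernames that failed,
               "login_after_burst": user accepted while the burst was at or
                                    above threshold, else None}
    """
    events = defaultdict(list)  # ip -> [(timestamp, kind, username)]
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            events[m.group(3)].append((parse_ts(m.group(1), year), "fail", m.group(2)))
            continue
        m = OK_RE.match(line)
        if m:
            events[m.group(3)].append((parse_ts(m.group(1), year), "ok", m.group(2)))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        recent = deque()          # failure timestamps inside the current window
        peak, users, login_after_burst = 0, set(), None
        for ts, kind, user in evs:
            # Drop failures that have aged out of the window.
            while recent and (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if kind == "fail":
                recent.append(ts)
                users.add(user)
                peak = max(peak, len(recent))
            elif len(recent) >= threshold:
                # A success while a burst is in progress: likely compromise.
                login_after_burst = user
        if peak >= threshold:
            alerts[ip] = {
                "peak_failures": peak,
                "usernames_tried": sorted(users),
                "login_after_burst": login_after_burst,
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in analyse_ssh_log(SAMPLE_LOG).items():
        print(ip, summary)
```

With the defaults only 203.0.113.5 is reported, with a login by root recorded after six failures in twelve seconds; the single mistyped password from 198.51.100.7 is ignored. The slow attacker at 203.0.113.9 stays under the radar until the window is widened (for example to an hour), which is the usual trade-off when tuning such a rule: a short window keeps false positives low but misses low-and-slow guessing, so in practice this check is paired with disabling password authentication on internet-facing SSH altogether.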
Alexandru Catalin Cosoi, senior director of Bitdefender’s investigation and forensics unit, which first started tracking IPStorm in 2020, was among a number of private sector cyber researchers to have provided support to the law enforcement operation against Manikin.
“The Interplanetary Storm botnet was complex and used to power various cyber criminal activities by renting it as a proxy as a service system over infected IoT devices,” said Cosoi.
“Our initial research back in 2020 uncovered valuable clues to the culprit behind its operation, and we are extremely pleased it helped lead to arrests. This investigation is another primary example of law enforcement and the private cyber security sector working together to shut down illegal online activities and bring those responsible to justice.”
Read more about botnets
- A multinational law enforcement hacking operation disrupted the botnet infrastructure used to distribute the Qakbot trojan at the weekend, in a major setback for the cyber criminal underworld.
- A coordinated DDoS attack orchestrated through the Zhadnost botnet hit Finland at the same time as Ukrainian president Volodymyr Zelensky delivered a virtual address to the Finnish parliament.
- An FBI operation copied and removed Cyclops Blink's malware from victims' systems that were used as command and control devices, severing Sandworm's control of the botnet.