Google, Microsoft: Internet Whac-a-Mole vs. Cybercriminals

Can Google and Microsoft take down criminal Internet servers faster than hackers launch them? The answer to that question resembles the classic carnival game Whac-a-Mole, And on certain days, Google and Microsoft can declare victory.

One recent victory involved Microsoft disrupting an alleged hacking group called Nickel. A this week, Google disclosed an apparent victory over a botnet called Glupteba, SC Media noted.

In Google's case, the Internet search and cloud computing giant took steps to disrupt the operations of a blockchain-enabled, “multi-component” botnet. That Glupteba botnet has commandeered about one million Windows devices worldwide and expanded its reach by thousands of new infections daily.

The Glupteba gang leverages infected devices to engage in a long list of criminal activities, including stolen accounts, credit card fraud, disruptive online ads, proxy schemes and crypto hijacking. The botnet is operating worldwide, hitting targets in the U.S., Brazil, India and Southeast Asia.

Google's Offensive vs. Glupteba

Over the past year, Google’s Threat Analysis Groip (TAG) and CyberCrime Investigation Group have shut down roughly:

  • 63 million Google Docs tied to Glupteba; and
  • 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with its distribution.

Moreover, roughly 3.5 million users have been warned before downloading a malicious file, the company said.

As part of a two-pronged offensive to weaken Glupteba’s potency, here’s what Google has undertaken:

  • Collaborated with internet infrastructure providers and hosting providers to take down servers and place warning interstitial pages in front of the malicious domain names. In addition, some 130 Google accounts associated with this operation were terminated. “We have now disrupted key command and control infrastructure so those operating Glupteba should no longer have control of their botnet for now," Google’s Threat Analysis Group (TAG) said.
  • Filed a lawsuit in the Southern District of New York against two Russian individuals, Dmitry Starovikov and Alexander Filippov and 15 unnamed defendants who are believed to have created and run the Glupteba botnet. Google is alleging violations under the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Lanham Act and others. The internet giant believes that it is the first such legal action against a blockchain-enabled botnet and could set a precedent.

Google did not say if its Glupteba-blocking activities involve third-party cyber forensics companies and/or MSSPs.

“Due to Glupteba’s sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity, we have also decided to take legal action against its operators, which we believe will make it harder for them to take advantage of unsuspecting users,” Royal Hansen, Google security vice president, and Google General Counsel Halimah DeLaine Prado wrote in a blog post.

Keeping the Pressure On Botnet Operators: Temporary Victory?

Together the server takedowns and potential legal liability “will have a significant impact on Glupteba's operations,” Google’s TAG said in a separate blog post. Still, TAG said it’s not laboring under any illusions that Glupteba crew will just go away. The decentralized nature of blockchain allows the botnet to recover quickly from disruptions, making it more difficult to shutdown. “The operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain,” TAG said.

In the court filing, Google described the defendants as “Russian cybercriminals who have silently infiltrated more than a million computers and other devices around the globe to create a network—the Glupteba “botnet”—to use for illicit purposes, including the theft and unauthorized use of Google users’ login and account information. Defendants use the Glupteba botnet to further a range of cybercrimes and to conceal criminal conduct.”

Google noted that Glupteba was first seen by cybersecurity experts in 2011 as linked to a spam campaign. By 2020, its reach had widened considerably and the malware was being spread on third-party software download sites, online movie streaming sites and video downloader sites.

Microsoft Counters Nickel Hacking Group

Google’s Glupteba actions come on the heels of Microsoft’s move to seize websites used by an alleged China-based hacking group called Nickel, said to have attacked organizations in nearly 30 countries. A federal court in Virginia granted Microsoft’s request to take over the websites that were allegedly used to launch and maintain intelligence gathering from government agencies, think tanks and human rights organizations.

Earlier this year, international law enforcement and judicial authorities in eight countries collaborated to dismantle the Emotet botnet, widely regarded as the world’s most dangerous and notorious malware operation. Investigators in the U.S., U.K., Canada, France, Germany, Lithuania, the Netherlands and Ukraine, backed by Europol and Eurojust (European Agency for Criminal Justice Cooperation), collaborated to successfully commandeer Emotet’s infrastructure.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.