Google Inc. logo at its UK headquarters in London on June 21, 2016 (Chris Ratcliffe / Bloomberg)
Google is suing two Russia-based individuals believed to be behind a huge network of infected computers used for crimes ranging from stealing personal information to stealthily mining bitcoin on the computers of unsuspecting victims.
The company also worked with Internet infrastructure companies to shut down servers the hackers used to control the network, preventing the “botnet” of infected devices from receiving new commands from its controllers, at least temporarily.
The move comes a day after Microsoft said it had deleted websites associated with a group of hackers allegedly based in China that stole personal information. Companies like Microsoft and Google, which see massive amounts of the Internet running through their systems on a daily basis, are investigating and increasingly trying to disrupt hackers, a practice that in the past has primarily been reserved for state law enforcement agencies.
The Glupteba botnet targeted by Google has been tracked by law enforcement and computer security experts for years. It spreads by tricking users into downloading malware that masquerades as other software on seedy free-download sites. Once on a computer, the malware hides itself and tries to spread to all connected devices, according to a 2020 report on Glupteba by the cybersecurity firm SophosLabs.
Google found that Glupteba had infected approximately one million Microsoft Windows devices worldwide, making it one of the largest botnets analyzed by security experts. In a complaint filed Tuesday in federal court in New York, Google detailed several different crimes the alleged hackers are using the botnet to perpetrate, including stealing and selling Google account credentials and selling access to the infected devices to other criminals who wish to hide their Internet activities.
The hackers used Google’s own services to spread the malware. Google deleted around 63 million Google Docs, 1,000+ Google Accounts, and 900+ Google Cloud projects that were used to spread Glupteba, the company said.
“We’re not just closing security holes, we’re working to eliminate entire classes of threats to consumers and businesses that depend on the Internet for their work,” Halimah DeLaine Prado, general counsel of Google, and Royal Hansen, vice president of engineering, wrote in a blog post Tuesday.
However, the company warned that Glupteba could be back up and running soon, because the hackers who developed it built in a fail-safe mechanism that uses the Bitcoin blockchain to issue commands. When communication between the botnet and its controllers is broken, the infected machines automatically look for messages telling them how to reconnect, which the hackers publish in the publicly available record of Bitcoin transactions.
“This move will have a significant impact on Glupteba’s business,” said Shane Huntley, director of Google’s Threat Analysis Group, in a separate blog post. “However, the operators of Glupteba will likely try to regain control of the botnet by using a backup command and control mechanism that uses data encrypted on the Bitcoin blockchain.”
The Google lawsuit names two people – Dmitry Starovikov and Alexander Filippov – who are alleged to be among the leaders in control of the Glupteba network. Both men set up Google email accounts from the same IP address used by a server sending commands to the botnet, Google said in its court filing. The company also claims to have linked Starovikov and Filippov’s Google accounts to some of the websites that sold the stolen access to the computers on the botnet.
The details in the lawsuit show how Google can leverage the fact that most people who use the Internet interact with its services to track down people it believes are violating its terms of service or committing crimes.
Google also claimed that Filippov and some of the websites linked to the botnet list their business address as the Federation Tower, a high-end skyscraper complex in Moscow. On Monday, the New York Times reported that cybercrime investigators had traced other criminal hacking organizations to the same address.
Joseph Marks of the Washington Post contributed to this report.