The target of the investigation, a botnet known as RSOCKS, has been dismantled as a result, the office said.
Victims that have been confirmed thus far, including at least six in San Diego County, range from large public and private entities — including a university, a hotel, a television studio and an electronics manufacturer — to home businesses and individuals, according to investigators. None were publicly identified.
Authorities did not announce any arrests nor name individual suspects tied to the operation. However, details of the investigation, which began in 2016, are laid out in a search warrant affidavit that was unsealed in San Diego federal court Thursday.
The botnet — a network of infected devices, or "bots," working together, typically for malicious purposes — compromised everything from smart garage door openers to routers to audio/video streaming devices to Android phones to computers. RSOCKS then stole each device's unique internet protocol, or IP, address and offered them to other cyber criminals, who used the identifiers to mask their own nefarious activities, according to investigators.
From RSOCKS online storefronts — which catered to English and Chinese speakers on different websites — cyber criminals could rent access to the stolen proxy IP addresses for days, weeks or months at time. A pool of 2,000 proxies could cost a criminal user $30 a day, or $200 per day for 90,000, the search warrant states.
With their digital footprints now disguised, these criminals then committed a range of cyber attacks — from large-scale attempts to gain access into accounts using stolen usernames and passwords to sending malicious emails to hacking social media accounts, according to investigators.
The true scope of the criminal activity that the botnet unleashed on the world through access to its trove of swiped IP addresses is unknown. Authorities on Thursday did not provide any specific cases of cyber crime tied to RSOCKS.
Undercover FBI agents in 2017 gained access to the RSOCKS system, which at the time was advertising to its customers some 325,000 stolen proxies available worldwide, according to the search warrant. Within weeks, agents identified at least 75,000 unique compromised victim devices, with "numerous" located in San Diego County and other parts of Southern California.
Agents interviewed 12 victims. Two of the victims told investigators their internet service providers had previously reported botnet activity on their IP addresses. Several told agents they noticed performance issues with their devices but couldn't figure out why.
Three victims cooperated with the FBI by allowing agents to replace their compromised devices with law enforcement-controlled computers that could track the botnet. RSOCKS quickly infected all three, investigators said.
Agents were able to determine that RSOCKS used brute-force attacks — a trial-and-error method using automated software to guess at passwords and other user data — to initially gain access to the victim devices. The botnet then maintained persistent connection to the devices.
The web hosting of the storefront itself traced back to an internet service provider based in West Palm Beach, Fla., according to the search warrant. That company's involvement in the investigation was not immediately clear.
The DOJ's investigation was assisted by law enforcement agencies in Germany, the Netherlands, and the United Kingdom, as well as Black Echo, a private sector cybersecurity company, the U.S. Attorney's Office said.
© 2022 The San Diego Union-Tribune. Distributed by Tribune Content Agency, LLC.
