Pandora’s Bot: How Cyber Weapons Can Wreak Havoc

Bottom Line: U.S. cyber defenders know how to take down botnets – networks of computers that have been hacked to act as one – but not how to keep them from coming back, nor necessarily how to determine who is behind them and hold them accountable. These networks under the remote control of hacktivist, criminal or state-sponsored hackers are able to wreak havoc on modern society by enabling theft, espionage, information warfare and disruption at an unprecedented scale.

Background: Botnets spread by scanning networks for computers running software with known vulnerabilities or easily guessable default passwords that can be automatically exploited, or by spamming inboxes with automated social engineering emails to trick protected users into compromising their own security. Once built, botnets are able to siphon off personal, financial or even confidential information, amplify disinformation on social media sites, and disrupt critical services by flooding third party servers with artificial traffic until they get knocked offline.

  • Presently, botnets are one of the most efficient tools for the delivery of malware, alongside worms (an automated mode of propagating throughout a network, recently used in the prominent WannaCry and NotPetya ransomware attacks). They work at network speed, and they muddy attribution to the attackers by disguising their locations behind thousands of commandeered computers belonging to unsuspecting bystanders.
  • The commanding hackers, sometimes referred to as “botmasters,” traditionally oversee their army of bots through centralized command and control servers and send instructions behind the protection of encrypted internet traffic.
  • Botnets are often rented out to other malicious actors for the right price. For example, the Coreflood botnet, which was built around 2002, was initially designed to serve as a tool for distributed denial of service (DDoS) attacks. However, it was later repurposed as a crime-as-a-service product for hackers looking to engage in illegal activity behind the anonymity of thousands of IP addresses around the world. In 2008, Coreflood’s focus shifted again to bank fraud, emptying the accounts of compromised victims whose credentials it had stolen.

Issue: In addition to being used by cyber criminals, botnets have also been employed to steal government secrets and engage in cyber and information warfare. Over the last few years, botnets have been a centerpiece of much of the nefarious state-sponsored cyber activity.

  • Scale, speed and deniability make botnets a useful tool for espionage. An example of this was the GameOver Zeus botnet, an expansive network of between 500,000 and a million compromised computers, allegedly created by Evgeniy Bogachev, a notorious Russian cybercriminal. While Bogachev was draining bank accounts, Russian intelligence officers from the FSB were reportedly provided access to his botnet of infected machines, searching the same computers for sensitive information, including on U.S. arms reportedly being funneled to Syrian rebels from Turkey and top-secret files on Ukraine’s intelligence directorate, the SBU. GameOver Zeus was later disrupted in June 2014 following a multinational law enforcement effort.
  • Botnets have also proven to be useful for disrupting critical internet services. In 2007, Russian hackers using botnets engaged in broad DDoS attacks against targets in Estonia. The blueprint was refined in 2008 when botnet-enabled DDoS attacks hit systems in Georgia in coordination with conventional Russian military movements. The approach was again used in the lead-up to the 2014 annexation of Crimea. Other instances include Iranian state-sponsored hackers flooding the servers of U.S. financial institutions from 2011 to 2013 using Brobot botnets, and North Korea engaging in DDoS attacks using the DeltaCharlie botnet infrastructure.
  • While it is still uncertain whether they were state-sponsored, the Mirai-based DDoS attacks – the largest to date – show the disruptive effects botnets can have on modern communications platforms. The attack hit Domain Name System (DNS) provider Dyn in October 2016, temporarily taking out the internet on the East Coast of the U.S.
  • Botnets are also capable of spreading disinformation and propaganda, such as the Russian influence campaign designed to widen societal chasms in the lead-up to the 2016 U.S. elections. Twitter officials acknowledged in Congressional testimony that more than 36,000 Kremlin-linked bots produced approximately 1.4 million pieces of automated, election-related content, which collectively received some 288 million impressions. Such centralized control of disinformation at scale allows the Kremlin, and others, to shape the information landscape in a way that is not otherwise possible.

Daniel Hoffman, former CIA Chief of Station

“Three recent examples of Russia using botnets to weaponize their covert influence operations come to mind. First, the August 2017 Twitter feed #FireMcMaster, which was designed obviously to impugn the national security advisor’s reputation. Second, we know a lot about Russia’s use of bots to target the 2016 Presidential elections. Third, I would note Russia’s use of bots to target NATO, particularly in Eastern Europe. Russia has been propagating themes about how Western ideas are bankrupt and the U.S. is trying to prevent Russia from playing the greater role it deserves in a multipolar world.”

Todd Rosenblum, former Acting Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs

“Botnets can pose a serious threat to our nation’s digital security, public safety and civil society. They can be used as an accelerant to spread misinformation, deception and malware at network speed. They range from being high-volume advertising annoyances to propaganda placement meant to poison civil discourse (as Russia has fueled in the West), to their use as a medium for the hostile takeover of large numbers of computers for network attacks. They are easy to operate and used widely by legitimate businesses, criminals, as well as nation-states like Russia engaged in hot information war campaigns against the West.”

Response: The response to botnets by law enforcement often takes the form of two different tracks, which involve arresting the architects of botnet malware and dismantling the technical infrastructure they rely on to act collectively.

  • First, law enforcement seeks to arrest, prosecute and incarcerate criminals who create and use botnets for malicious purposes, but this is not always sufficient to counter the threat from botnets given their transnational nature and the difficulty of identifying the perpetrators behind them. Therefore, law enforcement also uses seizures, forfeitures and restraining orders to dismantle the technical criminal infrastructure maintaining the botnets.

Daniel Hoffman, former CIA Chief of Station

“Bad actors who deploy bots use good tradecraft. They camouflage the bots by making them appear like other real cyberspace actors. Skillfully infiltrating cyberspace, the bots do not look like the foreign enemy tool, which they in fact are. They use common hashtags to conceal their origin. Once they have attained some acceptance and status, they start pushing out their propaganda themes. Very often social network and media site users unknowingly amplify the message and propagate it further. Bots are extremely low-cost and a very effective tool to disseminate covert influence themes. We need to determine the origin of the bot, or ‘skin behind the keyboard’ – the human being who is writing the bot codes and loading the bot with covert influence themes. This is always challenging because nefarious state and non-state actors are always trying to conceal their identity by using false flag cyber operations where we believe the bot is a fellow citizen. In fact the bot is simply the inanimate tool of a foreign intelligence service.”

  • The technical process to disrupt botnet infrastructure begins with a technique known as “sinkholing,” which involves targeting the weakest point of a traditional botnet – its centralized control structure. These servers deliver instructions to the infected bots, which then also “phone home” to command and control servers. The first step of sinkholing is taking control of one or more domain names used by the control server and then redirecting communications from the bots to a server controlled by security researchers or law enforcement, called the “sinkhole.”
  • Creating a sinkhole can prevent the botmaster from delivering instructions to infected computers. It also allows law enforcement to observe infected computers that are in contact with the hijacked server and record the IP addresses of the bots around the world and determine the general location and size of botnets. The sinkhole tactic also allows law enforcement to notify victims – either through internet service providers or directly to their computers – that they have been implicated in a botnet and should take steps toward remediation.
  • The most aggressive and efficient use of a sinkhole by law enforcement is to use its access to victim computers to remotely delete the malware and patch the security flaws that made them vulnerable in the first place. This involves injecting new software onto the computers – effectively hacking them – and creates the risk of inadvertently damaging victim computers as well as concerns about government infringement on privacy.
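The observation-and-notification step of sinkholing described above, as an added example that is not from the article: once the control domains resolve to a sinkhole, the operator's job is largely log processing. This Python script takes constructed sinkhole connection records (timestamp, source IP, control domain the bot tried to reach), drops unparseable lines and non-routable sources, counts unique bots per country and per control domain, and groups the victim IPs by ISP abuse contact so each provider can be notified in one batch. Every IP address, domain and contact is constructed (RFC 5737 documentation ranges stand in for public addresses), and PREFIX_TABLE stands in for the IP-to-ASN/GeoIP lookup a real sinkhole operator would query.

```python
"""Bot census and victim-notification batching over sinkhole logs.
Added example; all sample data below is constructed."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sinkhole records: <timestamp> <source IP> <control domain requested>.
# The documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24
# play the role of public bot addresses here.
SINKHOLE_LOG = """\
2017-11-29T00:00:01Z 198.51.100.23 c2-a.example.invalid
2017-11-29T00:00:02Z 198.51.100.23 c2-a.example.invalid
2017-11-29T00:00:05Z 203.0.113.9 c2-b.example.invalid
2017-11-29T00:01:10Z 192.0.2.77 c2-a.example.invalid
2017-11-29T00:01:12Z 203.0.113.44 c2-b.example.invalid
2017-11-29T00:02:00Z 10.1.2.3 c2-a.example.invalid
2017-11-29T00:02:30Z not-an-ip c2-a.example.invalid
"""

# Constructed stand-in for a WHOIS/GeoIP database: prefix -> (ISP abuse contact, country).
PREFIX_TABLE = [
    (ip_network("198.51.100.0/24"), ("abuse@isp-one.example", "US")),
    (ip_network("203.0.113.0/24"), ("abuse@isp-two.example", "DE")),
    (ip_network("192.0.2.0/24"), ("abuse@isp-three.example", "BR")),
]

# Sources that can never be notified and would only distort the census
# (RFC 1918 space and loopback).  Checked explicitly rather than with
# ip.is_private, which would also reject the documentation ranges used above.
NON_ROUTABLE = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def lookup(ip):
    """Return (abuse contact, country) for ip, or None when no prefix matches."""
    for net, info in PREFIX_TABLE:
        if ip in net:
            return info
    return None


def parse_log(text):
    """Yield (ip, domain) for well-formed records with a routable source address."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed record
        try:
            ip = ip_address(parts[1])
        except ValueError:
            continue  # not an IP address at all
        if any(ip in net for net in NON_ROUTABLE):
            continue
        yield ip, parts[2]


def census(text):
    """Return (unique bots -> domains contacted, per-country count, per-domain count).

    Repeated check-ins from one address count once, so the result is a count of
    distinct addresses, not of connections."""
    bots = {}
    for ip, domain in parse_log(text):
        bots.setdefault(ip, set()).add(domain)
    by_country = Counter()
    for ip in bots:
        info = lookup(ip)
        by_country[info[1] if info else "unknown"] += 1
    by_domain = Counter(d for domains in bots.values() for d in domains)
    return bots, by_country, by_domain


def notification_batches(bots):
    """Group bot addresses by ISP abuse contact so each ISP receives one report."""
    batches = defaultdict(list)
    for ip in sorted(bots, key=int):
        info = lookup(ip)
        if info:
            batches[info[0]].append(str(ip))
    return dict(batches)


if __name__ == "__main__":
    bots, by_country, by_domain = census(SINKHOLE_LOG)
    print(f"{len(bots)} distinct bot addresses")
    print("by country:", dict(by_country))
    print("by control domain:", dict(by_domain))
    for contact, ips in notification_batches(bots).items():
        print(f"notify {contact}: {', '.join(ips)}")
```

The distinct-address count is only an estimate of botnet size: carrier NAT hides many infected machines behind one address, while DHCP churn makes one machine appear under several, which is why real sinkhole reports usually quote a daily unique-IP figure rather than a machine count.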

However, while sinkholing can disrupt botnets, complete takedowns are difficult, as botmasters are often able to regain control by decentralizing command and control through peer-to-peer communication among the bots and then rebuild their unwitting army. Unless the creators of the botnet are physically apprehended, botnets will likely reemerge as more sophisticated variants of previous iterations, in a constant game of cat-and-mouse between law enforcement takedowns and botmaster innovation.

Todd Rosenblum, former Acting Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs

“Takedowns reduce the climate of permissiveness and drive illegal actors farther underground. For takedowns to be effective, they must be done near the top of the production and distribution food chain. Any lower and it is more like swatting at a swarm of bees. The best long-term solution is increasing online bot detection via automated defenses. This will not be foolproof but it will clear enough underbrush so there is more focus on the highly complex and malicious.”

Anticipation: Perhaps the most challenging aspect of botnet disruption is the significant international coordination between law enforcement agencies and the private sector that it requires. While cooperation against botnets can pose logistical, legal, and diplomatic difficulties, processes have begun falling into place to better address the issues of targeting servers in multiple countries, with victims spread across the globe and perpetrators in numerous legal jurisdictions.

  • In April 2013, the FBI’s Cyber Division, in coordination with other government bodies through the National Cyber Investigative Joint Task Force (NCIJTF), launched Operation Clean Slate to disrupt and dismantle the most significant botnets threatening the U.S. economy and national security. The operation began with the June 2013 takedown of the Citadel botnet, which accounted for over 11 million compromised computers worldwide with command and control servers concentrated in North America, Western Europe, and Asia.
  • Since then, law enforcement has become more effective in disrupting large botnets. For example, in April, the U.S. Justice Department announced efforts to dismantle the Kelihos botnet by sinkholing the command and control servers using a general warrant obtained under the newly amended Rule 41 of the Federal Rules of Criminal Procedure. The amendment allows a single warrant to be granted for electronic searches in multiple jurisdictions, so that law enforcement does not need to go to a judge in each jurisdiction where an infected machine resides.
  • In late November, the FBI, in close cooperation with law enforcement counterparts in Germany and coordinated through Europol’s European Cybercrime Centre, dismantled the Andromeda botnet, also known as Gamarue. Within the first 48 hours of sinkholing 1,500 command and control domains, Microsoft discovered 2 million victims across 223 countries that had been drawn into the massive botnet. The alleged architect, identified by Recorded Future, an open source cyber intelligence firm, as Jarets Sergey Grigorevich, was arrested in Belarus in early December.

Todd Rosenblum, former Acting Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs

“International cooperation is vital for finding and attriting hostile botnets. Illicit botnets are created and used worldwide, but there are more permissive environments for their creation and initial distribution. Eastern Europe and former Soviet states are well known to be such hotbeds. Intelligence-informed law enforcement normally leads in taking action against illegal botnet producers and users. Government intelligence arms generally lead in countering state sponsors of harmful botnet actors. Often, diplomacy and international sanction are vital parts of the equation. Of course, cooperation between the public and private sectors is essential for success. Certain times government will drive detection and response, other times it will be the private sector.”

Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.