Imagine an army of computers, acting under the instructions of a criminal syndicate, terrorist group, or foreign government. The sheer size of this network of devices augments the computing power of a single hacker, allowing them to coordinate attacks capable of knocking offline crucial websites belonging to banks, social media, and news organizations.
These so-called botnets can disrupt the internet’s infrastructure, facilitate theft and surveillance on a mass scale, and even sway political opinion. Such subtle influence could shape electorates and influence entire government policies – all staged from the comfort of a keyboard anywhere in the world.
What are botnets and how can they be used for nefarious purposes? What can private industry and government do to combat them?
A bot is simply code that can be injected into any device, which then takes control of a user’s internet browser. From here, the bot can monitor all of the device’s online activity, including the input of login credentials to email, social media, and bank accounts. It can make its own interactions with the internet, out of sight of the person who owns the infected device.
Omri Iluz, the CEO and Co-founder of PerimeterX, says that the latest generation of bots can create fake user accounts through the devices they compromise. “They will take your Google information and make a Facebook profile, and now they control the posts,” Iluz says. “If they control a million Facebook accounts, they can post whatever they want and ‘like’ each other.”
A number of countries, including the U.S. – and more recently France – have accused Russia of using botnets to spread disinformation during political campaigns, either to sway voters, sow doubt in the electoral process, or create confusion in an already cluttered information space. “Suddenly you have articles that could contain any kind of content that you want or drive any political agenda,” says Iluz. “A million ‘likes’ on a post gets attention anywhere in the world.”
Most bots spread through devices connected to the Internet of Things. These include webcams, DVRs, routers, and other smart appliances. The security of such devices is low enough that a bot can simply work through a list of default passwords such as “123” or “admin” and guess its way into the system.
For example, a large-scale botnet known as Mirai corrupted insecure Internet of Things devices and staged disruptive distributed denial of service (DDoS) attacks that flooded servers with false traffic until they crashed. Mirai has targeted internet infrastructure, notably the DNS provider Dyn last October and rendered a number of popular websites, including Twitter and The New York Times, temporarily inaccessible. Similar attacks targeted a telecom provider in Liberia, causing the entire country to go offline momentarily.
Powerful DDoS attacks can overwhelm security teams, potentially creating a diversion that helps hackers slip into networks while defenders are preoccupied with the botnet onslaught. “Some of the attacks could just be feints,” says Kevin Reid, the Vice President of National Security and Chief Information Officer at KeyLogic. “In order to fix this problem, the U.S. needs ways not only to detect, but also to track multiple attacks happening. Otherwise, defenders could miss something that is going on in the background because they have several botnets attacking simultaneously to create diversions.”
While many experts focus on the disruptive capabilities of botnet DDoS attacks and the disinformation campaigns they can mount, botnets can facilitate other types of malicious activity. They are probably best known for profit-motivated cybercrime via botnets-for-hire. By pilfering credentials – such as those found in the billion-user data leak after Yahoo suffered breaches – criminals can steal financial information, disseminate spam, and deploy ransomware to extort money from businesses around the world.
Spies, particularly those employed by the Russian intelligence services, also commonly leverage criminal botnets to facilitate intelligence collection efforts. By declining to arrest cybercriminals, the Russian government essentially harbors them and gives them free rein to expand their botnets, all while peeking over their shoulders.
For instance, the Russian cybercriminal Evgeniy Bogachev, most famous for the creation of the GameOver ZeuS botnet that controlled up to a million computers at once, facilitated Russian espionage in Turkey aimed at following weapons caches moving to Syria in 2013 after the Obama administration began arming Syrian rebels. In effect, Russian intelligence operated under the guise of a cybercrime scheme, sparing themselves the work of hacking into computers and instead, piggy-backed on a successful criminal scheme to drain victims’ bank accounts.
With pervasive use of botnets in disinformation campaigns, cybercrime, and espionage, there must be ways developed to mitigate their harm. One option is simply to create another botnet to hijack the computers compromised by criminal botnets and lock them out. For example, a vigilante hacker has apparently deployed a botnet called Hajime to commandeer insecure devices and lock out the Mirai botnet from taking control of them.
Adam Meyers, Vice President of Intelligence at Crowdstrike, says that his firm helped the Justice Department combat the Kelihos botnet by taking over the domains that were used for the botnet command-and-control. Here a “sink-hole” was created, meaning “a server controlled by law enforcement was established that the botnet would then talk to in order to ask for instructions, revealing where those communications were coming from,” says Meyers. With this information, he says, federal investigators were able to “inform service providers that they had systems on their infrastructure that were compromised with Kelihos and that they needed to be remediated.”
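The second half of the sinkhole process Meyers describes, turning check-in logs into per-provider remediation lists, as an added illustration that is not code from Crowdstrike, the Justice Department or the Kelihos takedown. The log format, IP addresses and the prefix-to-provider table are constructed stand-ins for a real sinkhole log and a WHOIS/ASN lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log (not real Kelihos data): timestamp, source IP, C2 hostname requested.
SINKHOLE_LOG = """\
2017-04-10T12:00:01Z 203.0.113.17 c2-example.invalid
2017-04-10T12:00:05Z 203.0.113.42 c2-example.invalid
2017-04-10T12:00:09Z 198.51.100.8 c2-example.invalid
2017-04-10T12:00:12Z 203.0.113.17 c2-example.invalid
2017-04-10T12:00:20Z 192.0.2.200 c2-example.invalid
not-a-log-line
"""

# Constructed prefix-to-provider table standing in for a WHOIS/ASN lookup.
PROVIDER_PREFIXES = {
    "203.0.113.0/24": "ProviderA (hypothetical)",
    "198.51.100.0/24": "ProviderB (hypothetical)",
}


def parse_sinkhole_log(text):
    """Yield (timestamp, source_ip, hostname) per well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield parts[0], ip, parts[2]


def provider_for(ip, prefixes=PROVIDER_PREFIXES):
    """Return the provider whose prefix contains ip, or 'unknown' if no prefix matches."""
    ip = ipaddress.ip_address(ip)
    for cidr, name in prefixes.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return "unknown"


def remediation_report(text, prefixes=PROVIDER_PREFIXES):
    """Map each provider to the sorted list of distinct infected IPs that checked in."""
    report = defaultdict(set)
    for _, ip, _ in parse_sinkhole_log(text):
        report[provider_for(ip, prefixes)].add(str(ip))
    return {prov: sorted(ips) for prov, ips in report.items()}


if __name__ == "__main__":
    for prov, ips in remediation_report(SINKHOLE_LOG).items():
        print(f"{prov}: {len(ips)} infected host(s): {', '.join(ips)}")
```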
Private industry is taking a different approach. Iluz argues that “identifying a bot is hard, almost impossible, but identifying humans is still possible.” Bots can be modified to change their behavior in order to go undetected, but, Iluz says, “if you are able to identify human behavior, then you are able to block any bot.”
Levi Maxey is a cyber and technology producer at The Cipher Brief. Follow him on Twitter @lemax13.