US and Netherlands seize network providers that helped hackers mask activities

The Justice Department and Dutch law enforcement shuttered 5socks and Anyproxy, services with Russian ties that sold proxies to cybercriminals. Lumen provided internet backbone data to the agencies.

The FBI and Dutch National Police recently seized the website infrastructure of 5socks and Anyproxy, a pair of providers that for years offered location and identity-masking tools to cybercriminals, the Justice Department said Friday.

Three Russian nationals — Alexey Chertkov, Kirill Morozov and Aleksandr Shishkin — and Kazakhstani national Dmitriy Rubtsov were charged for operating the proxy services, which were built on hijacked, older-model wireless routers around the world, according to a DOJ release. Prosecutors believe the defendants made more than $46 million through the schemes.

The compromised routers formed a botnet that served as the backbone for the proxies, designed to hide users’ locations. Such tools, which redirect internet traffic through intermediary servers, have long allowed hackers to camouflage their whereabouts.

5socks, which claimed to have been operating since 2004, said users can purchase “elite anonymous proxies at affordable price” and access some 7,000 proxy service offerings with cryptocurrency payments, according to an archived version of the group’s homepage.

Users could also navigate 5socks in Russian, signaling that Russian-speaking hacking groups relied on 5socks tooling to mask their exploits. Its site is also registered to an address in Moscow, according to publicly available data. Both website domains were managed by an unnamed company headquartered in Virginia and hosted on computer servers around the world, the DOJ charges say.

The sites now display a takedown banner with DOJ, FBI and Dutch National Police seals. The FBI’s Oklahoma City Cyber Task Force found that malware had been secretly installed on business and home routers across Oklahoma, DOJ said.

Telecommunications and networking firm Lumen provided internet backbone data to law enforcement, the company said in a Friday blog post. Lumen observed roughly 1,000 distinct bots per week reaching out to a command-and-control server based in Turkey, with a majority of the compromised systems located in the U.S. and smaller concentrations in Canada and Ecuador.

Proxies have long been used to help people browse the internet anonymously and access censored content in restrictive countries, but they have also served as effective tools for hackers to hide their identities and launch cyberattacks without being detected.

Under U.S. law, the Justice Department can obtain legal authority through court warrants to shutter websites believed to facilitate cybercrimes. Last year, the FBI conducted 17 “joint-sequence operations” that involved website takedowns, FBI Deputy Director for Cyber Operations Brett Leatherman said last week at the RSAC Conference in California.

In an interview with Nextgov/FCW on the sidelines of the conference, Leatherman said more enforcement actions against hackers should be expected going forward.