Google disrupts Russian botnet that infected 1 million Windows machines

Google is suing two Russian individuals it claims are behind a sophisticated botnet operation that has silently infiltrated more than 1 million Windows machines worldwide.

In a complaint filed in the U.S. District Court for the Southern District of New York, Google names Russian nationals Dmitry Starovikov and Alexander Filippov as the two main operators of the Glupteba botnet, citing Gmail and Google Workspace accounts they allegedly created to help them operate the criminal enterprise.

Google claims the defendants used the botnet network — which it describes as a “modern, borderless technological embodiment of organized crime” — for illicit purposes, including the theft and unauthorized use of Google users’ logins and account information. It is demanding that Starovikov and Filippov pay damages and be permanently banned from using Google services.

The Glupteba botnet, which the tech giant has been tracking since 2020, has so far infected approximately 1 million Windows machines worldwide, according to Google, and is growing at a rate of thousands of new devices each day. Once a device has been infected — typically by tricking users into downloading malware via third-party “free download” sites — the botnet steals user credentials and data, secretly mines cryptocurrencies and sets up proxies to funnel other people’s internet traffic through infected machines and routers.

“At any moment, the power of the Glupteba botnet could be used in a powerful ransomware attack or distributed denial of service attack,” Google added in its complaint. 

The tech giant also notes in the complaint that the Glupteba botnet stands out from conventional botnets because of its “technical sophistication,” in particular its use of blockchain technology to protect itself from disruption.

As well as launching litigation against the so-called Glupteba botnet, the company’s Threat Analysis Group (TAG) — which has observed the botnet targeting victims in the U.S., India, Brazil, Vietnam and Southeast Asia — announced it has worked with internet hosting providers to disrupt the botnet’s key command and control (C2) infrastructure. This means its operators no longer have control of the botnet, though Google has warned that Glupteba could return because it uses blockchain technology as a resiliency mechanism.

“The Glupteba botnet does not rely solely on predetermined (web) domains to ensure its survival,” Google wrote in its complaint. “Instead, when the botnet’s C2 server is interrupted, Glupteba malware is hard-coded to ‘search’ the public Bitcoin blockchain for transactions involving three specific Bitcoin addresses that are controlled by the Glupteba Enterprise. Thus, the Glupteba botnet cannot be eradicated entirely without neutralizing its blockchain-based infrastructure.”
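The recovery mechanism the complaint describes, an infected machine re-deriving its C2 location from transactions on the public blockchain, leaves a footprint a defender can look for: a process that is not a browser repeatedly querying a blockchain-explorer API for the same address. The following Python is an added example, not code from the article or from Google; it assumes JSON-lines proxy logs with the fields shown, and the explorer hostnames, process names and sample log lines are constructed placeholders, not indicators from the case.

```python
"""Flag non-browser processes that repeatedly poll blockchain-explorer APIs.

Added example (not from the article). Assumes proxy logs as JSON lines with
the fields ts, host, proc, dst and path. EXPLORER_HOSTS and the sample log
are constructed placeholders for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime

# Placeholder list: explorer API hostnames the defender observes in their own
# environment. These are constructed names, not indicators from the article.
EXPLORER_HOSTS = {"api.blockchain-explorer.example", "explorer.example.net"}

# Processes for which explorer lookups are expected (a person browsing).
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample: one workstation where an unknown binary polls an
# explorer API for the same address roughly every five minutes, plus noise.
SAMPLE_LOG = """\
{"ts":"2021-12-07T10:00:02Z","host":"ws-17","proc":"chrome.exe","dst":"api.blockchain-explorer.example","path":"/address/bc1qexampleaddr0000"}
{"ts":"2021-12-07T10:01:10Z","host":"ws-17","proc":"svchost.exe","dst":"update.example.com","path":"/check"}
{"ts":"2021-12-07T10:02:00Z","host":"ws-23","proc":"updater_svc.exe","dst":"api.blockchain-explorer.example","path":"/address/bc1qexampleaddr0001"}
{"ts":"2021-12-07T10:07:01Z","host":"ws-23","proc":"updater_svc.exe","dst":"api.blockchain-explorer.example","path":"/address/bc1qexampleaddr0001"}
{"ts":"2021-12-07T10:12:03Z","host":"ws-23","proc":"updater_svc.exe","dst":"explorer.example.net","path":"/address/bc1qexampleaddr0001"}
{"ts":"2021-12-07T10:17:00Z","host":"ws-23","proc":"updater_svc.exe","dst":"api.blockchain-explorer.example","path":"/address/bc1qexampleaddr0001"}
"""


def parse_events(log_text):
    """Parse JSON-lines proxy log into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_explorer_polling(events, min_hits=3):
    """Return (host, process) pairs that hit explorer APIs from a non-browser.

    A single lookup is weak evidence; min_hits requires repeated polling,
    which is what an automated recovery routine would produce.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["dst"] in EXPLORER_HOSTS and ev["proc"].lower() not in BROWSER_PROCESSES:
            groups[(ev["host"], ev["proc"])].append(ev)

    findings = []
    for (host, proc), evs in sorted(groups.items()):
        if len(evs) < min_hits:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        # The address is the last path component; a fixed set of addresses
        # across many polls matches the hard-coded behaviour described.
        addresses = sorted({e["path"].rsplit("/", 1)[-1] for e in evs})
        findings.append({
            "host": host,
            "proc": proc,
            "hits": len(evs),
            "addresses": addresses,
            "median_gap_s": sorted(gaps)[len(gaps) // 2],
        })
    return findings


if __name__ == "__main__":
    for f in find_explorer_polling(parse_events(SAMPLE_LOG)):
        print(f"{f['host']} {f['proc']}: {f['hits']} explorer lookups, "
              f"addresses={f['addresses']}, median gap {f['median_gap_s']:.0f}s")
```

The browser allowlist and hit threshold are the knobs to tune: in an environment with a real wallet or trading application the process list grows, and the regular polling interval, rather than the lookup itself, is what separates an automated routine from a person checking a balance.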

The move, which marks the first time Google has taken action against a botnet operation, comes a day after Microsoft revealed that it has seized control of malicious websites being used by China-backed hackers to target governments and human rights organisations in the U.S. and 28 other countries.