WASHINGTON (CN) – The FBI executed a warrant Wednesday to disrupt a massive global botnet controlled by the Russian hacking group that U.S. intelligence agencies say breached the Democratic National Committee during the 2016 election.
U.S. Magistrate Lisa Pupo Lenihan in the Western District of Pennsylvania approved the warrant initially under seal, based on a May 22 affidavit by Special Agent Michael McKeown that explains how the FBI tied the domain toknowall.com and the botnet VPN Filter to the Russian cyberespionage group known as Sofacy or Fancy Bear.
As explained in the affidavit, Sofacy has been using a type of malware called BlackEnergy since about 2007 to extract intelligence from government, military and security organization targets.
BlackEnergy was used in the 2015 attack on Ukraine’s power grid, and Agent McKeown says the government’s cyberintelligence experts have never observed an encryption algorithm called the RC4 stream cipher outside BlackEnergy malware.
Last summer, however, the FBI found the same algorithm in the VPN Filter botnet that had infected various home routers and NAS devices, short for network-attached storage.
Prosecutors say the domain toknowall.com is “the malware’s command-and-control infrastructure.” Seizing it will allow the FBI to redirect the malware to FBI-controlled servers so that they can then identify infected devices.
Assistant Attorney General for National Security John Demers said in a statement that the Department of Justice is committed to actively disrupting cyberthreats rather than watching from the sidelines.
“This operation is the first step in the disruption of a botnet that provides the Sofacy actors with an array of capabilities that could be used for a variety of malicious purposes, including intelligence gathering, theft of valuable information, destructive or disruptive attacks, and the misattribution of such activities,” Demers said.
One victim in Pittsburgh whom the FBI interviewed in August allowed agents to tap her home network. They observed traffic leaving her home router and saw the infected router trying to connect to a specific account on the website Photobucket containing images that store a second stage of malware.
If attempts to download those images fail, the malware then directs the infected router to toknowall.com, according to the affidavit.
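The stage-two retrieval sequence described above (Photobucket first, then toknowall.com as the fallback) is what a home-network defender can look for in outbound DNS or proxy logs. The following is an added example, not code from the article or the affidavit: the log format and sample lines are constructed, and photobucket.com is assumed as the hostname behind "the website Photobucket".

```python
import re
from collections import defaultdict

# Constructed sample log (not from the affidavit): timestamp, source IP, host, HTTP status
SAMPLE_LOG = """\
2018-05-23T10:01:02 192.168.1.1 photobucket.com 404
2018-05-23T10:01:03 192.168.1.1 photobucket.com 404
2018-05-23T10:01:05 192.168.1.1 toknowall.com 200
2018-05-23T10:02:00 192.168.1.20 photobucket.com 200
2018-05-23T10:03:00 192.168.1.30 example.org 200
"""

C2_DOMAIN = "toknowall.com"      # named in the affidavit as the malware's C2 domain
STAGE2_HOST = "photobucket.com"  # hostname assumed for the Photobucket stage-2 images
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def in_domain(host, domain):
    """True for the domain itself and any subdomain of it."""
    return host == domain or host.endswith("." + domain)

def parse(log_text):
    """Yield (timestamp, src_ip, host, status) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, host, status = m.groups()
            yield ts, src, host, int(status)

def find_c2_fallback(log_text):
    """Map each source IP to the findings against it, in log order."""
    failed_stage2 = set()          # sources whose Photobucket fetch did not succeed
    findings = defaultdict(list)
    for ts, src, host, status in parse(log_text):
        if in_domain(host, STAGE2_HOST) and status >= 400:
            failed_stage2.add(src)
        elif in_domain(host, C2_DOMAIN):
            # Any contact with the C2 domain is a finding on its own ...
            findings[src].append(("c2-contact", ts))
            # ... and a stronger one when it follows a failed Photobucket fetch,
            # which is the order of operations the affidavit describes.
            if src in failed_stage2:
                findings[src].append(("stage2-fallback", ts))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in find_c2_fallback(SAMPLE_LOG).items():
        print(src, hits)
```

A device that only fetches images from Photobucket successfully (192.168.1.20 in the sample) is ordinary browsing and is not flagged; the flag fires on the C2 domain, and fires harder when it follows the failed fetch.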
The government also got an order on Wednesday as part of the investigation authorizing the use of trap and trace devices and pen registers.
According to the application for that order, attackers with access to the botnet “would be able to steal and delete files, elevate or escalate privileges, conduct keylogging, and potentially destroy victim files or even render the infected device inoperable.”
The government did not seek the content of any communications, according to the application, only identifying information for all communications the malware sends to the FBI servers.
McKeown’s affidavit says BlackEnergy malware enables “credential stealing, data exfiltration, and network traffic monitoring,” but it can also compromise certain types of routers, specifically those built on the central processing units often found in mobile phones, tablets and home routers.