Emerging political risks of botnets, bot logs, and bot markets

On December 8, the Lithuanian company NordVPN, one of the world’s largest VPN providers, disclosed that approximately 5 million people globally were hacked and had their data stolen and sold on bot markets. According to NordVPN’s report, India was the most affected country, with 600,000 citizens falling victim to such attacks. Around 26.6 million credentials have been leaked onto these markets, including 720,000 Google accounts, 654,000 Microsoft accounts and 647,000 Facebook accounts.

Bot markets are a new phenomenon that emerged around 2017, and have been increasingly used by hackers because they allow larger amounts of data to be stored in one place. Once a hacker gains access to a victim’s device, infostealer malware is installed onto the exposed device, harvesting personal data such as the user’s stored cookies, digital fingerprints, logins, screenshots and autofill forms. Each victim’s data is placed in its own folder, called a bot log, which the hacker then prices and sells on a bot market. More expensive bot logs will usually include stolen credit card credentials that buyers can use to extract funds from bank accounts.

Understanding how infostealers work

While the code of individual infostealers differs in how it executes, all infostealers are designed to steal victim information and save it into bot logs.

RedLine, the most used infostealer malware, is deployed to access a user’s saved credentials, autofill data, and credit card information. It can also access session tokens (single-use codes that are sent to users as part of two- or multi-factor authentication). RedLine is particularly desirable for bot logs since it can continuously extract data from an infected device.

Vidar, the second most used infostealer, can access accounts by stealing passwords, cookies, search history and autofill data, along with cryptocurrency wallet and credit card details that have been stored in a targeted user’s web browser. Vidar is harder to detect: after the hack or "theft", the malware wipes its traces from the victim’s device.

The list of infostealers continues to develop with the creation of more sophisticated software. In March 2022, Meta Stealer—a new infostealer very similar to RedLine, but harder to detect by anti-virus software—made its appearance on the dark web. 

Another example is the Rhadamanthys infostealer, which was launched in August 2022 and poses a particular threat to businesses because of its amplified ability to access corporate networks. Like other infostealers, it can access information and logins from a variety of different platforms. It targets banking information as well as communication applications such as Outlook and Slack, amongst others. But the biggest concern is that it has a very low anti-virus detection rate. Rhadamanthys has the capacity to hack into multi-factor authentication (MFA) apps, such as Authenticator, EOS Authenticator and others, and gain access to the two-factor authentication (2FA) codes generated in these applications to log in to secure accounts. In addition, Rhadamanthys can avoid the need to acquire 2FA codes altogether by changing a hacked computer’s settings in its control panel, allowing the cookies generated by these 2FA applications to be transferred to a bespoke browser.

Botnets and bot markets

After a hacker has successfully installed infostealer malware onto a computer, the malware will start to extract account login details. All of this is then saved into a “bot”, which is a program that can autonomously gather data from an infected computer. 

Instead of having control over a single device, hackers will generally control a network of devices, called a “botnet”, which allows the hacker to infiltrate thousands of accounts at a time without detection. 

Data extracted from bots is then categorised into separate files called bot logs, which hackers price and sell on bot markets.

The three best-known bot markets are 2easy, Genesis and the Russian Market. Of these, the Russian Market is the biggest, selling more than 3,870,000 logs from 225 countries. The Russian Market is particularly dangerous, since its dark web version is widely used, making hacking activities harder to track. Bot markets operate on blockchain platforms and allow transactions exclusively in cryptocurrencies, which decentralise transactions and make them harder to trace.

Risks for governments, businesses and NGOs 

Fundamentally, infostealers, botnets, bot logs and bot markets all provide hackers with means to bypass existing cybersecurity measures, such as MFA, anti-money laundering (AML) controls, and more.

Politically, the developments in infostealer software and botnets are a significant addition to existing spyware and cyberwarfare technology. According to the UK National Cyber Security Centre (NCSC), the Sandworm group (a group of hackers from Russia’s foreign intelligence agency (GRU), known alternatively as Unit 74455) has waged several high-profile cyber-attacks in Eastern Europe. Notable attacks include the Ukraine power grid hack in 2015, where more than 230,000 residents experienced a blackout, and the Georgia cyber attacks of 2019, involving the large-scale hacking of websites across the country, including government, NGO, and media websites. The Sandworm group has also begun using infostealers and botnets to conduct cyber-espionage and cyber attacks. VPNFilter, a botnet attributed to the Sandworm group that mainly targeted Ukrainian hosts and was used for intelligence collection and destructive cyber attack operations, was taken down by the US in May 2018. In 2019, a successor to VPNFilter, called Cyclops Blink, emerged, which security researchers believe was capable of collecting intelligence, conducting espionage, and launching denial-of-service (DoS) attacks to make devices inoperable.

The theft of login details sold on bot markets also poses a huge national security and economic risk. The Colonial Pipeline Network hack in May 2021, which severely disrupted energy supply chains in Eastern US states, provides an example of the severe risk associated with the sale of logins on bot markets. DarkSide, the group behind the attack, used a login to the Pipeline’s VPN network—sold on a bot market—to steal 100 GB of data, compromising the company’s billing and accounting system. To recover its data, Colonial Pipeline had to pay 75 bitcoin (approximately USD 5 million at the time of payment). Hackers tend to prefer Bitcoin payments, as it is the most stable cryptocurrency, and its decentralised nature makes it harder for financial authorities to trace.

While DarkSide declared they were solely after ransom and did not intend to cause social chaos, the incident illustrates existing capabilities that could be utilised in politically-motivated cyberattacks. It is also worth noting that since the Colonial Pipeline attack, the FBI has recovered the amount paid in ransom by tracking the company’s payment to a cryptocurrency wallet used by DarkSide. The FBI was able to access the public ledger of the bitcoin traded, which stores all transaction history, to track down a wallet that had been used by the hacker group. Such ledger recoveries, which can be traced back to the Silk Road crackdown, have pushed cybercriminals towards hyper-private coins such as Zcash and Monero, which hide all previous transaction details, making it more difficult for authorities to recover ransomware payments.

Politically-motivated cyber attacks are an increasing trend targeting governments, NGOs, universities and media outlets. RedAlpha, a group of hackers likely linked to the Chinese Communist Party (CCP), has conducted multi-year cyber-espionage operations against organisations deemed to clash with the CCP's political interests, such as Taiwan’s ruling Democratic Progressive Party, Amnesty International, the International Federation for Human Rights, and Radio Free Asia. So far, RedAlpha has infiltrated its targets through software that mimics organisations’ login pages, tricking users into providing their login details. The group has also benefited from organisations still not adopting MFA. But as governments, NGOs, and others move on to more robust security measures, it is likely that the technologies described in this article (infostealers, botnets, bot logs and bot markets) will continue to facilitate politically motivated cyberattacks.

A final point of concern is specific to the propagation of bot markets. With increasing public legislation and self-regulation of social media giants following the Cambridge Analytica Scandal in 2016, the acquisition of personal data for political means has become harder. With social media data becoming trickier to harvest for political usage, there is a risk that political campaign officers could move to bot markets to illegally acquire information on citizens’ political preferences. Politicians wishing to sway public votes in their favour, or oppressive political regimes seeking greater surveillance over their population, may seek out such data. 

At the time of writing, no known instances of such usage of bot markets have been reported. However, the world of political campaigning is no stranger to the use of bot technology for political manipulation. Political bots, automated social media accounts which are programmed to act like real people and post comments or share posts to influence public political opinion, have been used in the run-up to presidential elections in the UK, the US, Argentina, Iran, Bahrain, China and more. With the increasing usage of bots in political manipulation activities, one can’t completely rule out the future use of other bot technology, such as bot markets, for political ends.
