Russian cyber criminal pleads guilty to running IPStorm botnet

Sergey Manikin, a joint Moldovan-Russian national who ran a botnet proxy network known as IPStorm that compromised computer systems all over the world, has pled guilty to three counts of violating US fraud laws against knowingly causing the transmission of a program to intentionally cause damage without authorisation to protected computers.

IPStorm, which has now been dismantled by the FBI and partners from the Dominican Republic and Spain, victimised systems by coopting them into a botnet that ran them as proxies for people seeking to mask their internet activity.

Manikin sold illegitimate access to his botnet through two websites, charging hundreds of dollars a month to route traffic across thousands of infected machines. He boasted of over 23,000 anonymous users, and has admitted he made more than $500,000 from his customers.

“This investigation shows that we will use every lawful tool at our disposal to disrupt cybercriminals, regardless of their location,” said US attorney Stephen Muldrow. “This case serves as a warning that the reach of the law is long, and criminals anywhere who use computers to commit crimes may end up facing the consequences of their actions in places they did not anticipate.”

“It is no secret that in present times, much criminal activity is conducted or enabled through cybernetic means. Cyber criminals seek to remain anonymous and derive a sense of security because they hide behind keyboards, often thousands of miles away from their victims,” said Joseph González, special agent in charge of the FBI’s Field Office in San Juan, Puerto Rico.

“The FBI’s cyber mission has been to impose risk and consequences on our adversaries, ensuring cyberspace is no safe space for criminal activity. This case is one example of how we are doing just that, and I’d like to thank the DOJ’s Computer Crime and Intellectual Property Section, the US Attorney’s Office for the District of Puerto Rico, and the FBI San Juan Cyber Team for their meticulous and relentless work in this case.”

The users of IPStorm themselves were not targeted in the law enforcement investigation, the scope of which was limited to disabling Manikin’s malicious infrastructure.

IPStorm – or Interplanetary Storm – first came to attention in the spring of 2019 when researchers found a new Golang malware targeting Windows, and later Linux, by abusing the legitimate peer-to-peer Interplanetary File System (IPFS) network to obscure its traffic and make it harder to detect.

It most likely arrived on its victims’ devices via secure shell (SSH) brute force attacks. Once infected, the malware essentially squatted on IPFS and exploited it to receive execute arbitrary PowerShell commands from the botnet controller.

In theory, this means Manikin could have caused much more damage than he did by selling access to cyber criminal gangs, but in practice IPStorm’s activity seems to have been limited to anonymised browsing services.

Alexandru Catalin Cosoi, senior director of Bitdefender’s investigation and forensics unit, which first started tracking IPStorm in 2020, was among a number of private sector cyber researchers to have provided support to the law enforcement operation against Manikin.

“The Interplanetary Storm botnet was complex and used to power various cyber criminal activities by renting it as a proxy as a service system over infected IoT devices,” said Cosoi.

“Our initial research back in 2020 uncovered valuable clues to the culprit behind its operation, and we are extremely pleased it helped lead to arrests. This investigation is another primary example of law enforcement and the private cyber security sector working together to shut down illegal online activities and bring those responsible to justice.”