A botnet is a collection of networked computers, often hacked or otherwise taken over by a third party, all working in tandem to achieve a goal. Sometimes that goal is to take a site down at all costs, as seen in distributed denial of service (DDoS) attacks. Sometimes those synchronized resources are used to brute force a password, or to compute the solution to a problem that takes a ton of distributed processing time (including pattern recognition, cryptocurrency mining, chemical analysis, mass database searches, and the like).
Either way, hackers aren’t the only ones who use botnets. For better or for worse, governments create and use botnets for a variety of reasons ranging from spying on their citizens to attacking their foes.
This chapter will detail the government's uses of botnets, describe some of the most well-known incidents, and cover the injustices that are committed whenever non-government resources are used to plot the government’s dirty work.
One of the issues with cyberwarfare is that governments rarely claim ‘credit’ for the attacks. To do so would be a potential financial liability (in the form of sanctions, for example), and confirmation of their resources and capabilities. So the included examples will only highlight accomplishments directly in line with the military and espionage goals of the country in question. There are hundreds more attacks that might be funded or otherwise ‘encouraged’ by governments, but they will not be discussed here because there’s no smoking gun.
The Russian government is one of the biggest users of botnets in the world. In fact, they openly use terms like ‘cyber war’ and flex their virtual might in online demonstrations of power. However, specific botnet use is reserved for special targets, such as Estonia.
In 2007, Russia used a botnet to launch a massive DDoS attack on Estonia’s critical government and financial organizations. This was one of the rare cases where one or more government or government-sponsored groups took credit for the attack. A former government aide was one possibility as the key orchestrator, though a Kremlin-funded pro-youth group also claimed responsibility. Experts believe that, if either claim is true, it is just a fraction of the entire story behind the government’s involvement.
The Russian government’s attack on the 2014 Ukrainian presidential election ended with a rare slip-up that unmasked them as the attacker. After using both malware and a massive DDoS attack in an attempt to change the outcome of the election, Russia instructed its media to broadcast a web page that claimed that the far-right candidate had won. However, that fake web page was caught and removed from the election board’s servers before anyone in the public or media could have possibly seen it! By feeding the exact same fake ‘election results’ page to their media, the Russian government effectively admitted that they were the orchestrators.
China has a dedicated ‘network warfare’ division that operates as part of its army, committing between 50,000 and 100,000 units to the task of cyber warfare. Normally, they use far more subtle and sophisticated approaches in their actual hacks, but as either a distraction, a demonstration, or a precursor to other attacks, they are quite adept at using botnets. The 2008 cyber attacks against India’s infrastructure and government were orchestrated by this division. Botnets coordinated DDoS attacks but may have also been involved in calculation exercises such as hash analysis and other password-cracking techniques.
North Korea loves to use botnets to ‘recruit’ home computers and dedicated servers for their future cyber attacks. Their two main government hacking groups are simply called ‘Lab 110’ and ‘Unit 121’. They perpetrated both the Sony Pictures attack in 2014 and the WannaCry attacks in 2017. The scope of the botnet that they built was so massive that the U.S. FBI and Air Force had to contact victims and help them disinfect their systems, not wanting them to be used in future attacks by North Korea. But there were impressive levels of individual sophistication in use as well, not just the brute force of the masses. Tailored spear phishing messages were sent to Sony Pictures employees to get malware on the inside, creating a conduit through which the data could be exfiltrated.
Of course, the good old U.S.A. wouldn’t want to be left out of the botnet race. In fact, the NSA has developed programs that specifically take over botnets that were built by hacking groups. The initiative is called ‘DEFIANTWARRIOR’. As unsubtle as that may sound, the results are anything but crude. U.S.-based infected systems are directed to the FBI so that the owners can be contacted and their assets cleaned up. Outside systems, just about anything on foreign soil, become nodes of a greater botnet. Because they seemingly have been infected by commercial hacker groups, they carry with them a measure of autonomy and anonymity that the NSA wouldn’t have with official government assets. Consider their hijacked botnets as ‘throwaway’ nodes, to be used for spying activities or one-time cyber attacks.
Speaking of the FBI, they’re in on the action as well. They have, in the past, received court orders allowing them to take over botnet assets. In the case linked, it happens to be a Russian botnet, but their mandate doesn’t limit them to botnets created by external entities. The parameters of their warrants allow them to take the computing assets of both allied and domestic botnets as well. But wait, isn’t that a 4th Amendment violation in the U.S.? The answer is ‘it depends’. As it turns out, reasonable expectation and intent have a lot to do with what’s legal and not legal as far as search and seizure. This applies to all government entities in the U.S.A., ranging from police to federal organizations. In fact, state-level organizations might be even more limited than the federal government, as there’s an extra set of laws they need to abide by at the more local level. Who knew?
Botnet law in the U.S. is a complete mess right now. Measures range from ineffective to completely overstepping property and privacy laws from the past. In short: The legal and practical aspects of botnet handling show no signs of clearing up in the near future.
With a broad overview of the players and their methods, let’s discuss the uses of botnets in government spying operations.
How Government Botnets Are Used
Governments use botnets in much the same way that other hacker groups use them. Only the goals are different… most of the time. Yes, some governments are shameless enough to ask for ransoms to help fund their operations. However, the majority are using these resources for intelligence purposes.
With that in mind, here are the main ways that botnets are utilized by governments:
DDoS: Distributed denial of service is still the number one way to utilize botnets, even by government entities. Look at these ‘zombified’ nodes in the same way a government would look at any temporary resource: They’re cheap, disposable, and their accountability is low. It doesn’t matter if they’re discovered and ‘burned’ once the operation is over. They’ve served their purpose.
DDoS attacks are much harder to deal with when the sources are widely distributed and the contents of the packets are well-randomized and legitimate looking. So a multi-country distribution from all sorts of different systems is desirable to the attacker. The first step in filtering a DDoS attack is to fingerprint the packets. The more diversity those packets have, the harder it is to come up with a sane way to block them without blocking legitimate packets as well. So the wide net that is cast by your typical botnet does the job much better than resources purchased centrally for the attack (such as AWS, Google Cloud, etc.).
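To make the fingerprinting point concrete from the defender's side, here is an added example (not code from the original chapter or from any product it mentions). It parses a constructed, hypothetical access-log layout, reduces each request to a coarse fingerprint (method, path, user agent), and only proposes a block when one fingerprint dominates the traffic. A crude flood from thirty sources with one identical request shape is trivially separable; a flood that copies the shapes of ordinary traffic is not, because blocking its most common fingerprint also drops legitimate requests. All log lines, IP ranges and thresholds are constructed for the demo.

```python
import re
from collections import Counter

# Minimal access-log layout used by the constructed sample lines below
# (hypothetical; real servers differ, so adjust the pattern for yours).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def fingerprint(rec):
    """Coarse request fingerprint: method, path without query string, user agent."""
    return (rec["method"], rec["path"].split("?", 1)[0], rec["ua"])


def dominant_fingerprint(lines):
    """Most common fingerprint in the traffic: (fingerprint, share, distinct source IPs)."""
    recs = [r for r in map(parse, lines) if r]
    counts = Counter(fingerprint(r) for r in recs)
    fp, n = counts.most_common(1)[0]
    sources = {r["ip"] for r in recs if fingerprint(r) == fp}
    return fp, n / len(recs), len(sources)


def block_rule(lines, threshold=0.5):
    """Propose a fingerprint to block only when it dominates the mix; otherwise None."""
    fp, share, _ = dominant_fingerprint(lines)
    return fp if share >= threshold else None


def collateral(fp, legit_lines):
    """Fraction of known-good requests that a block on fp would also drop."""
    recs = [r for r in map(parse, legit_lines) if r]
    return sum(1 for r in recs if fingerprint(r) == fp) / len(recs)


# Constructed baseline of ordinary traffic: six requests, six distinct shapes.
LEGIT = [
    '10.0.0.1 "GET / HTTP/1.1" 200 5120 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"',
    '10.0.0.2 "GET /login HTTP/1.1" 200 2048 "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '10.0.0.3 "POST /login HTTP/1.1" 302 0 "Mozilla/5.0 (Macintosh) Safari/605.1"',
    '10.0.0.4 "GET /search?q=botnet HTTP/1.1" 200 9216 "Mozilla/5.0 (X11; Linux) Chrome/117.0"',
    '10.0.0.5 "GET /static/app.js HTTP/1.1" 200 40960 "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"',
    '10.0.0.6 "GET / HTTP/1.1" 200 5120 "Mozilla/5.0 (Android 13) Chrome/117.0"',
]

# Constructed crude flood: thirty sources, one identical request shape.
CRUDE_FLOOD = [
    f'198.51.100.{i} "GET /search?q=a HTTP/1.1" 200 9216 "python-requests/2.31"'
    for i in range(1, 31)
]


def _mimic(i):
    """Constructed flood line that copies the shape of a legitimate request."""
    r = parse(LEGIT[i % len(LEGIT)])
    return (f'203.0.113.{i} "{r["method"]} {r["path"]} HTTP/1.1" '
            f'{r["status"]} {r["size"]} "{r["ua"]}"')


# Constructed randomised flood: thirty sources spread evenly over the legitimate shapes.
DIVERSE_FLOOD = [_mimic(i) for i in range(1, 31)]
```

`block_rule(LEGIT + CRUDE_FLOOD)` returns the python-requests fingerprint, which covers over 80% of the mix and matches none of the baseline, so `collateral` is zero. `block_rule(LEGIT + DIVERSE_FLOOD)` returns `None`: the top fingerprint is one sixth of the traffic and blocking it would drop one sixth of the known-good requests while removing only a fifth of the flood, which is exactly the trade-off the paragraph describes.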
Brute Force: Utilizing the combined processing power of distributed computing resources in order to brute force an unknown quantity is nothing new. In the legitimate world, we’ve seen extra CPU cycles dedicated to things like solving protein folding and habitable planet searches.
But in the world of espionage and hacking, botnets can be used to break codes. That might mean using a distributed tool that can coordinate attempts on various types of hashes, like MD4, MD5, SHA, etc. The result is thousands of systems trying to break a cipher, all coordinated by a single master. And given that these resources are so widely distributed and not directly on the government payroll, it’s almost impossible to accuse any particular government of abusing these hacking efforts, assuming they’re being careful.
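The defender's answer to distributed hash cracking is to make each guess expensive. The following added example (not code from the original chapter) measures, on the machine it runs on, how many candidate passwords per second a fast unsalted MD5 allows versus a salted PBKDF2-HMAC-SHA256 with 100,000 iterations, and turns those rates into the expected years a botnet of a given size would need to exhaust an 8-character alphanumeric keyspace. The node count, iteration count and keyspace are assumptions chosen for illustration.

```python
import hashlib
import os
import time

# Constructed salt for the demo; real systems store a random per-user salt.
SALT = os.urandom(16)
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password):
    """The cheap, legacy kind of hash a distributed cracker chews through fastest."""
    return hashlib.md5(password).digest()


def pbkdf2_slow(password):
    """A deliberately slow, salted KDF; every guess costs PBKDF2_ITERATIONS HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, PBKDF2_ITERATIONS)


def guesses_per_second(hash_fn, samples):
    """Measure how many candidate passwords per second hash_fn handles on this core."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"candidate-{i}".encode())
    return samples / (time.perf_counter() - start)


def slowdown_factor():
    """How many times fewer guesses per second the slow KDF allows than unsalted MD5."""
    fast = guesses_per_second(md5_unsalted, 20_000)
    slow = guesses_per_second(pbkdf2_slow, 5)
    return fast / slow


def years_to_exhaust(keyspace, rate_per_node, nodes):
    """Expected years for `nodes` machines, each guessing at rate_per_node, to try every key."""
    seconds = keyspace / (rate_per_node * nodes)
    return seconds / (365 * 24 * 3600)


def compare(keyspace=62 ** 8, nodes=10_000):
    """Years to exhaust the keyspace with a botnet of `nodes` single-core machines, per hash."""
    md5_rate = guesses_per_second(md5_unsalted, 20_000)
    kdf_rate = md5_rate / slowdown_factor()
    return {
        "md5_years": years_to_exhaust(keyspace, md5_rate, nodes),
        "kdf_years": years_to_exhaust(keyspace, kdf_rate, nodes),
    }
```

The absolute numbers depend on the hardware, but the ratio does not: the KDF figure is larger by the measured slowdown factor, typically tens of thousands. Raising the iteration count (or switching to a memory-hard KDF) shifts the work onto the attacker's thousands of nodes, which is the lever the service operator controls.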
Misdirected Attack Source: This one is fairly simple. By using a remote desktop or login, and in turn, using that system to remote into another system, and so on, the source of a hack becomes more and more difficult to trace. Particularly if the governments of the various host countries don’t exactly get along. Each machine in the chain has its logs erased as well, making the exact nature of the activity more difficult to pinpoint. It isn’t impossible to trace the source of such an attack if everyone involved cooperates. But it’s a time-consuming process that involves technical prowess and diplomacy. Consider how the Tor browser operates, only knowing the ingress and egress nodes of a packet and nothing further up or down the line, and you’ll have some idea of how this can work.
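The log erasure on each hop in the chain is what makes attribution slow, so a defender wants logs that cannot be quietly trimmed. Here is an added example (not code from the original chapter) of a tamper-evident log: every entry carries a sequence number and an HMAC that covers the previous entry's tag, and the latest tag is also kept by a remote collector. Removing an entry from the middle breaks the chain, rewriting an entry breaks its tag, and wiping the tail is caught by comparing against the collector's copy, which is the one case a purely local check cannot detect. The key, events and hostnames are constructed for the demo.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Constructed demo key. In practice the key lives with the remote collector, not on the host.
KEY = b"constructed-demo-key"


def _body(seq, prev, record):
    """Canonical bytes covered by an entry's tag."""
    return json.dumps({"seq": seq, "prev": prev, "record": record}, sort_keys=True).encode()


def append_entry(log, record, key=KEY):
    """Append a record; its tag covers the previous tag, so removed entries leave a gap."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    tag = hmac.new(key, _body(seq, prev, record), hashlib.sha256).hexdigest()
    log.append({"seq": seq, "prev": prev, "record": record, "tag": tag})
    return tag


def verify_log(log, key=KEY, expected_head=None):
    """Walk the chain; expected_head is the last tag as received by the remote collector."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain broken at entry {i} (seq {e['seq']})"
        want = hmac.new(key, _body(e["seq"], e["prev"], e["record"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(e["tag"], want):
            return False, f"tag mismatch at seq {e['seq']}"
        prev = e["tag"]
    if expected_head is not None and prev != expected_head:
        return False, "log truncated: head does not match the collector's copy"
    return True, "ok"


# Constructed events resembling a login that pivots onward through this host.
SAMPLE_EVENTS = [
    {"event": "sshd.login", "user": "ops", "src": "203.0.113.7"},
    {"event": "process.exec", "user": "ops", "cmd": "ssh next-hop.example"},
    {"event": "sshd.logout", "user": "ops"},
    {"event": "cron.run", "job": "logrotate"},
]


def build_sample_log():
    log = []
    for rec in SAMPLE_EVENTS:
        append_entry(log, rec)
    return log


def scenarios():
    """Verify the intact log and four tampered copies; returns {name: (ok, reason)}."""
    log = build_sample_log()
    head = log[-1]["tag"]  # copy held off-box by the collector

    edited = copy.deepcopy(log)
    edited[1]["record"]["cmd"] = "ls"  # rewrite the pivot command in place

    return {
        "intact": verify_log(log, expected_head=head),
        "erased_middle": verify_log(log[:1] + log[2:], expected_head=head),  # pivot entry removed
        "truncated": verify_log(log[:-1], expected_head=head),               # tail wiped
        "truncated_no_collector": verify_log(log[:-1]),                      # nothing to compare against
        "edited": verify_log(edited, expected_head=head),
    }
```

`scenarios()` returns a passing result only for the intact log and for the truncated log checked without the collector's head, which is the point: a hash chain alone proves nothing about what came after the last surviving entry, so the head has to be shipped off the host as it is produced.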
Service Spoofing: By pretending to offer a service such as DNS, routing, or even posing as a reliable clock, botnets can take advantage of people who mistakenly trust them to actually provide those services. In reality, these nodes of a botnet are performing mass information gathering, collecting as much network-identifiable information as possible. This might be to fingerprint future victims, or to establish a legitimate activity that they can later switch to something far less ‘helpful’. Seeding the Internet with false DNS and routing information can be advantageous if done at exactly the right time and supported by other hacking efforts.
Propaganda and Counterintelligence: Spam is one of the most common uses of botnets, so why shouldn’t governments get in on that action? Using nodes as mail exchanges, clients, and auto-responders is one way to spread rumors and malware throughout the world. The same sort of operation can be set up on social media, using distributed accounts. Rarely, these kinds of nodes can serve the same purpose as a ‘numbers station’, carrying encrypted information for those who know exactly how to look at a particular website or message.
Storage and Data Plants: Storing fragments of a message across a botnet, or simply storing entire encrypted files, is certainly a possibility. Illicit botnet storage has been around, at least somewhat commonly, for a decade. Also, creating a patsy by loading up a compromised system with incriminating evidence is within the realm of possibility, before disassembling that fragment of the botnet and removing all traces of tampering from the system.
Crypto Mining: Like any other botnet, idle time is the enemy. If the processors and GPUs are otherwise idle, the key is to make profitable use of those available cycles. With a botnet of thousands of nodes, a government agency could build up ‘off the books’ funding for various secret projects. This currency would be damn near untraceable. Intelligence agencies have invited experts in the past to talk about the process. So it’s not beyond the realm of possibility.
The State of Botnets in the 2020s
The hottest thing that was going on in early October of 2021 was the infamous Meris botnet. Powered by Internet of Things (IoT) devices, Meris might have been the fastest-growing botnet the world had ever seen. Though currently, Meris nodes are largely in private hands, it would be rare for world governments to ignore such a successful new technology. But at this point, there’s no evidence to say that any major government is involved.
Also in the early 2020s, Emotet was taken down by Europol and U.S. law enforcement with the cooperation of multiple governments. The highly successful botnet suffered a setback as eight countries banded together to take out a large portion of its operational capacity. Again, unless it’s a cover-up by one or more of these countries, it’s unlikely that any major governments were involved in running this botnet.
As of 2023, the United States, China, and Russia were the number one, two, and three countries for botnet hosting. Hosting in EU countries is falling, though nearly a dozen nations are still sitting in the top 20 for geolocation.
Tencent and Alibaba are the number one and two registrars for domain names used in conjunction with the scams that these botnets inevitably bring. But the little companies that have much more lax security and automation add up, and North America is the source of around 60% of the most abused domain registrars in the world.
Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.