Russian botnet has infected millions of devices around the world, including in San Diego

A Russia-based cybercrime organization that hacked into millions of electronic devices around the world and sold their internet identities to other criminals has been disrupted in a joint law enforcement operation that spanned the United States, Europe and the United Kingdom, the U.S. Attorney’s office in San Diego said Thursday.

The office said the target of the investigation, a botnet known as RSOCKS, was dismantled as a result.

The victims confirmed so far, including at least six in San Diego County, range from large public and private entities — including a university, hotel, television studio and electronics factory — to home businesses and individuals, according to investigators. None of them have been publicly identified.

The authorities did not announce any arrests and did not name the suspects associated with the operation. However, details of the investigation, which began in 2016, were laid out in a search warrant affidavit disclosed in San Diego federal court Thursday.

The botnet — a network of infected devices, or “bots,” working together, usually for malicious purposes — hacked everything from smart garage door openers to routers to audio/video streaming devices to Android phones to computers. Then, RSOCKS stole each device’s unique Internet Protocol, or IP, address and offered it to other cybercriminals, who used the identifiers to disguise their nefarious activities, according to investigators.

From RSOCKS online storefronts – which cater to English and Chinese speakers on various websites – cybercriminals can rent access to stolen proxy IP addresses for days, weeks, or months at a time. Access to a group of 2,000 proxies might cost a criminal user $30 per day, or $200 per day for 90,000, the search warrant states.

With their digital fingerprints now hidden, these criminals have committed a range of cyberattacks — from widespread attempts to gain access to accounts using stolen usernames and passwords to sending malicious emails to hack social media accounts, according to investigators.

The true scope of the criminal activity launched around the world through the pool of proxy IP addresses is unknown. On Thursday, authorities did not present any specific cases of cybercrime related to RSOCKS.

Undercover FBI agents in 2017 gained access to the RSOCKS system, which at the time was advertising to its clients about 325,000 stolen proxies available worldwide, according to the search warrant. Within weeks, agents identified at least 75,000 unique compromised victim devices, with “many” located in San Diego County and other parts of Southern California.

Agents questioned 12 victims. Two of the victims told investigators that their ISPs had previously reported bot activity on their IP addresses. Several victims said that they noticed performance issues with their devices but could not figure out why.

Three victims cooperated with the FBI by allowing agents to replace their hacked devices with computers controlled by law enforcement that can track bots. Investigators said RSOCKS quickly infected all three.

Agents were able to determine that RSOCKS used brute force attacks – a trial-and-error method that uses automated software to guess passwords and other user data – to initially gain access to victim machines. Then the botnet maintained constant contact with the devices.

The web hosting for the storefront was traced to an Internet service provider based in West Palm Beach, Florida, according to the search warrant. It was not immediately clear whether the company was involved in the investigation.

The U.S. Attorney’s Office said the Justice Department’s investigation was aided by law enforcement agencies in Germany, the Netherlands and the United Kingdom, as well as Black Echo, a private sector cybersecurity firm.