
Google’s disruption rips millions of devices out of malicious proxy network

The actions impaired some of IPIDEA’s proxy infrastructure, but not all of it. The effort underscores the back-and-forth struggle of taking out pieces of cybercriminals’ vast and growing infrastructure.

Millions of devices used as proxies by cybercriminals, espionage groups and data thieves have been removed from circulation following Google’s disruption of IPIDEA, a China-based residential proxy network. The reduction in available proxy devices came after Google’s Threat Intelligence Group used legal action and intelligence sharing to target the company’s domain infrastructure, Google said in a blog post Wednesday. 

Google’s action, aided by Cloudflare, Lumen’s Black Lotus Labs and Spur, impaired some of IPIDEA’s proxy infrastructure, but not all of it. The coordinated strikes underscore the back-and-forth struggle threat hunters face when they take out pieces of cybercriminals’ vast and growing infrastructure.

Initial data indicates IPIDEA’s proxy network was cut by about 40%.

“We have still seen around 5 million distinct bots communicating with the IPIDEA command and control servers, so as of now they are still able to operate with a large volume of proxies,” Chris Formosa, senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, told CyberScoop Thursday.


Lumen was tracking a daily average of about 8.5 million proxies connecting to IPIDEA’s servers before some of its domains were taken offline this week. “The true population was likely closer to 10-11 million, but we could only see 8.5 million of them with our visibility,” Formosa said.

Google researchers discovered a cluster of seemingly independent proxy and virtual private network brands controlled by IPIDEA. Google also found several IPIDEA-owned domains supporting software development kits (SDKs) that embed residential-proxy functionality into existing applications.

Developers who add these SDKs to their apps are paid by IPIDEA, typically on a per-download basis. “These SDKs are the key to any residential proxy network—the software they get embedded into provides the network operators with the millions of devices they need to maintain a healthy residential proxy network,” Google said in the report.

Residential proxy networks can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

“The residential proxy industry appears to be rapidly expanding, and GTIG’s research indicates that the vast majority of its growth is fueled by malicious use,” Charley Snyder, senior manager at GTIG, told CyberScoop. “GTIG found that these proxies are overwhelmingly misused by bad actors.”


Researchers said many service providers package proxy malware into software that users download, and that those users unwittingly allow proxy networks to hijack their bandwidth to obscure cybercrime.

Earlier this month, Google said it observed more than 550 distinct threat groups, including some from China, North Korea, Iran and Russia, using IP addresses tracked as IPIDEA exit nodes during a seven-day period. According to Google, these threat groups used the proxies to access victim cloud environments and on-premises infrastructure and to launch password-spray attacks.
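The password spraying Google attributes to IPIDEA exit nodes is what makes a residential proxy dangerous to a defender: the attacker spreads a handful of guesses per account across thousands of consumer IPs, so any per-IP threshold stays quiet. The following is an added example, not code from Google, GTIG or this article. It assumes a constructed key=value authentication log format, uses RFC 5737 documentation addresses as a stand-in for an exit-node feed (not real IPIDEA ranges), and shows why collapsing every known exit node into one scoring bucket catches a spray that per-IP scoring misses.

```python
"""Flag password sprays sourced from known residential-proxy exit nodes.

Added example. PROXY_EXIT_NODES and SAMPLE_LOG are constructed for
illustration; a real deployment would load the exit-node list from a
threat-intelligence feed and read events from the identity provider.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for an exit-node feed (RFC 5737 documentation ranges).
PROXY_EXIT_NODES = [
    ip_network("203.0.113.0/26"),
    ip_network("198.51.100.77/32"),
]

# Constructed log: a spray spread over four proxy exits (1-2 users each),
# one legitimate user who mistyped a password, and a plain brute force
# against a single account from a non-proxy address.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z auth FAIL user=alice src=203.0.113.5
2025-05-01T10:00:02Z auth FAIL user=bob src=203.0.113.5
2025-05-01T10:00:03Z auth FAIL user=carol src=203.0.113.6
2025-05-01T10:00:04Z auth FAIL user=dave src=203.0.113.6
2025-05-01T10:00:05Z auth FAIL user=erin src=203.0.113.7
2025-05-01T10:00:06Z auth FAIL user=frank src=203.0.113.7
2025-05-01T10:00:07Z auth FAIL user=heidi src=198.51.100.77
2025-05-01T10:01:00Z auth FAIL user=grace src=192.0.2.10
2025-05-01T10:01:05Z auth OK user=grace src=192.0.2.10
2025-05-01T10:02:00Z auth FAIL user=admin src=192.0.2.55
2025-05-01T10:02:01Z auth FAIL user=admin src=192.0.2.55
2025-05-01T10:02:02Z auth FAIL user=admin src=192.0.2.55
2025-05-01T10:02:03Z auth FAIL user=admin src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    result: str
    user: str
    src: str


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(**m.groupdict()))
    return events


def is_proxy_exit(src):
    """True when src falls inside a known exit-node range; unparsable -> False."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in PROXY_EXIT_NODES)


def detect_spray(events, min_users=5, max_fails_per_user=2, pool_proxies=True):
    """Return {bucket: sorted usernames} for buckets whose failures look like a
    spray: many distinct accounts, each tried only a few times.

    With pool_proxies=True every exit-node source shares one bucket, so a
    spray distributed across the proxy pool is scored as a single actor.
    """
    fails = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.result != "FAIL":
            continue
        key = "proxy-pool" if pool_proxies and is_proxy_exit(ev.src) else ev.src
        fails[key][ev.user] += 1

    findings = {}
    for key, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
            findings[key] = sorted(per_user)
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP scoring:", detect_spray(evs, pool_proxies=False))
    print("pooled scoring:", detect_spray(evs, pool_proxies=True))
```

Per-IP scoring returns nothing for this log: each exit node touches only two accounts and the brute force against `admin` fails the low-attempts-per-user test. Pooling the exit nodes surfaces a seven-account spray. The thresholds are illustrative; tune them to your tenant's baseline, and treat the exit-node feed as perishable, since the article itself notes that only part of the pool was taken down.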

Security teams and cyber authorities are placing more attention on the systems and scaffolding that support cybercrime, effectively trying to squeeze resources and place additional pressure on their activities.

“By targeting the tools criminals use rather than just the criminals themselves, defenders can impose significant costs on the ecosystem in a way that can’t easily or quickly be regenerated,” Snyder said. 

Google’s actions severed the command-and-control links between operators and millions of devices, and took down storefronts, negating the investments IPIDEA made to gain brand awareness and traction, he added. 


While Google took a big bite out of IPIDEA’s infrastructure, the fight against the company and others continues. 

“This is a very complex ecosystem with dozens, if not hundreds, of brands and shell entities,” Snyder said. “While our disruption is significant, this ecosystem is built on anonymity and shared resources. They’ve survived takedowns before, so we are pleased by the progress we’ve made but know there is more to do.”
