How Hackers Found a Back Door Into the American Living Room

The discovery that millions of digital home devices are secretly powering dangerous cyberattacks began with a phone call more than two years ago from a top Microsoft security executive to his counterpart at Comcast.

What Comcast found has rocked the cybersecurity world and taken years to unravel

The tech giant was investigating a digital break-in the company had linked to one of the most capable cybersecurity foes in the world and needed information on six IP addresses, the internet’s equivalent of a phone number.

Following that trail, Comcast investigators discovered that Midnight Blizzard, a hacking group linked to Russia’s Foreign Intelligence Service, had managed to access emails belonging to Microsoft’s senior leadership by using consumer internet connections to mask nefarious traffic.

What Comcast found has rocked the cybersecurity world and taken years to unravel: More low-cost consumer devices have shipped into the U.S. with backdoor software pre-installed, and this software is also being sneaked into mobile apps and pirated copies of videogames.

The software has turned tens of millions of consumer devices into criminal cloud-computing networks. These networks aren’t only used for fraud; they have also been adopted by government-backed hackers looking to hide their connections to countries such as Russia, China, Iran and North Korea.

Called residential proxy networks, these services let anyone who pays steer their internet traffic through an outside address. It’s like an Airbnb for internet access. Not all users of these networks are criminals, but government and industry officials say residential proxy networks have ballooned in scale and risk in recent years. The Digital Citizens Alliance, a digital advocacy group, estimates that there are 20 million of these backdoors in the U.S. alone.

“This is a bigger problem because of the sheer numbers,” said Noopur Davis, Comcast’s head of information security. It is one of the most worrying problems the telecommunications company has seen, she said.


Residential proxy networks are now a go-to resource for nation-state hackers, who use them as a conduit to U.S. targets, said Brett Leatherman, assistant director of the Federal Bureau of Investigation’s Cyber Division. “If the actors can get U.S.-based IP space, they have a leg up in being able to target government agencies, industry, and others,” he said.

In April, government agencies from nine countries, including the U.S., U.K., Germany and Japan, warned that state-sponsored Chinese hackers were using networks of hacked consumer devices to conduct their operations, “making it challenging to attribute malicious activity,” according to a joint statement.

China’s state-sponsored hackers used to cover their tracks by hacking the consumer devices themselves, but that has changed, Leatherman said.

Comcast’s investigation began in February 2024. It started with a phone call to Davis from her counterpart at Microsoft, Igor Tsyganskiy, who wanted to know more about the six Comcast IP addresses.

Comcast’s investigators eventually discovered that the IP addresses Tsyganskiy had handed over belonged to customers who were on a residential proxy network run by a Chinese provider named IPidea, Davis said.

IPidea has used a number of sneaky methods to get its software installed on consumer devices, including having its software preloaded on video streaming boxes and digital picture frames. The company then rents out access where its software is installed so that its customers can bounce their internet traffic through a different home network.

It could let a user in Moscow bounce through a home network in Bellingham, Wash., for example. And that’s the kind of capability that nation-state hackers like Midnight Blizzard rely on for their attacks to work.

As Comcast engineers pulled on the threads, they realized that these six IP addresses were part of a massive network of about 750,000 IP addresses located in homes and businesses.

Comcast engineers had known that internet-connected devices were vulnerable to cyberattacks, but here was something different. It was a back door into America, operating at an industrial scale.

By September, Comcast had discovered that users of these residential proxy networks were able to gain access to networks—even those running firewalls—and then jump from one device to another.

For a home user, that meant that an infected video-streaming device could be used to hack into someone’s mobile phone. If that phone found its way to a bring-your-own-device corporate network, this could put confidential information at risk.

“It was such a step change from any threat we’d seen before,” said Comcast’s Davis.

In January, Google dismantled IPidea’s infrastructure, using a U.S. court order. The residential proxy network was back in operation within two weeks. It likely picked up more residential proxy devices from a new provider, Comcast said.

Modern hackers increasingly use these networks to steal the login credentials their victims use for cloud-computing services, said Adam Meyers, a senior vice president with the cybersecurity firm CrowdStrike. “Identity is their bread and butter, and one of the infrastructure pieces that they’re dependent on is residential proxies,” he said.

Recently, Midnight Blizzard has begun using residential proxy networks for a new type of identity-based attack that is extremely difficult to detect, according to Volexity, a cybersecurity investigation firm.

Over the past year, Russian hackers have stolen Microsoft 365 credentials from victims as part of a sneaky and extremely hard-to-stop technique that involves bogus Microsoft Teams meetings, Volexity said.

Microsoft’s servers would ring alarm bells if the Russians tried to log in to victim accounts from overseas. Instead, they use residential proxy networks to log in from U.S. home networks, said Steven Adair, Volexity’s president.

Volexity’s researchers have seen this technique compromise organizations in government, military, foreign affairs and even the news media, Adair said. “They’re no longer trying to phish your password,” he said. “It’s hard to detect and it’s hard to stop.”
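As an added illustration that is not part of the article, the Python sketch below contrasts the geography-only sign-in rule the story describes with a rule that also checks residential-proxy address space and device familiarity; the IP ranges, user and sign-in records are constructed placeholders, and a real deployment would take the proxy ranges from a threat-intelligence feed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder ranges standing in for a threat-intel feed of
# residential-proxy exit addresses (RFC 5737 documentation space, not real).
RESIDENTIAL_PROXY_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class SignIn:
    user: str
    src_ip: str
    country: str    # geolocation of src_ip
    device_id: str  # device or cookie identifier presented at sign-in


def country_only_alert(event: SignIn, home_country: str = "US") -> bool:
    """The geography-only rule: alert only when the sign-in comes from abroad."""
    return event.country != home_country


def proxy_aware_alert(event: SignIn, known_devices: dict, home_country: str = "US") -> list:
    """Return the reasons this sign-in looks suspicious; an empty list means clean."""
    reasons = []
    if event.country != home_country:
        reasons.append("foreign-country")
    src = ip_address(event.src_ip)
    if any(src in net for net in RESIDENTIAL_PROXY_RANGES):
        reasons.append("residential-proxy-range")
    if event.device_id not in known_devices.get(event.user, set()):
        reasons.append("unknown-device")
    return reasons


# Constructed sample sign-ins: a normal one, a blatant foreign one, and one that
# arrives from a U.S. residential-proxy address on a device never seen before.
KNOWN_DEVICES = {"alice": {"laptop-01"}}
EVENTS = [
    SignIn("alice", "192.0.2.10", "US", "laptop-01"),
    SignIn("alice", "192.0.2.200", "RU", "unknown-7f"),
    SignIn("alice", "198.51.100.44", "US", "unknown-3a"),
]


def compare_rules(events=EVENTS, known_devices=KNOWN_DEVICES) -> dict:
    """Map each source IP to (country-only rule fired, proxy-aware reasons)."""
    return {e.src_ip: (country_only_alert(e), proxy_aware_alert(e, known_devices)) for e in events}


if __name__ == "__main__":
    for ip, (geo_fired, reasons) in compare_rules().items():
        print(f"{ip}: country-only={geo_fired} proxy-aware={reasons}")
```

The third sign-in is the case the article describes: the geography rule stays silent because the address is a U.S. home connection, while the proxy-aware rule still flags it.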

Write to Robert McMillan at robert.mcmillan@wsj.com
