Last month, three men pleaded guilty to creating the Mirai botnet, in which hundreds of thousands of connected digital video recorders, routers and cameras were used to launch a massive DDoS attack against the domain name services company Dyn for an entire afternoon in October 2016. It took down some of the busiest websites in the world, including Airbnb, Salesforce and The Financial Times, particularly disabling access for users in the US.
There were fears that a nation state was launching the attacks, but as the sentencing happened in the Alaskan courtroom last month, it became clear that the brains behind Mirai were a 21-year-old Rutgers college student from New Jersey, Paras Jha, and two of his college-age friends, Josiah White, 20, of Washington, Pennsylvania, and Dalton Norman, 21, of Metairie, Louisiana.
All three were charged with conspiracy to violate the Computer Fraud and Abuse Act by the US Department of Justice. The DoJ said the defendants had deliberately sought out vulnerabilities to allow them to take over the IoT devices to form a botnet in order to carry out the powerful DDoS attacks.
The defendants said they were initially just trying to gain an advantage in the computer game Minecraft, not trying to crash huge swathes of the Internet. However, as they realized the power of their DDoS abilities, their motivation shifted. According to court documents, the primary drive behind creating Mirai was to build “a weapon capable of initiating powerful denial-of-service attacks against business competitors and others against whom White and his coconspirators held grudges.” They began to challenge themselves to grow the botnet as much as possible.
The defendants claimed to be surprised themselves by the strength of the botnet they created. “They didn’t realize the power they were unleashing,” FBI supervisory special agent Bill Walton told Wired. “These kids are super smart, but they didn’t do anything high level—they just had a good idea,” Walton said. “It’s the most successful IoT botnet we’ve ever seen—and a sign that computer crime isn’t just about desktops anymore.”
Researchers determined that Mirai infected almost 65,000 devices in its first 20 hours, doubling in size every 76 minutes, and eventually reached a sustained population of between 200,000 and 300,000 infected devices. Mirai targeted devices in Southeast Asia and South America, in particular Brazil, Colombia, Vietnam and China.
Jha and Norman also pleaded guilty to carrying out an ad fraud scheme, generating revenue by spoofing clicks on digital ads and infecting mainly US-based computers to do so, for a full year from December 2016. In addition, Jha pleaded guilty to attacking Rutgers University networks, launching multiple DDoS attacks against the main login portal and forcing it offline, between November 2014 and September 2016.
Furthermore, the DoJ said that following the initial attacks on Dyn last fall, Jha posted the source code for Mirai online in a criminal forum, which allowed it to be widely propagated.
“We must guard against the threats posed by cybercriminals that can quickly weaponise technological developments to cause vast and varied types of harm,” said General John Cronan, acting assistant attorney general.
According to court documents, Mirai was particularly dangerous because it could target an entire range of IP addresses – not just a single website or server – meaning it could crush a company’s entire network. At the scale at which Mirai operated, nearly all traditional DDoS mitigation techniques collapsed.