At the end of last year, the FBI filed charges against the creators of Mirai, the botnet behind the largest DDoS attack of its kind, which struck the DNS provider Dyn in October 2016 and took down the sites of some of the largest companies in the U.S., including Twitter, CNN and Netflix, for a substantial portion of the day.
As the U.S. presidential election was taking place the following month, fears grew that a nation state was behind the attack. Ultimately, the three men charged were all U.S. born: Paras Jha, 21, a Rutgers college student from New Jersey; Josiah White, 20, from Washington, Pennsylvania; and Dalton Norman, 21, from Metairie, Louisiana.
The FBI’s investigation into who was behind the huge botnet took agents into the underground DDoS market. Once they had solved the case, they realized that the perpetrators had already started a new scheme, inventing a previously unknown business model for digital crime and highlighting even greater botnet threats on the horizon.
When Mirai came into the public eye, FBI special agent Elliott Peterson was working with a multinational investigative team on a case involving two teens running a DDoS-for-hire service called vDOS. They were using the massive vDOS botnet to offer a booter service aimed at helping gamers knock rivals offline. Its customers paid small amounts, typically $5 to $50, to rent small-scale denial-of-service attacks through an easy-to-use web platform.
Peterson and his fellow investigators began to hear rumors about a new botnet, one that would eventually dwarf vDOS in size. “From the initial attacks, we realized this was something very different from your normal DDoS,” Doug Klein, Peterson’s investigative partner, told Wired. The Mirai operators were crossing the 100,000-bot threshold, which others had been unable to do. It turned out that the attackers themselves were later surprised by the force of the Mirai botnet, which infected almost 65,000 devices in its first twenty hours and at its peak enslaved up to 600,000 devices from around the world. “Mirai was an insane amount of firepower,” Peterson says; it “was the first botnet I’ve seen that hit that existential level” of a threat to the Internet itself.
Prior to the DDoS attack against Dyn, there were two other attacks using the Mirai botnet. The first was a set of crushing DDoS attacks against the French hosting provider OVH in September 2016, which hit OVH at around 901 gigabits per second (until that point, a large DDoS attack was thought to be 10-20 Gbps). The second took place days later against a high-profile technology target: security reporter Brian Krebs. Krebs’ website, Krebs on Security, was knocked offline for four days by an attack that peaked at 623 Gbps. Krebs’ long-time DDoS mitigation partner, Akamai, said it was dropping its defense of his site because it was so expensive. The Krebs incident worried the FBI, as it seemed likely to be retribution for an article Krebs had published several days earlier about a different DDoS-mitigation firm that he believed was engaged in disreputable practices. “This is a strange development—a journalist being silenced because someone has figured out a tool powerful enough to silence him,” Peterson says. “That was worrisome.”
Network companies such as Akamai assisted in the investigation, building online honeypots that emulated hackable devices in order to observe how infected “zombie” devices communicated with Mirai’s C&C servers. As Peterson and his team studied the attacks, they noticed that many of the Mirai attacks seemed to target gaming servers, in particular Minecraft.
Around 55 million people play Minecraft each month, and there are as many as one million online at any time. As Peterson and Klein examined the economy behind Minecraft, reviewing financial records and interviewing the hosts of its servers, they began to see how lucrative a popular, well-run Minecraft server could be, with some operators making up to $100,000 a month. Figures like these were spawning a cottage industry of DDoS-for-hire services aimed at competitors’ servers, intended to lure players away from rivals slowed by the attacks, along with DDoS mitigation services specifically aimed at protecting Minecraft servers. Klein says the digital arms race in DDoS is absolutely tied to Minecraft.
Moreover, the initial Mirai attack against OVH was launched because OVH offered Minecraft DDoS-mitigation tools to key Minecraft servers. “They just got greedy—they thought, ‘If we can knock off our competitors, we can corner the market on both servers and mitigation,’” FBI supervisory special agent Bill Walton says.
Once the FBI had made the connection to Minecraft, they began to see links between it and Mirai everywhere. Following the OVH attacks, the botnet had hit ProxyPipe.com, a San Francisco-based company that specializes in DDoS mitigation for Minecraft servers.
“Mirai was originally developed to help them corner the Minecraft market, but then they realized what a powerful tool they built,” Walton says. “Then it just became a challenge for them to make it as large as possible.”
On September 30, 2016, the maker of Mirai posted the malware’s source code to Hack Forums, intending to deflect suspicion from himself if he were caught. This led to many Mirai copycat attacks, including the attack on Dyn in October 2016, the biggest of them all. As the attacks grew in number, the FBI worked with private-industry researchers to watch DDoS attacks as they happened and track where the hijacked traffic was directed, which helped them and private industry mitigate the attacks in real time. The post-Mirai attacks grew in scale and number, putting huge pressure on the FBI team working the case.
Elliott Peterson transferred back to his home state of Alaska two years ago, where he joined the FBI’s smallest cyber squad: four agents, headed by Walton, a longtime Russian counterintelligence agent, with Klein, a former UNIX systems administrator, as Peterson’s partner. The team specializes in DDoS attacks and botnets; however, before they could pursue the Mirai case as an international one, they first had to prove that Mirai existed within Alaska. To establish grounds for a criminal case, the squad located infected IoT devices with IP addresses across Alaska, then issued subpoenas to the state’s main telecom company, GCI, to obtain a name and physical location for each. Agents then interviewed the owners of the devices to establish that they did not know their devices had been taken over by the botnet. The agents seized some of the devices, plugged them back in and waited for them to be re-infected by Mirai. Once this happened, the team traced the botnet’s links back to the main Mirai control server; with the help of court orders, they were then able to track down the email addresses and cell phone numbers associated with those accounts.
The FBI began to zero in on particular suspects by the end of 2016. Agents dubbed the eventual culprits the “Cub Scout Pack”. Brian Krebs publicly accused Jha and White in January 2017. Jha’s family initially proclaimed his innocence; however, in December 2017, he, White and Norman pleaded guilty in the Anchorage court to conspiracy to violate the Computer Fraud and Abuse Act, the government’s main criminal charge for cybercrime. The three defendants await sentencing in Alaska and New Jersey, but the Mirai plague they unleashed lives on.