Millions of people living in the eastern U.S. woke up on a Friday morning in October to find large parts of the internet not working. No Twitter. No Netflix. No Spotify. The issue, as we later learned, was an ominous new kind of cyber attack, where “smart” household devices were marshalled into a zombie army capable of choking critical infrastructure of the web. It was the biggest distributed denial of service (DDoS) attack in history.
We were also told that given the ubiquity of these internet-connected devices — web cameras and “smart” household items of all sorts, largely made in China and shipped to the States by the boatload — this type of attack would only grow more frequent and worse.
Since then, the world’s leading cybersecurity experts have been following clues to track who is responsible. They’ve come to a disturbing conclusion: the biggest DDoS attack in history was probably not caused by a state-sponsored actor, organized crime, terror groups, or anyone with a geopolitical or financial motive. So who’s left?
“Kids,” Mikko Hypponen, chief research officer with security firm F-Secure said. “Kids who have the capability and don’t know what to do with it.”
“The source code that was released could have been written by a high school student, a smart high school student, but a high school student nonetheless,” security expert Rob Graham said after examining the malware used in the attacks. “It wasn’t particularly sophisticated.”
The attack was carried out using the Mirai malware — a malicious piece of software designed to hack hardware — that had been posted on a hacking forum for anyone to use. The hackers were able to infect millions of smart devices to work together as an army of zombie computers — known as a botnet — capable of firing huge amounts of internet traffic at servers, which overwhelmed them and knocked them offline.
The target this time was Dyn, one of the world’s leading Domain Name System (DNS) providers. These companies operate as the phonebooks of the internet, connecting users to the servers hosting the websites they visit. Despite the critical nature of Dyn’s infrastructure, the attack was so huge — reportedly 1.2 terabits per second — the company was unable to prevent its customers from being affected.
What set this attack apart from other DDoS attacks is the apparent ease with which it was carried out and the critical importance of the service which it knocked offline.
Dyn said it cannot reveal any details about the source of the attack or the identity of the attackers because of an ongoing law enforcement investigation.
But Flashpoint, a security company which has been monitoring this attack from the start, agreed with Hypponen and Graham.
“The technical and social indicators of this attack align more closely with attacks from the Hackforums community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation-states, and terrorist groups,” the director and two other employees wrote on their site.
Hackforums is an online community where hackers chat, share tools, and offer their services in exchange for money. It was here that a hacker known as Anna Senpai posted the source code to the malware used to compromise hundreds of thousands of “Internet of Things” (IoT) devices across the globe.
As a demonstration of just how powerful these attacks can be, security researcher Kevin Beaumont revealed that the people behind these botnets have been attempting to knock an entire country offline this week.
— Kevin Beaumont (@GossiTheDog) November 3, 2016
Liberia has a single submarine cable connecting it to the internet, and one of the botnets created with the Mirai malware has been consistently flooding it with traffic to repeatedly knock it offline for short periods of time.
Beaumont calls the group behind the Liberia attack Shadow Kills, in reference to a mocking message the attackers sent to the researcher.
While financial gain can motivate script kiddies, typically selling access to their botnets, just as often, they execute attacks such as these to show off or cause disruption and chaos for sport.
That happened two years ago, when a group of hackers called Lizard Squad attacked the PlayStation Network and Xbox Live, causing a lot of problems for Sony and Microsoft by knocking the networks offline for long periods of time.
Just this week in the U.K., a teenager who, at just 15, created a tool to easily carry out DDoS attacks on any website, pled guilty after the police claimed the tool had been used in 1.7 million attacks.
While security experts may call the method of attack on Dyn unsophisticated, the company holds a different view. Chief strategy officer Kyle York said the attack was “complicated, multi-layered, unprecedented, and more distributed than your average attack.”
In fact, he called that Friday “the proudest day in the company’s history” because of the way the engineers mitigated an attack of this size.
The success of the attack also took many in the industry by surprise. “I think it is remarkable that the attack was so successful against Dyn, considering the track record the company has,” Hypponen said.
Aside from the outcome, the fact that the attack leveraged the power of millions of unsecured devices connected directly to the internet — products like CCTV cameras, routers, and DVRs — is part of a worrying trend.
In September a similar, but separate, army of zombie devices created by the Mirai malware attacked the website of Brian Krebs, an investigative journalist. Since then, others have used the source code multiple times to create their own botnets, some of which were used in the attack on Dyn.
In the wake of the high-profile attack on Krebs, multiple members of Hackforums offered access to Mirai botnets for as little as $3 a time. Anyone who hires the botnet can name their target, and the hacker will turn his zombie army in that direction, with the aim of knocking the website offline for a period of time.
Hackforums administrator Jesse LaBrocca, worried about the negative attention the attack brought on his website, shut down the section selling those services.
“Unfortunately once again the few ruin it for the many,” LaBrocca wrote.
The problem facing those who control the backbone of the internet is that if a group of script kiddies can knock large portions of the web offline with such a simple attack, what’s next?
Unfortunately, there’s no easy fix for the problem. The vulnerable devices contain little-to-no security, often using default usernames and passwords hardwired at the factory. And the companies that make them — mostly based in China — have little incentive to make them more secure because of a lack of regulation forcing them to do so. Lastly, consumers, typically concerned with price, design, and color when buying a new product, don’t care enough about security to ask the salesman if their shiny new fridge is secure — even though the device may connect to their wifi and pose a significant security risk.
Just this week, another major flaw in IoT devices was revealed when researchers showed how a vulnerability in wireless technology used in smart devices like lights, switches, locks, and thermostats could be exploited to take control of those devices.
“This means that the vendors building these things invest the minimum amount of money possible because it is not a selling point, and this is unlikely to change,” Hypponen said.
With millions of these devices connected to the internet every week, the problem will only grow. And while it may make for lots of fun for script kiddies, for the rest of us, it’s very worrying.