Let’s imagine, just for a moment, that you are a late adolescent who, with two friends, developed one of the most powerful pieces of malware in recent memory. That code would go on to shut down a portion of the internet in the United States, knock almost an entire African country’s internet infrastructure offline, and take down internet services at a major university.
And then, let’s say you get caught. What do you think might happen? What kind of punishment might get meted out?
If you are familiar with the storyline, you have probably noticed that this broad outline is a reference to the Mirai botnet. But if you haven’t followed the aftermath of that cyberattack closely since it struck in late 2016, you may not have realized that all three creators of that malware received relatively light sentences, though the one who also turned the botnet on his university was separately ordered to pay millions in restitution.
In this article, we take a renewed look at the IoT security landscape, while also investigating the repercussions of Mirai, arguably still the most famous IoT security attack to date.
1. Who Is Behind IoT-based Botnets
On one end of the spectrum, children and 20-somethings routinely launch IoT-based distributed denial of service attacks. On the other end of the spectrum are elite nation-state actors. And, sometimes, the former becomes the pipeline for the latter. (More on that later.)
“There is a little bit in between” those poles of kids and nation-states, said Sara Boddy, director of F5 Labs. And, to be fair, script kiddies probably are undeserving of the hacker moniker. Following a list of instructions found on the internet to launch an attack, or merely renting a DDoS-for-hire service, doesn’t align with the use of the word “hack” to mean solving “a tech problem in a different, presumably more creative way than what’s outlined in an instruction manual,” as The New Yorker put it. But, if nothing else, the fact that children are launching IoT-based DDoS attacks is a reminder of just how easy such attacks are to carry out. In 2017, we wrote about a DDoS purveyor who was apparently 13 years old.
Mirai masterminds Paras Jha, Josiah White and Dalton Norman were somewhat older — between 18 and 20 years old when they developed the Mirai malware that would shut down portions of the internet in October 2016. At one point, the Mirai botnet infected hundreds of thousands of devices. One of the Mirai authors pasted its source code on Hackforums, which the FBI refers to as a “criminal forum.” Shortly after that, 30-year-old hacker Daniel Kaye used the code to launch an attack against a Liberian target. Much of the country’s internet infrastructure went offline as a result.
Kaye also is believed to have used the same botnet against German telco Deutsche Telekom, causing an outage affecting almost 1 million customers. While the details of Kaye’s technical proficiency are uncertain, he seems to have done much of his damage by accident. For instance, when attempting to enlist some 900,000 Deutsche Telekom routers into his botnet, he knocked that many customers offline instead. And when targeting an African phone company, Kaye accidentally knocked much of Liberia’s internet offline, according to media accounts.
The Kaye case shows how the decision to post the Mirai source code online democratized botnet attacks.
2. Elite Hackers Are Targeting IoT, Too
In August, Microsoft’s research division revealed that its security response center had uncovered a nation-state attack targeting IoT devices in several of its customers’ networks. The devices in question were a VoIP phone, an office printer and a video decoder. According to Microsoft, the attacker wasn’t targeting those devices for their own sake, but used them “to gain initial access to corporate networks.”
Nation-states are also building IoT-focused bots and compromising physical infrastructure to get “eyes and ears wherever they want,” Boddy said. “They could be friendly nation-states. Everybody has an interest in hearing what’s going on.”
In a similar vein, Politico reported earlier this month that cellphone surveillance devices known as “stingrays” were located near the White House, apparently installed by Israeli operatives.
At the other end of the spectrum are more-nefarious activities, such as a threat actor sabotaging routers and switches in the United States, or stealing trade secrets from factories or confidential information from military operations.
In terms of using IoT devices for reconnaissance, “all nations do it. We do it,” Boddy said. “The U.S. is actively compromising IoT devices around the world to gain more eyes and ears. It’s a very common spy tactic.”
3. The Pipeline for Nation-State Hackers Can Begin on the Dark Side
One of the many lessons from the Mirai botnet saga is that capable hackers can end up working with or for the government.
It is a common perception in the security community that young hackers with technical skill sets end up working for the government. “If a young Russian hacker does something bad, and gets discovered by the Kremlin, then, all of the sudden, they become part of the Kremlin. They become a Russian operative,” Boddy said.
The aftermath of the Mirai botnet, however, shows that the same principle can apply in the United States. Mirai creators Paras Jha, Josiah White and Dalton Norman ultimately did not receive jail time for their IoT botnet hijinks, and began collaborating with the FBI before they were sentenced. The three received five years of probation and 2,500 hours of community service, which, in this case, involves working for the FBI.
4. The Risk of “Double-Dipping”
One assumption – or in some cases observation – in places like Russia is that elite hackers end up serving the whims of their government.
One possible outcome of such an arrangement is that those hackers, after working for the government during the day, will take what they learn from the process to engage in cybercrime after hours. “That is a common perception across the industry that we know happens,” Boddy said.
There’s a risk of something similar happening in the United States. Returning to the Mirai example, the punishment for the three individuals behind the attack amounted to fines, probation and community service, and part of that community service is working for the FBI.
“I’m not saying that these kids are getting turned from hackers to FBI informants, and then they’re taking tools and using them after work,” Boddy said. “But what I am saying is that we have the same problem that [countries like Russia] do with young, talented kids that have capabilities of doing things like this. And in some cases, you can even argue it is a talent, right? If you can download a script from Pastebin and launch a couple of tools, I wouldn’t necessarily consider you a hacker. These are script kiddies pushing buttons. But either way, we have the exact same problem inside of our own borders. We do go after people and prosecute them, but it’s not as if we don’t have the same problem that the rest of the world does.”
5. Botnet Authors Often Have Immature Motivations
The author of Mirai named the botnet after Mirai Kuriyama, the heroine of the Kyoukai no Kanata anime series. That is only one example of the many botnets with anime-inspired names; Shinoa, Miori and Owari are others. One reason anime characters are so popular as names is the background of the attackers.
The online gamer community, much of which also has a keen appreciation of anime, helps fuel the modern DDoS industry. “Years ago, kids figured out that if they just DDoS each other’s gaming platform, they can increase their odds of winning,” Boddy said.
As a result, entrepreneurial hackers began marketing their goods and services to gamers who would use DDoS attacks to cheat in games like Minecraft or to target rival game servers.
From there, the use cases for such DDoS attacks began to grow to include cybercriminal activities like click fraud — or wreaking havoc at universities. Mirai mastermind Paras Jha repeatedly used Mirai to knock Internet services at Rutgers University offline. As a result of the settlement, Jha was ordered to pay $8.6 million in restitution to the university.
6. IoT Is Bringing Back Old-School Attacks While Enabling a Broad Spectrum of Port Attacks
“Before Mirai, we hadn’t seen a lot of telnet attacks simply because system administrators had gotten good at limiting insecure remote administration protocols via the internet,” Boddy said. “And all of a sudden IoT devices started getting deployed, and you saw this increase in telnet attacks.”
The variability of IoT devices also gives attackers a broad palette of potential ports to target. “We’re at a point where we’re tracking over 150 commonly used ports in IoT devices,” she added.
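The resurgence of telnet attacks described above has a recognizable footprint: one source sweeping telnet ports (23 and 2323) across many hosts, then trying factory credentials. The following Python script is an added example, not code from the article or from F5 Labs. It parses a handful of constructed firewall/honeypot log lines (the log format, the addresses and the threshold are all assumptions made for the example) and flags sources that either scan telnet across many destinations or log in with credential pairs of the kind shipped in the leaked Mirai scanner. The same per-source port profile also shows which other ports a suspicious host touched, which is the “broad palette of ports” point above.

```python
"""Flag Mirai-style telnet scanning and default-credential logins in log lines.

Added example: the log format, sample addresses and scan threshold are
assumptions for illustration, not taken from the article or any vendor tool.
"""
import re
from collections import defaultdict

# A few of the factory username/password pairs that appeared in the leaked
# Mirai scanner source. A real detector would load a much longer list.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("support", "support"),
}

TELNET_PORTS = {23, 2323}

# Assumed log line shape: "<ts> src=<ip> dst=<ip> dport=<n> event=<name> [user=<u> pass=<p>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) event=(?P<event>\w+)"
    r"(?: user=(?P<user>\S*) pass=(?P<pw>\S*))?$"
)

# Constructed sample: one scanner (203.0.113.10), one lone default-credential
# login (192.0.2.9) and one benign SSH session (198.51.100.77).
SAMPLE_LOGS = [
    "2016-10-21T11:59:58Z src=203.0.113.10 dst=198.51.100.1 dport=23 event=connect",
    "2016-10-21T11:59:58Z src=203.0.113.10 dst=198.51.100.2 dport=23 event=connect",
    "2016-10-21T11:59:59Z src=203.0.113.10 dst=198.51.100.3 dport=23 event=connect",
    "2016-10-21T11:59:59Z src=203.0.113.10 dst=198.51.100.4 dport=2323 event=connect",
    "2016-10-21T12:00:00Z src=203.0.113.10 dst=198.51.100.5 dport=23 event=connect",
    "2016-10-21T12:00:00Z src=203.0.113.10 dst=198.51.100.5 dport=23 event=login user=root pass=xc3511",
    "2016-10-21T12:00:01Z src=203.0.113.10 dst=198.51.100.5 dport=23 event=login user=root pass=vizxv",
    "2016-10-21T12:00:02Z src=192.0.2.9 dst=198.51.100.8 dport=2323 event=login user=admin pass=admin",
    "2016-10-21T12:00:03Z src=198.51.100.77 dst=198.51.100.9 dport=22 event=connect",
    "2016-10-21T12:00:04Z src=198.51.100.77 dst=198.51.100.9 dport=22 event=login user=ops pass=correct-horse",
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, scan_threshold=5):
    """Return {src: {"reasons": [...], "ports": [...]}} for suspicious sources.

    A source is flagged when it contacts at least `scan_threshold` distinct
    hosts on a telnet port, or when any login uses a known Mirai default pair.
    """
    telnet_targets = defaultdict(set)    # src -> distinct hosts hit on 23/2323
    default_logins = defaultdict(list)   # src -> Mirai credential pairs used
    port_profile = defaultdict(set)      # src -> every destination port touched

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate unparseable lines rather than abort the sweep
        src = rec["src"]
        port_profile[src].add(rec["dport"])
        if rec["dport"] in TELNET_PORTS:
            telnet_targets[src].add(rec["dst"])
        if rec["event"] == "login" and (rec["user"], rec["pw"]) in MIRAI_DEFAULTS:
            default_logins[src].append((rec["user"], rec["pw"]))

    findings = {}
    for src, ports in port_profile.items():
        reasons = []
        if len(telnet_targets[src]) >= scan_threshold:
            reasons.append(f"telnet scan across {len(telnet_targets[src])} hosts")
        if default_logins[src]:
            reasons.append(f"{len(default_logins[src])} Mirai default-credential logins")
        if reasons:
            findings[src] = {"reasons": reasons, "ports": sorted(ports)}
    return findings


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOGS).items():
        print(src, info["reasons"], "ports:", info["ports"])
```

Run it as-is and the scanner is reported for both behaviours while the SSH session is ignored; in practice you would feed it exported firewall or honeypot logs in whatever format your environment produces and adjust `LINE_RE` and the threshold accordingly. Counting distinct destinations rather than raw connection attempts is deliberate: a single device retrying one host is noise, while one source touching many hosts on port 23 in seconds is the signature of a worm-style sweep.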