DDoS Gang Wars – The Millennial Mobsters
By Ted Smillie on Tuesday, January 31st, 2017
Features in QESP Newsletter, Volume 29, Issue 1 - ISSN 1325-2070
“This is easily the longest story I’ve ever written on this blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it.”
This quote is from an 18 Jan 17 blog, Who is Anna-Senpai, the Mirai Worm Author?, by Brian Krebs of KrebsOnSecurity. His story begins on September 22, 2016, when he was hit by a distributed denial-of-service (DDoS) attack. His site “was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks.”
The initial attack was just the start of the story. “Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.” What helped promote those copycat attacks is that “A great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services, which are essentially DDoS-for-hire services which allow even unsophisticated users to launch high-impact attacks. And as we will see, the incessant competition for profits in the blatantly illegal DDoS-for-hire industry can lead those involved down some very strange paths, indeed.”
Yes, it seems that some of those “unsophisticated users” can very quickly become sophisticated.
This lengthy blog is a real eye-opener, reminiscent of the 1920s gang wars between prohibition era mobsters, but fortunately without the bloodshed. At least not yet. So far, all the damage appears to be financial. The 18 Jan 17 KrebsOnSecurity blog gives links to earlier blogs and shows emails between the participants. Brian Krebs notes “I was desperately seeking the missing link between seemingly unrelated people and events; sometimes I was inundated with huge amounts of information — much of it intentionally false or misleading — and left to search for kernels of truth hidden among the dross.”
This painstaking research unearthed the first clues: “Mirai was just the latest incarnation of an IoT botnet family that has been in development and relatively broad use for nearly three years.” The clues led to the identity of Anna-Senpai and also to other international DDoS perpetrators. One of the perpetrators brags “that he led the FBI on a wild goose chase.”
What is astonishing is the ages of those involved. Some of the earlier attacks were against a major DDoS protection company and were directly preceded by a threat. That threat was made by the then-17-year-old owner and sole employee of a competing DDoS protection company. The 18 Jan 17 blog gives a link to a separate 19 Oct 16 story, Spreading the DDoS Disease and Selling the Cure, which points to a 19-year-old Californian. In turn, that story has a link to a Sept. 8 story, Israeli Online Attack Service Earned $600,000 in Two Years, where the hacked vDOS database indicated the service was run by two 18-year-old Israeli men.
In the 18 Jan 17 blog Brian Krebs is now “confident to have uncovered Anna-Senpai’s real-life identity, and the identity of at least one co-conspirator who helped to write and modify the malware.” This blog is recommended reading for insight into the murky world of the millennial mobsters, which also happens to be our own everyday world.
One of the Brian Krebs observations was that “ironically, many of the devices most commonly infected by Mirai and similar IoT worms are security cameras.”
Some further insights on IoT weaknesses are given in a January 17, 2017 IoT Evolution interview with David Sovie, Global Managing Director, Electronics & High-Tech Industry, Accenture, High-Tech Story to Watch in 2017: How to Secure the IoT. This interview quotes a new U.S. Department of Homeland Security report titled Strategic Principles for Securing the Internet of Things, which warns that “While the benefits of IoT are undeniable, the reality is that security is not keeping up with innovation.” Home surveillance cameras are identified as a popular target for hackers, who “took control of these devices to attack other devices on the network, which served as gateway to take down the company’s routers and attack the entire corporate infrastructure including the popular websites.”
The interview also notes that “Over the past two years, consumer purchases of IoT devices such as wearable health devices, connected vehicles, and home monitoring devices have not grown as quickly as once predicted. Security concerns are among the main reasons.” The interview concludes with some tips on addressing “these very real security concerns to enable continued growth of the Internet of Things.”

Tags: Accenture, Anna-Senpai, DDoS, DDoS-for-hire, Internet of Things (IoT), IoT Evolution, KrebsOnSecurity, Mirai Worm, U.S. Department of Homeland Security