New research on the source of Friday’s DDoS attack against DNS provider Dyn indicates that script kiddies are likely responsible, rather than a politically motivated actor.
Researchers at Flashpoint dismissed numerous claims of responsibility that separately linked the attack to the Russian government, WikiLeaks or the New World Hackers group. Instead, the threat intelligence company said with “moderate confidence” that the attacks are linked to the Hackforums community. Hackforums is an English-speaking hacking forum and the place where the source code for the Mirai malware was publicly released by a hacker known as Anna-Senpai.
Director of National Intelligence James Clapper also said today, during testimony at the Council on Foreign Relations, that the attack was likely not carried out by nation-state actors.
“That appears to be preliminarily the case,” Clapper was quoted in The Hill. “But I wouldn’t want to be conclusively definitive about that, specifically whether a nation state may have been behind that or not.”
Flashpoint hinges its conclusion on a number of factors, starting with public release of the Mirai source code. Mirai scans the Internet for IoT devices such as those used in the attack on Dyn, Krebs on Security and French webhost OVH. The malware uses 60 known weak and default credentials on the IP-enabled cameras, DVRs and home networking gear to access the devices before corralling them into giant botnets used to DDoS targets. Since the source code was made public, the number of bots compromised by the malware has more than doubled, Level 3 Communications, a Colorado telco and ISP, said.
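The credential-walking behaviour described above leaves a recognisable trace in a device's or gateway's telnet login log: one source trying several account names within seconds, sometimes with a success landing inside that burst. The following detector is an added example, not code from the article, Flashpoint or any Mirai analysis; the log format, addresses and thresholds are constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a made-up syslog-like format; a real telnetd,
# a honeypot or an IoT gateway would need its own regex.
SAMPLE_LOG = [
    "2016-10-21T11:10:01 telnetd[812]: FAILED login user=root from=198.51.100.7",
    "2016-10-21T11:10:02 telnetd[812]: FAILED login user=admin from=198.51.100.7",
    "2016-10-21T11:10:02 telnetd[812]: FAILED login user=support from=198.51.100.7",
    "2016-10-21T11:10:04 telnetd[812]: ACCEPTED login user=admin from=198.51.100.7",
    "2016-10-21T11:12:40 telnetd[813]: FAILED login user=alice from=192.0.2.9",
    "2016-10-21T11:35:10 telnetd[815]: ACCEPTED login user=alice from=192.0.2.9",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$")

def parse(line):
    """Return (timestamp, result, user, src) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def classify(lines, window_s=60, min_attempts=3, min_users=2):
    """Map each source to 'scan' (>= min_attempts logins within window_s
    seconds over >= min_users account names, i.e. a credential list being
    walked) or 'compromised' (that burst contained an ACCEPTED login)."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_src[rec[3]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        # Slide a window over this source's attempts; flag the first burst found.
        for i in range(len(recs)):
            burst = [r for r in recs[i:] if (r[0] - recs[i][0]).total_seconds() <= window_s]
            if len(burst) >= min_attempts and len({r[2] for r in burst}) >= min_users:
                accepted = any(r[1] == "ACCEPTED" for r in burst)
                verdicts[src] = "compromised" if accepted else "scan"
                break
    return verdicts
```

Run `classify(SAMPLE_LOG)` to see the scanner source flagged as compromised while the slow, single-account login from the second source is ignored.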
“The personalities involved in this community are known for creating and using commercial DDoS tools called booters or stressers. The hackers offer these services online for pay, essentially operating a DDoS-for-hire service,” said Allison Nixon, director of security research at Flashpoint. “One of the few known personalities that have been associated with Mirai malware and botnets is known to frequent these forums. …The hackers that frequent this forum have been previously known to launch these types of attacks, though at a much smaller scale.”
Supporting its claim, Flashpoint said the infrastructure used in Friday’s DDoS attack was also used to target a well-known and unnamed video game company.
“While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” Nixon said, adding that the script kiddies likely involved in the attack are less motivated by financial or political gain than by notoriety, or a desire to “cause disruption and chaos for sport.”
Nixon added that skilled criminals or nation-state groups are less likely to launch DDoS attacks without clear financial, political or strategic gains.
“Participants in the Hackforums community have been known to launch DDoS attacks against video game companies to show off their credentials as hackers of skill, or to troll and gain attention by causing disruption to popular services,” Nixon said.
Large-scale DDoS attacks such as the ones targeting Dyn, Krebs and others are frequently used to extort money from large enterprises, financial services organizations or online entities such as gambling sites that cannot afford sustained outages. No extortion attempts have been reported around Friday’s attacks, which disrupted Internet service on the East Coast of the United States and kept high-profile services such as Twitter, GitHub and others offline for hours throughout the day.
“Dyn DNS is a central target whose outage would affect a wide variety of website and online services, and does not disproportionately affect any one political entity. Such a broad scope of targeting does not lend itself to a politically motivated attack,” Nixon said. “Additionally, the indicators that we do have point to specific communities that have historically been apolitical.”
A number of entities have claimed responsibility for the attacks, all of which Flashpoint disputes. On Saturday, a hacker known as The Jester said he had defaced the Russian Foreign Ministry website with messages denouncing Russia’s alleged involvement in attacks attempting to influence the U.S. presidential election. WikiLeaks, for its part, got involved in the fray following the attacks, posting messages to its Twitter feed asking its supporters to stop the attack and saying they had proven their point. Also on Saturday, the New World Hackers group claimed responsibility for what it was calling record-breaking attacks.
In the meantime, Hangzhou Xiongmai, the Chinese manufacturer of equipment used to build the IP-enabled cameras and DVRs used in the attack, said yesterday that it intended to recall vulnerable devices. It also blamed operators for failing to install firmware updates that closed off telnet access to the devices and for not changing default passwords. The company also threatened legal action through China’s Ministry of Justice against media outlets reporting its involvement in the attack.
“The attacks on Dyn also showed the very steep price we pay for cheap. Attackers were able to turn the low-cost devices, appliances and things we deployed to make life easier against us. Primarily, there has been a focus on speed-to-market to create this ubiquitous data environment with little or no incentive for investment in security and continued maintenance,” said Michael Daly, CTO for Raytheon’s cybersecurity business.
“In fact, it is likely the owners of these low-cost gadgets, who may or may not have updated their latest software patch, have no idea they are part of the problem,” Daly said. “This could be the event that leads to firewalls at home taking on the added responsibility of playing traffic cop to prevent IoT devices from having unfettered access to the rest of the Internet.”