A hacker that goes by the name “BestBuy” admitted to a German court on Friday that he was behind an attack last year that knocked close to 1 million customers of German ISP Deutsche Telekom offline.
The suspect is a 29-year old British man who is only identified as “Daniel K.” He was arrested Feb. 22 by the British National Crime Agency at the request of Germany’s Federal Criminal Police Office. Daniel K. pleaded guilty to masterminding the attacks that used Mirai malware to hijack routers, surveillance cameras and baby monitors and carry out denial of service attacks.
In November, a Mirai variant was blamed for a DDoS attack that took down nearly 1 million Deutsche Telekom DSL routers. The Deutsche Telekom attack was just one of many massive Mirai-related distributed denial-of-service attacks last year including one in October against DNS provider Dyn and one in September targeting security journalist Brian Krebs’ website.
At the time, the uptick in Mirai attacks was attributed to the fact the Mirai source code was made public and modified by several threat actors.
According to reports, Daniel K. admitted to creating a customized version of the Mirai malware to target at first German customers of Deutsche Telekom. According to authorities, he also targeted UK ISPs, commandeering more than 100,000 routers. He has not been charged in relation to that attack.
German media is reporting that Daniel K. was allegedly paid about $10,000 by a Liberian telecommunications firm to carry out the DDoS attack against competitors.
In February, when Daniel K. was arrested, Cologne public prosecutor Dr. Daniel Vollmert told SkyNews that the hacker faced a charge of attempted computer sabotage. If charged in Britain, Daniel K. could face a 10-year jail sentence if convicted, the report stated. German prosecutors had alleged the man offered to sell the botnet over the dark web as a DDoS service, SkyNet reported.
While the hacker’s identity is being shielded, Krebs believes Daniel K. or BestBuy is likely a U.K. man named Daniel Kaye. By tracing registration data associated with domain names used to coordinate the activities of the Mirai botnet, Krebs believes BestBuy is not only Daniel Kaye, but also the hacker behind the remote access Trojan GovRAT. “The trojan (GovRAT) is documented to have been used in numerous cyber espionage campaigns against governments, financial institutions, defense contractors and more than 100 corporations,” Krebs wrote in a post earlier this month.
“Mirai was initially able to create the devastating and record-breaking attacks that were observed against the security blog ‘Krebs on Security’ as well as hosting company OVH and ISP Dyn because there were only a few variants that were competing for a large pool of vulnerable devices,” wrote Flashpoint in November. “After the source code for Mirai and its exploitation vector were released on hackforums[.]net, the situation changed dramatically and the number of independent Mirai operators attempting to exploit the same IoT device pool subsequently increased.”
Flashpoint said after the initial waves of attacks, a turf war ensued, and subsequent attacks were smaller. In February, a variant of the Mirai malware targeted a U.S. college with a marathon 54-hour long attack.
In April, an unknown white hat hacker was responsible for creating the Hajime IoT botnet and Hajime malware that had a mission to secure IoT devices vulnerable to the notorious Mirai malware.