Mirai Masterminds Helping FBI Snuff Out Cybercrime

The three hackers behind the infamous Mirai botnet have been helping law enforcement take down cybercriminals across the globe.

The three masterminds behind Mirai – the infamous botnet known for taking down internet services in a 2016 DDoS attack – will work with the FBI in future cybercrime investigations as part of their sentencing for creating and operating the botnet.

The three hackers, Paras Jha (22, of New Jersey), Josiah White (21, of Pennsylvania), and Dalton Norman (22, of Louisiana) were sentenced Tuesday in Alaska, after each pleaded guilty to violating the Computer Fraud and Abuse Act in operating the Mirai botnet.

As part of their sentencing, the Chief U.S. District judge mandated the three each serve a five-year probation – and part of that involves cooperating with the FBI on cybercrime and cybersecurity investigations. Perhaps more surprisingly, the three have already provided assistance to the FBI, contributing to active cybercrime investigations.

“After cooperating extensively with the FBI, Jha, White, and Norman were each sentenced to serve a five-year period of probation, 2,500 hours of community service, ordered to pay restitution in the amount of $127,000, and have voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation,” according to a Tuesday release about the sentencing.

The October 2016 attack overwhelmed servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites, including Netflix and Twitter.  It was orchestrated as a distributed denial of service attack through 300,000 vulnerable Internet of Things devices such as webcams, routers and video recorders.

The Justice Department said that the three men’s involvement with the original Mirai variant ended in the fall of 2016 when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks.

According to Jha’s plea agreement, in January 2017, the three also leased access to their botnet to other criminals in exchange for payment. And, between December 2016 to February 2017, the three hackers also successfully infected over 100,000 U.S.-based computing devices with malicious software – including home internet routers. These infected devices were used in an advertising fraud scheme – specifically a method called “clickfraud,” which is a type of internet-based scheme that makes it seem as if a real user has “clicked” on an advertisement for the purpose of artificially generating revenue. The play earned the three around 100 BTC ($180,000 in value as of Jan. 2017), according to Jha’s court document.

While documents did not reveal details about how the three sentenced had previously helped the FBI, according to a Wired report, people familiar with the matter said that they have contributed to at least a dozen cases across the globe. That includes cases such as an APT from a nation-state hacking group, as well as a DDoS campaign launched around the holidays.

Ben Herzberg, director of threat research at Imperva, told Threatpost that the trio may have invaluable knowledge of more severe criminals as they leased botnets to other hackers.

“Although my initial reaction when hearing about it was that criminals should pay the price for what they do, we have to look at the ‘big picture,'” he told Threatpost. “By being involved in Mirai and such activities, these people may have been exposed to more details of other criminal cyber activity.”

That could include knowledge of other DDoS attacks, including attacks launched through misconfigured Memcached servers accessible via the public internet; or the VPNFilter IoT botnet, which infected almost a million consumer-grade internet routers (i.e., Linksys, MikroTik, Netgear, and TP-Link) in more than 50 countries in a very short amount of time.

Despite the trio’s assistance when it comes to cybercrime, Mirai still remains a dangerous and evolving threat in the cybersecurity landscape; in fact, a Kaspersky Lab report published this week found that the Mirai botnet family is the top downloaded malware when it comes to IoT attacks. Mirai and its variants have remained a top threat as the malware’s technical makeup, capabilities and targets continue to evolve.

However, “The silver lining here, in my opinion, is that the Mirai authors were brought to justice,” Nadav Avital, threat research manager at Imperva, told Threatpost. “Unfortunately,  the attribution problem, in the cyber crime world, is very difficult and consequently not enough criminals are apprehended.”

Suggested articles