The Mirai DDoS attack that took down a slew of prominent websites last Friday was most likely initiated by users from hackforums[.]net and not a nation-state or cybercriminal organization, according to Flashpoint.
In a blog posted today Flashpoint researchers Allison Nixon, John Costello, Zach Wikholm discounted responsibility claims made by New World Hackers, along with the vigilante hacker The Jester’s accusation that the Russian government was behind the attack and instead called out hackforums[.]net users as a possible culprit. Instead, while not naming a possible perpetrator, Flashpoint believes the attackers were from a hacker forum.
“Flashpoint assesses with moderate confidence that the most recent Mirai attacks are likely connected to the English-language hacking forum community, specifically users and readers of the forum “hackforums[.]net.” The personalities involved in these community are known for creating and using commercial DDoS tools called “booters” or “stressers.” The hackers offer these services online for pay, essentially operating a “DDoS-for-hire” service,” the researchers wrote.
The attack started at 7:00am ET on October 21 hitting three Dyn data centers in the northeastern United States, which helped localize the damage for a time. A second wave of attacks came through around 1pm followed by a third that evening, but both of these were stopped by Dyn and caused no damage. In the end PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify and RuneScape.
Two other pieces of circumstantial evidence used by Flashpoint in coming to its conclusion are, first, the hacker Anna_Senpai, who released the source code for Mirai in October, frequents this forum. Next is that others from this forum have been known to launch similar, if smaller, attacks.
As further proof that this DDoS attack was not politically or financially motivated Flashpoint noted that these tend to be launched against a business competitor, gambling site or Bitcoin exchange in order to blackmail them into making a payment to have their service restored.
“Despite various groups claiming responsibility for the attack, there have been no publicly available indicators of extortion — attempted or not — against Dyn DNS or any of the sites affected by the attack,” the researchers wrote.
There also does not appear to be a political angle to the attack as all the victims are apolitical.
The Flashpoint report said the explosion of Internet of Things devices enabled the attack.
Much of the malicious traffic came from IoT devices compromised with Mirai IoT botnet malware, whose source code was recently released after it was used against security researcher Brian Krebs in September. The malware allows attackers to take over vulnerable devices such as Internet-connected cameras, routers and DVRs, and utilize them for DDoS assaults. Some experts believe this brazen attack could serve as an impetus for change, prompting IoT manufacturers and maybe even device users to be more proactive with security.