Threat Management, Network Security, Vulnerability Management

Mirai Botmaster behind Deutsche Telekom router hijack pleads guilty

A Mirai botmaster has plead guilty in a German court on July 21. The 29-year-old hacker, calling himself “BestBuy” or “Popopret”, admitted to the hijack of 900,000 Deutsche Telekom (DT) customers last year as well as a similar attack a short while later on over 100,000 British routers. He will be sentenced on July 28 and is currently facing up to ten years in prison.

The incident was an attempt by BestBuy to to add to his botnet, by deploying a variant of Mirai malware on the hundreds of thousands of routers.

BestBuy was arrested in London toward the end of February after an international arrest warrant was issued by the Cologne police.

The hacker used a variant of Mirai to build his botnet which he would rent out to bidders. He discussed his hiring by a Liberian ISP who paid him to DDoS its competitors within the country. This may be the same attack that was alleged to take out the internet for the entire country. While the scale of those attacks were disputed, this admission could be confirmation of them.

It has been speculated that the perpetrator of that attack was the same hacker that attacked Dyn.

Mirai malware loomed large last year, as its botnets broke DDoS records on top of each other. A Mirai botnet first targeted investigative journalist Brian Krebs with a DDoS attack of 620 Gbps, one of the largest that had ever been seen. A short while later, a Mirai botnet attacked the French hosting company, OVH, with a flood power of over 1 terabyte, making it the largest DDoS attack ever recorded. The DDos attack on Dyn, the DNS provider which counts Twitter, Reddit and Netflix as its customers, caused widespread outages at some of the most popular websites around. The attack topped out at a flood power of 1.2 terabytes, meaning that Mirai had broken its own record only one day after setting it.

Cobbled together from the great wealth of vulnerable IoT devices, Mirai's masters would use poorly secured WiFi fridges, IP cameras and routers to stock their sprawling botnets.

One of the more shocking elements of this story was just how easy it was to raise these zombie armies. Once Mirai infects a device, it scans for similar devices in proximity and is then spread by guessing that device's password from a library of around 150 common passwords. That simple routine, proved remarkably successful and damning for the security of IoT devices.

In the wake of the November 2016 attack on DT routers, cyber-security firm Flashpoint estimated that there could be five million vulnerable devices worldwide, leaving the wielders of Mirai malware with ample room to spread.

There was potential for just as many masters too. The Mirai source code was eventually published, allowing many, even minor actors to write their own powerful variants. A late 2016 Institute of Critical Infrastructure Technology report, entitled Rise of the Machines, called it a ‘quantum leap' in cyber-criminality “not because of sophistication or any innovative DDoS code, rather it offers a powerful development platform that can be optimised and customised according to the desired outcome of a layered attack by an unsophisticated adversary.”

This particular attack used a variant of Mirai to take over nearly a million DT routers and cause widespread internet service outages which were reported not only in Germany, but in Brazil and the UK too.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.