Research points to amateurs for unprecedented DDoS attack

Friday’s unprecedented and massive denial-of-service attack against American targets looks to be the work of amateur hackers and not a nation-state or politically motivated attacker, according to newly released research.

Friday’s unprecedented and massive DDoS attack against American targets looks to be the work of amateur hackers and not a nation-state or politically motivated attacker, according to new research from Flashpoint.

“Despite public speculation, Flashpoint assesses with a moderate degree of confidence that the perpetrators behind this attack are most likely not politically motivated, and most likely not nation-state actors,” the researchers wrote.

Director of National Intelligence James Clapper made the same assessment on Tuesday, asserting that it appears the attack wasn’t the work of a nation-state actor.

“That appears to be preliminarily the case,” Clapper said at the Council on Foreign Relations. “But I wouldn’t want to be conclusively definitive about that, specifically whether a nation state may have been behind that or not.”


Public speculation about who was behind the hack includes The Jester blaming Russia and WikiLeaks blaming—or crediting—its own supporters. Another group claimed credit on Saturday.

Flashpoint points to a few key factors to support their conclusions. First, the source code behind the Mirai botnet is now publicly available and has doubled in size since that release. The researchers point to, a hacking community frequented by inexperienced amateurs and salesmen offering denial-of-service products for sale.

“The hackers offer these services online for pay, essentially operating a ‘DDoS-for-hire’ service,” the researchers wrote. “One of the few known personalities that have been associated with Mirai malware and botnets is known to frequent these forums.”

The suspect, who goes by the handle ‘Anna-Senpai,’ is the person who originally released the Mirai source code earlier this month. It was subsequently used in attacks against the Krebs on Security blog as well as the French internet service and hosting provider OVH.

This lines up both technically and historically with the Hackforums community. Denial-of-service is a relatively easy attack to pull off, of the sort seen regularly on Hackforums. The attack against a video game company also indicates the likely involvement of the kind of young, amateur actors who frequent Hackforums.


Last week’s attack impacted major American websites including PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify and the video game Runescape. The incident attracted international attention. Sen. Mark R. Warner, D-Va., announced Tuesday he was probing the attacks on Internet of Things devices that boast the weak security that made Friday’s attack not just possible, but nearly inevitable and widely predicted.

Warner wrote and released letters to the Federal Communications Commission, Federal Trade Commission, and the Department of Homeland Security’s National Cybersecurity & Communications Integration Center asking for more information on preventing IoT hacking.

“The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic,” Warner wrote. “I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers.”

Friday’s attack resulted in a recall of thousands of webcams from the Chinese electronics firm Hangzhou Xiongmai.

“While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” the researchers argued.


The hacking community they blamed “can be motivated by financial gain,” the researchers concluded, “but just as often will execute attacks such as these to show off, or to cause disruption and chaos for sport.”

Written by Patrick Howell O'Neill

Patrick Howell O’Neill is a cybersecurity reporter for CyberScoop based in San Francisco.
