
FBI: How we stopped the Mirai botnet attacks

FBI Special Agent Elliott Peterson gave RSA attendees a behind-the-scenes look at the investigation into the Mirai botnet following the devastating DDoS attacks in 2016.

SAN FRANCISCO -- The ultrapowerful Mirai botnet DDoS attacks of 2016 took people by surprise, but Elliott Peterson said they shouldn't have.

Peterson, an FBI special agent with the field office in Anchorage, Alaska, shared new details at RSA Conference 2019 about the Mirai botnet and the FBI's effort to stop the threat. The session, "Mirai Nikki: The Future of DDoS," offered a behind-the-scenes look at the investigation into the 2016 distributed denial-of-service attacks and the lessons learned.

In September 2018, three men -- Josiah White, Paras Jha and Dalton Norman -- were each sentenced to five years of probation and 2,500 hours of community service for their roles in creating and deploying the Mirai botnet malware. The men, who were also ordered to pay $127,000 each, pleaded guilty to various charges related to Mirai and "cooperated extensively" with the FBI, according to the Justice Department, in its efforts to identify other cybercriminals operating Mirai variants and to prevent further attacks.

The lead-up to the devastating DDoS attacks, powered largely by unsecured, connected devices, was full of "things that happened right under our noses," Peterson said. And arguably the biggest missed sign was the highly active underground market for booter or DDoS-for-hire services on sites like Hack Forums.

"There are these enormous ecosystems built around DDoS," he said. "And it's not something a lot of us paid attention to, and I think that's a shame."

Hack Forums was the epicenter of the DDoS world, where hackers could market and sell their DDoS-for-hire tools and services. Peterson explained how forum members would use booters to attack private servers running Minecraft, the popular sandbox PC game. Some of the most widely used Minecraft servers earned their hosts hundreds of thousands of dollars a year, he said, and a boutique economy had emerged around Minecraft server operators using DDoS attacks against other competing Minecraft servers to gain more players and, thus, earn more money.

Ironically, Peterson said, the Mirai botnet creators ran a small DDoS protection firm called ProTraf Solutions. The company's financial struggles led White and Jha to explore the other side of the DDoS equation: Instead of offering defense services, they began building what would become the Mirai botnet in the spring of 2016.

Hacker wars

White, Jha and, later, Norman, began selling their Mirai-powered booter service, which at its height had a "staggering" 650,000 compromised devices, Peterson said.

"The problem with IoT is that it's a large attack surface," he said, adding that while most booter services offer between 1 Gbps and 30 Gbps of DDoS volume, Mirai generated approximately 1 Tbps.

Eventually, the Mirai group came up against another DDoS-for-hire group known as Lizard Squad. White, Jha and Norman even redesigned Mirai to kill competing botnet processes and shut off Telnet on each infected device, so that Lizard Squad and other competitors couldn't also compromise the IoT and connected devices in Mirai's army.

Over the summer of 2016, the two groups turned their botnets against each other in an effort to gain an advantage in the booter black market.

The FBI had been investigating Lizard Squad and other booter services in conjunction with U.K. and Israeli law enforcement agencies, Peterson said, but the bureau was unaware of the Mirai Group, its activity on Hack Forums and the hacker battles. In early September, law enforcement agencies took down Lizard Squad's vDOS booter service.

That takedown had the unintended consequence of emboldening the Mirai Group, because its chief rival in the market had just been removed, Peterson said. The group then picked fights with people in online forums, and those fights ended with massive Mirai DDoS attacks, he said.

"I don't think this is well-known or even public yet ... but there was a period in mid-September where they were wielding this thing like a club," Peterson said.

But, again, these attacks weren't on the FBI's radar, because the victims were other hacking groups and booter services. That changed when the Mirai Group used the full power of the botnet to attack the Krebs on Security website, the homepage of infosec journalist Brian Krebs, in retaliation for an article he wrote on booter services. The attack was so powerful that it knocked Krebs' site offline for several days and forced Akamai Technologies to drop the site from its DDoS protection service. Krebs moved the site to Google's Project Shield service.

Following the attack on Krebs' site, the creators released the source code for the Mirai botnet in an attempt to divert law enforcement's attention. Soon after the release, other Mirai attacks were directed at companies such as domain name system service provider Dyn, though Peterson said law enforcement officials believe those attacks were the work of other suspects that had obtained the Mirai source code.

[Figure: How botnets like Mirai work. Botnets like Mirai are able to quickly infect targeted devices.]

Finding the Mirai botnet creators

After Krebs moved his site to Project Shield, he gave Google permission to share the attack data with the FBI, which Peterson said was hugely helpful in the investigation. Several of the IP addresses used in the Mirai attacks came from Alaska, where Peterson and the Anchorage field office took ownership of the investigation. Many of the compromised devices used in the botnet were based in the state.

White, Jha and Norman took many steps to conceal their identities and cover their tracks, including the use of several aliases and even a fake dox that implicated an individual in Turkey. Still, Peterson said, the Mirai authors underestimated the extent to which the FBI would investigate and failed to recognize how metadata around their anonymous accounts and aliases could reveal their identities.


"Their OPSEC [operational security], for the most part, was incredible," Peterson said. "But they also had made the mistake of bragging to their friends."

In early 2017, Krebs published an investigative report into Mirai that publicly named White and Jha as the likely creators of the botnet. Later that year, after extensive work by FBI investigators and federal prosecutors, White, Jha and Norman agreed to plead guilty to several computer crimes and also cooperate with law enforcement on the investigation. Peterson said the trio expressed a willingness "to an unusual degree" to help investigators with other booter services and Mirai-related attacks.

"They were ready to, as I called it, put the genie back in the bottle," he said. "They put Mirai out there, and it caused a lot of problems. Well, what are you going to do to make up for that?"

Part of their atonement, Peterson said, included a new tool to prevent Mirai-like attacks. The three men built an IoT botnet honeypot, called WatchTower, which he showed during the presentation via a video demonstration narrated by White, Jha and Norman.

Lessons learned

The Mirai botnet attacks in 2016 were a watershed moment for distributed denial-of-service threats that offered valuable lessons for both law enforcement and the infosec community, Peterson said.

For the FBI's part, Peterson identified three things that could have been done differently that would have allowed law enforcement to act sooner.

"We could have looked harder at the stresser marketplace," he said. "We could have looked closer at the dialogues these guys were having with each other, and I think we could have looked at Lizard Squad as more than just a nuisance and also as a threat."

Peterson also pointed out that new threats sometimes evolve out of direct competition between hacker groups, rather than actions from law enforcement or cybersecurity vendors.

As for enterprises, he advised them to examine and shut off any insecure or unused protocols, such as Telnet, Simple Network Management Protocol and UPnP, to prevent attackers from gaining access to IoT or connected devices. In addition, he recommended conducting reviews for any connected devices that may have default credentials and implementing new passwords as soon as possible.
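A practical way to act on that advice is to inventory which connected devices still expose those protocols and which of them answer to factory credentials. The script below is an added example, not from Peterson's talk, the FBI or the WatchTower tool. It parses nmap's "grepable" (-oG) output for the ports Mirai's own scanner targeted (TCP 23 and 2323, per the leaked scanner.c) plus SNMP and UPnP/SSDP on UDP, and it checks a user/password pair against a subset of the default credentials hard-coded in the leaked Mirai source. The scan output and host names used here are constructed; the field layout of -oG and the credential list are the real ones.

```python
"""Audit connected devices for Telnet, SNMP and UPnP exposure and for Mirai's
factory credentials.  Added example; not code from the talk or from any FBI tool.

Works offline on nmap grepable output, which you would produce with e.g.

    nmap -sT -sU -p T:23,T:2323,U:161,U:1900 -oG inventory.gnmap 192.168.1.0/24

(-sU needs root) and then feed to audit_scan().  SAMPLE_SCAN is constructed.
"""
import re
from dataclasses import dataclass

# Mirai's scanner tried TCP 23 and 2323; SNMP and SSDP/UPnP are the other
# protocols the talk said to shut off.  Both of those ride on UDP.
RISKY_PORTS = {
    ("tcp", 23): "telnet",
    ("tcp", 2323): "telnet (alt port)",
    ("udp", 161): "snmp",
    ("udp", 1900): "upnp/ssdp",
}

# Subset of the user/password pairs hard-coded in the leaked Mirai scanner.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("admin", "1111"), ("root", "666666"), ("root", "password"),
    ("root", "1234"), ("root", "klv123"), ("Administrator", "admin"), ("service", "service"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("guest", "12345"), ("ubnt", "ubnt"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("root", "system"), ("admin", "1234"),
}

# Constructed -oG output: a camera with Telnet and SNMP, a DVR with Telnet on
# 2323 (nmap labels it 3d-nfsd; Mirai scanned it regardless) and UPnP, and a
# printer that is clean.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.1.10 (cam01)\tStatus: Up
Host: 192.168.1.10 (cam01)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 161/open|filtered/udp//snmp///\tIgnored State: closed (997)
Host: 192.168.1.11 (dvr01)\tPorts: 2323/open/tcp//3d-nfsd///, 1900/open/udp//upnp///\tIgnored State: closed (998)
Host: 192.168.1.12 (printer)\tPorts: 631/open/tcp//ipp///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""


@dataclass(frozen=True)
class Finding:
    host: str
    service: str
    port: int
    proto: str


HOST_RE = re.compile(r"^Host:\s+(\S+)")
# -oG port entries look like  23/open/tcp//telnet///  (port/state/proto/owner/service/...)
PORT_RE = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)//([^/]*)")


def audit_scan(gnmap: str) -> list[Finding]:
    """Return one Finding per risky open (or open|filtered) port per host."""
    findings = []
    for line in gnmap.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comments and the 'Status: Up' lines carry no ports
        host = m.group(1)
        ports_field = line.split("Ports:", 1)[1]
        for port, _state, proto, _svc in PORT_RE.findall(ports_field):
            key = (proto, int(port))
            if key in RISKY_PORTS:
                findings.append(Finding(host, RISKY_PORTS[key], int(port), proto))
    return findings


def is_mirai_default(user: str, password: str) -> bool:
    """True if the pair is one Mirai's brute-forcer would have tried."""
    return (user, password) in MIRAI_DEFAULTS


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings per host, e.g. {'192.168.1.10': ['telnet/23', 'snmp/161']}."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.host, []).append(f"{f.service}/{f.port}")
    return report


if __name__ == "__main__":
    for host, services in summarize(audit_scan(SAMPLE_SCAN)).items():
        print(f"{host}: shut off {', '.join(services)}")
    # Checking a credential found during a device review (constructed pair).
    print("root/xc3511 is a Mirai default:", is_mirai_default("root", "xc3511"))
```

Any host the script lists is one Mirai, or a variant built from the leaked source, would have been able to reach over Telnet or abuse over SNMP or UPnP; the credential check is the review step for devices that cannot have Telnet disabled and must at least be re-passworded.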

Scott Shapiro, a professor at Yale Law School, said Peterson's talk was valuable because it provided details about the Mirai botnet that weren't publicly available.

Shapiro, whose courses include cybersecurity and hacking law, said those kinds of details illuminate how the Mirai creators went from offering a legal DDoS protection service to crossing several legal and ethical lines with their botnet.
