Last Friday’s attack that cut access to dozens of popular websites was likely carried out by kids rather than Russia or another state actor, according to a firm that’s been closely tracking the incident.
Security firm Flashpoint says in a new report that there’s little evidence to suggest Russia launched last Friday’s distributed denial of service (DDoS) attack that broke access to Amazon, Netflix, PayPal, Reddit, Spotify and others.
“Despite public speculation, Flashpoint assesses with a moderate degree of confidence that the perpetrators behind this attack are most likely not politically motivated, and most likely not nation-state actors,” the company said.
That the attack is likely not from a sophisticated or well-resourced group is no cause for comfort. Flashpoint’s chief suspects for the attack are unskilled ‘script kiddies’ who’ve hijacked millions of poorly secured internet-connected devices to attack core internet infrastructure.
The Friday attack targeted servers of Dyn DNS, a provider of managed domain name system (DNS) services to dozens of well-known internet firms. Dyn DNS’ customers rely on its servers to translate the domain names their users type into a browser into the numerical IP addresses of their servers. Because many sites depend on that one provider for resolution, Dyn's position on the internet magnified the impact of the attack.
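The paragraph above describes the single-point-of-failure risk of relying on one managed DNS provider. The script below, an added illustration that is not part of the article and not Flashpoint's or Dyn's code, shows the check a site operator would run on their own zone: group the authoritative name servers by operator and flag a zone whose NS records all belong to one provider. The zone names, NS hostnames and provider domains are constructed for the example; no lookups are performed, so it runs offline.

```python
"""Check whether a zone's authoritative name servers all sit at one provider.

Added example (not from the article). The input is what `dig NS <zone>`
would return; here it is a constructed sample so the script runs offline.
"""
from collections import Counter

# Constructed sample data: hypothetical zones and hypothetical DNS operators.
SAMPLE_NS = {
    "single-provider.example": [
        "ns1.dnsprovider-a.example", "ns2.dnsprovider-a.example",
        "ns3.dnsprovider-a.example", "ns4.dnsprovider-a.example",
    ],
    "dual-provider.example": [
        "ns1.dnsprovider-a.example", "ns2.dnsprovider-a.example",
        "ns1.dnsprovider-b.example", "ns2.dnsprovider-b.example",
    ],
    "lonely.example": ["ns1.dnsprovider-c.example"],
}


def provider_of(ns_host: str) -> str:
    """Heuristic: treat the last two labels of an NS hostname as its operator.

    'ns1.dnsprovider-a.example.' -> 'dnsprovider-a.example'. Real deployments
    may need a public-suffix list, but two labels is enough to illustrate.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess(ns_hosts):
    """Summarise provider diversity for one zone's NS set.

    Returns a dict with the per-provider count, whether the zone has a single
    provider (the Dyn-style failure mode) and whether it has too few servers.
    """
    providers = Counter(provider_of(h) for h in ns_hosts)
    return {
        "providers": dict(providers),
        "single_point_of_failure": len(providers) == 1,
        "too_few_servers": len(ns_hosts) < 2,
    }


def report(zones=SAMPLE_NS):
    """Return {zone: assessment} for every zone in the input mapping."""
    return {zone: assess(hosts) for zone, hosts in zones.items()}


if __name__ == "__main__":
    for zone, result in report().items():
        flags = []
        if result["single_point_of_failure"]:
            flags.append("all NS at one provider")
        if result["too_few_servers"]:
            flags.append("fewer than two NS records")
        status = "; ".join(flags) or "provider diversity OK"
        print(f"{zone}: {status} {result['providers']}")
```

The mitigation the check points at is secondary DNS at a second operator: with NS records split across two independent providers, an outage at one leaves resolvers able to fall back to the other.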
While the exact size of the attack is still not known, at least one source of the attack, consisting of tens of millions of IP addresses, was from the so-called Mirai botnet, which relies on compromised web-connected surveillance cameras and other devices for bandwidth. Flashpoint helped Dyn analyze the source of the attack.
The Mirai malware is behind record-breaking traffic attacks against French ISP OVH and the website of security reporter Brian Krebs, peaking at 1Tbps and over 600Gbps, respectively. The malware has brought renewed focus on the lack of security in IoT devices, since many of them ship with insecure settings and can’t easily be patched by the vendor or user.
The US Department of Homeland Security on Monday said it held a call with 18 major communication service providers to share details about the incident. It said its National Cybersecurity and Communications Integration Center was working with law enforcement, the private sector and researchers to combat Mirai and threats like it.
In light of the US government recently blaming Russia for the hacks on the Democratic National Committee, some immediately blamed Russia for the attack on Dyn. Wikileaks also suggested the attacks were launched by its supporters. Another hacking group known as “New World Hackers” claimed credit for the attack.
Flashpoint regards all these claims as “dubious and likely to be false”. As the firm points out, the command and control centre used in the attack on Dyn was also used against a video game company.
“The targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” Flashpoint wrote. In other words, script kiddies.
Also, so far there’s no evidence that the attackers attempted to extort Dyn DNS or the sites affected by the attack.
The more likely culprit in this case is the same community from which the Mirai source code was leaked following the attack on Krebs’ website. Flashpoint singles out users of hackforums[.]net, who are known to create DDoS-for-hire services, renting out tools called “booters” and “stressers”.
“The technical and social indicators of this attack align more closely with attacks from the Hackforums community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation-states, and terrorist groups,” said Flashpoint.
“These other types of threat actors are unlikely to launch such an attack without a clear financial, political, or strategic objective, and they are very unlikely to launch an attack against a video game company.”