Massive botnet that crippled US web takes aim at Africa
A series of cyberattacks in Liberia this week has security researchers worried that attackers are testing a powerful digital weapon before turning it on larger targets in the US and Europe.
The punishing assaults are being launched from a botnet built using Mirai, a toolkit that allows attackers to assemble large attack networks, or botnets, from millions of internet-connected devices. The botnet directs web traffic from those devices at a target to overwhelm it with a distributed denial of service, or DDoS, attack.
In this case, up to 500 gigabits per second of traffic is being directed in short, intermittent bursts at the networks of the Liberian internet service providers (ISPs) that own the one cable connecting the country to the Internet, causing the networks to overload,
The botnet's size and volume suggest that whoever is behind the Liberian attack is also responsible for last month's DDoS attack against Dyn, a firm that provides a key piece of internet infrastructure. That attack caused disruptions for sites such as The New York Times, Amazon, PayPal, and Spotify.
The attacks in Liberia "are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state," said Mr. Beaumont. "So far it appears they are testing denial of service techniques."
Late Friday, however, some dispute emerged over the scope of the damage caused by the attacks in Liberia. Dyn, the company attacked last month, said it could not find evidence suggesting Liberia's entire internet was knocked offline.
"While there may have been a DDoS attack against targets in Liberia, there is no evidence that the country was knocked offline," said Doug Madory, Dyn's director of internet analysis, in a statement.
Akamai, another firm that manages internet traffic, has seen no evidence of a complete internet outage either, it noted.
Yet the ongoing situation in Liberia appears to confirm earlier concerns about criminals using Mirai to build massive attack networks comprised of home routers, digital video recorders, web cameras, and other so-called Internet of Things (IoT) devices.
Security researchers have been worried about precisely such attacks ever since an unknown hacker publicly released Mirai this summer, making it possible for anyone to build IoT botnets relatively easily.
"The DDoS attack on Liberia seems to match earlier predictions about Mirai - or its owners - intentions: Start small, experiment, and continue testing capabilities on increasingly large and more interesting targets," said Jeremiah Grossman, chief of security strategy at the security firm SentinelOne.
"As for future likely targets, I can imagine other smaller and more notable countries - North Korea, for example - getting their internet connections 'stress' tested," Mr. Grossman said.
Twitter messages apparently posted by whoever is behind the Liberian attacks suggest interest in UK-based targets and in attacking researchers, according to Beaumont.
Theoretically, at least, an attack that could have US-wide impact similar to what some have said Liberia is experiencing is possible, says John Pescatore, director of emerging security threats at the SANS Institute, a cybersecurity education organization. But, he said, US internet and tech firms also have many more protections in place for these kinds of attacks.
Even so, situations like what's going on in Liberia show why the federal government needs to encourage ISPs to routinely include DDoS filtering as part of their standard service, says Mr. Pescatore. "This could be either through regulation or the federal government using its buying power to require all ISPs selling to the federal government to include denial of service filtering."
There are some cybersecurity experts, however, who believe the attacks in Liberia are more about demonstrating the capabilities of the Mirai botnet. With just one cable connecting it to the rest of the world, Liberia presents a relatively easy target, but it's not an accurate simulation for the effectiveness of a cyberattack on the US or Europe.
What's likely happening instead is that whoever is behind the attacks wants to send another kind of message, said Chris Carlson, vice president of product management at the firm Qualys.
"The botnet owner here could be demonstrating that he wields an asset much more powerful than what currently exists," he said. "This can force victims to pay extortion to avoid being [one] in the first place, or it can force attacked victims to pay extortion faster to restore service."