Mirai creators helping FBI crack cybercrime cases
- By Derek B. Johnson
- Sep 20, 2018
The three American teenagers who created the Mirai botnet are apparently so good at tracking and identifying criminal activity that the government wants them to continue helping the FBI with cybercrime investigations.
The Department of Justice requested that the community service requirement for Paras Jha, Josiah White and Dalton Norman be raised from 200 to 2,500 hours, with tasks redefined to include continuing work with the FBI on cybercrime and cybersecurity cases.
"The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber criminals around the world," said U.S. Attorney Bryan Schroder in a statement announcing the sentence.
In court documents, U.S. lawyers revealed that the trio has spent the past year working closely with the FBI's Anchorage, Alaska, office, applying the same skillset they once used as cyber criminals to find "novel ways" to crack down on botnet crime.
The three men worked "exhaustively" to identify botnet operators and proxy networks used to launch distributed denial-of-service attacks since being arrested and pleading guilty in 2017 to multiple violations of the Computer Fraud and Abuse Act, said Adam Alexander, assistant U.S. attorney for Alaska, where the case was investigated.
"By working with the FBI, the defendants assisted in thwarting potentially devastating cyberattacks and developed concrete strategies for mitigating new attack methods," Alexander wrote in court documents.
Alexander also credited them with helping to mitigate a new attack vector using memcached servers capable of exponentially amplifying DDoS attacks. The vulnerability, which security researchers at the time characterized as "rare," led to a series of massive DDoS attacks in Europe and the U.S. earlier this year.
The three worked with the FBI and security vendors to identify vulnerable servers and communicated with affected companies to quickly and drastically curb the volume and effectiveness of the attack to "mere fractions" in a matter of weeks. The defendants also helped reverse engineer botnet computer code, developed tools to help law enforcement examine cryptocurrencies, participated in briefings with companies and security researchers and reconfigured data seized from another notorious botnet, Kelihos, so that law enforcement could identify and notify victims.
Jha, White and Norman pleaded guilty in December 2017 to hijacking hundreds of thousands of internet-connected devices in order to execute DDoS attacks against businesses and competitors in service of extortion and click-fraud schemes. Their botnet, nicknamed Mirai, was substantially more powerful and sophisticated than others, and investigators characterize its activities against U.S. and European hosting companies in September 2016 as "the largest such [DDoS] attack ever recorded."
While attempting to throw investigators off of his trail, Jha posted the source code for Mirai to the internet in September 2016, a step that prosecutors called "the most damaging and significant acts," noting that the code has since "become the progenitor to countless descendant variations" of botnets worldwide.
In a Sept. 18 post, cybersecurity company Kaspersky Lab said that Mirai code still serves as "cybercriminals preferred option" for downloading malware onto internet-connected devices.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.