Some have worried that the massive cyberattack that disrupted the Internet on Friday was the work of Russian government-backed hackers, politically motivated hacktivists or sophisticated cybercriminals. But researchers at cyber-intelligence firm Flashpoint say the Internet meltdown may have been carried out by amateurs who haunt a popular hacking forum.
Flashpoint helped Web service provider Dyn determine that hacked Internet-connected devices were involved in the attack. If Flashpoint is right, the attack shows that even hobbyists can cripple the Internet's fragile infrastructure. When asked about Flashpoint's research, Dyn pointed to a blog post on its site Wednesday that said it's “collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers.”
The code for the malware Mirai, which was used in Friday's attack, was posted roughly one month ago on an online community called HackForums.net by a hacker using the handle “Anna-Senpai,” as first reported by security journalist Brian Krebs. The same user is believed to be the person behind earlier attacks using Internet of Things devices controlled by Mirai, which last month targeted Krebs's website and a French cloud provider called OVH, according to Flashpoint. The Post was unable to make contact with the forum user.
Once the code was let loose online, almost anyone could have used it or tweaked it for their own purposes, said Ben Herzberg, a security research manager at cybersecurity firm Imperva. But Flashpoint said its assessment points to HackForums users. People posting on the site regularly trade tips on malware, and some users have created tools that can launch digital assaults similar to the one that hit Dyn on Friday. Some even offer to carry out cyberattacks for a price, according to Flashpoint.
The site's administrator, who goes by the pseudonym Omniscient, described HackForums in an emailed statement as a community "mainly devoted to like-minded individuals who believe in learning new technical computer skills including security aspects."
"While we'd like to see a higher moral standard from members we also can't force ethics onto people simply with policy," the person said. The site has strict rules that forbid certain topics, but "tries not to get involved in member content and censorship," the administrator added.
HackForums users frequently target video game networks as a way to get attention and prove their skills, according to Flashpoint. Members have been linked to the hacking group that claimed responsibility for knocking the PlayStation and Xbox networks offline on Christmas Day in 2014. According to a Tuesday blog post, Flashpoint discovered that the same infrastructure used to attack Dyn was also used to target “a well-known video game company.” A post on HackForums claims the original target of Friday’s attack was the PlayStation Network and that Dyn was essentially collateral damage. Sony did not immediately respond to a request for comment on that claim.
Those clues point to amateur hackers — commonly known in hacker circles as “script kiddies” — as the culprits behind the Friday attack, according to Flashpoint.
“The technical and social indicators of this attack align more closely with attacks from the [HackForums] community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation-states, and terrorist groups,” the Flashpoint researchers wrote.
Other experts agree with Flashpoint’s assessment. “I think they are right. I don't believe the Friday attackers were financially or politically motivated,” said Mikko Hypponen, chief research officer at cybersecurity firm F-Secure. “It was such an untargeted attack, it's hard to find a good motive for it. So, kids.”