Analysts mixed on reason for Liberia Mirai attack

A Mirai botnet-fueled distributed denial of service (DDoS) attack reportedly incapacitated internet operations across the West African coastal nation of Liberia earlier this week.

A large botnet operation dubbed Shadows Kill targeted Liberian IP addresses with a DDoS attack over several days this past week, prompting speculation as to the perpetrators' true motive.
A large botnet operation dubbed Shadows Kill targeted Liberian IP addresses with a DDoS attack over several days this past week, prompting speculation as to the perpetrators' true motive.

A barrage of Mirai botnet-fueled distributed denial of service (DDoS) attacks reportedly incapacitated Internet operations across the West African coastal nation of Liberia earlier this week, bu industry researchers had mixed views on the rationale behind the attack and damage inflicted.

In a Thursday post on the publishing site Medium, independent researcher Kevin Beaumont reported a series of “continued short duration attacks” – perpetrated by a Mirai botnet composed of Internet of Things devices such as CCTV cameras – that may have crippled Liberia's Internet infrastructure. Beaumont linked the attacks to the same actor that launched a massive attack against the DNS service Dyn on Oct. 21, knocking out such websites as Amazon, Reddit and Twitter.

As a counterpoint, security researcher Brian Krebs in a blog post Friday cast doubt on the overall seriousness of the attacks, citing a pair of Dyn Tweets that downplayed their impact. Additionally, Daniel Brewer, general manager at the Cable Consortium of Liberia, told Krebs that its monitoring systems showed no downtime – although a traffic analysis by content delivery network provider Akamai Technologies did register a dip in Internet activity (not necessarily attributed to any attacks).

“While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to substantial [sic] that,” Brewer told Krebs.

Information on the Liberia attacks was also disseminated via the @MiraiAttacks Twitter feed, which was established by blog site MalwareTech in order to track various Mirai botnets' activities. According to the feed, one particular set of attacks that took place on 2 November lasted anywhere from a minute to an hour. A WHOIS search of attacked IP addresses shows that this particular botnet concentrated its efforts on Lonestar Cell MTN, the largest telecommunications network in Liberia. The onslaught appears to have stopped as of 3 November.

The perpetrator was Botnet #14, the largest of all the Mirai botnets, whose existence predates the Dyn incident and whose attacks have typically reached over 500 Gbps, wrote Beaumont.

Liberia has only one underwater Internet cable, meaning the country has no redundancy if this connection is disabled or overwhelmed. A DDoS attack, therefore, could cause heavy financial damage to Liberian companies that rely heavily on Internet operations. In a Friday blog post, Morey Haber, VP of technology at account and vulnerability management company BeyondTrust, pointed out that this critical fibre cable supports not just Liberia, but 23 African and European countries in total. “This opens up the possibility of this next-generation cyber weapon disrupting operations in these countries as well,” wrote Haber.

“Network operators in smaller countries typically have less international bandwidth available than in large countries,” said Roland Dobbins, principal engineer with the security engineering and response team at DDoS mitigation firm Arbor Networks, in an email interview with SC Media. “It's critical for ISPs in these countries to participate in the global operational security community in order to have the ability to request assistance from other ISPs worldwide in a crisis, and they should also have both an organic DDoS mitigation capability as well as an overlay DDoS mitigation capability.”

In the midst of the Liberia attacks, Botnet #14 launched a 60-second DDoS assault against MalwareTech's website and also sent a series of ominously threatening messages via one-second traffic bursts, which were picked up on the @MiraiAttacks Twitter feed. The messages – “uk.small”, “cctv.big”, “shadows.kill” and “Kevin.lies.in.fear” – may in part be aimed at Beaumont, who is based in the U.K. and was actively Tweeting about the attacks as they were happening. In response to the threatening language, Beaumont named the botnet Shadows Kill.

Beaumont wrote that the botnet's operators appeared to be testing Mirai's capabilities; however, theories have been mixed over the true nature of the attacks.

“There has been uninformed speculation recently about 'test attacks,' but it is not consistent with the operational reality of constant, 24/7 DDoS attacks which have become the norm on the Internet over the last two decades,” said Dobbins, separately noting that the Liberia attacks were substantially different in methodology from the Dyn attack.

Chris Carlson, VP of product management at network security solutions provider Qualys, also thinks it's unlikely that Shadows Kill is testing Mirai's limits, noting that Liberia is “multiple orders of magnitude less sophisticated than Dyn and would be overwhelmed by even basic botnet DDoS attacks. Normally, tests are stealthy and increasing in scope and impact, ramping up to a large public target.”

Instead, Carlson believes it's a demonstration of power, possibly by an entity that wants to ultimately exploit the botnet for financial gain in the same way ransomware distributors have extorted money from their victims. “The botnet owner is demonstrating that he wields an asset much more powerful than what currently exists, continued Carlson, in comments emailed to SC. “This can force victims to pay extortion to avoid being [attacked] in the first place, or it can force attacked victims to pay extortion faster to restore service.”

Justin Fier, director of cyber intelligence and analysis at cybersecurity firm Darktrace, sees two possible reasons for taking out Liberia: “to flex your muscles and show the strength of a botnet, or to test it and see how much bandwidth it is actually putting out.”

“A test attack on Liberia could mark the very beginning stages of a cyberwar,” Fier continued, in comments emailed to SC. If the attack on Liberia was indeed a 'test,' then the implications are even more pertinent in light of our current escalated cyber climate and the upcoming election.”

Sign up to our newsletters