Three men have pleaded guilty in US federal court to charges related to the creation of the Mirai Internet of Things botnet malware, variants of which have been used in a series of debilitating distributed denial of service (DDoS) attacks since 2016.
On Wednesday, 13 December, the US Department of Justice unsealed a series of plea deals and criminal information documents detailing the roles of the three defendants: Paras Jha, 21, of Fanwood, New Jersey; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana.
According to a DOJ release, White, Jha, and Norman created the botnet in the summer and autumn of 2016, recruiting as many as 300,000 compromised IoT devices, including wireless cameras, routers, and digital video recorders, before using them to flood their targets with DDoS traffic.
Apparently among the defendants' victims was security researcher Brian Krebs, whose KrebsonSecurity website was besieged with 620 Gbps worth of Mirai-spawned IoT-based traffic on 20 September 2016. In January 2017, following an intensive and painstaking investigation, Krebs named Jha as the likely suspect.
Jha, a former Rutgers University student who referred to himself as Anna-Senpai on hacker forums, released Mirai's source code in the days following the attack on Krebs. This led other individuals to leverage versions of the malware to launch additional attacks, including one targeting the Domain Name System provider Dyn that disabled many popular websites on 21 October 2016. The DOJ did not charge Jha in relation to this incident.
According to Krebs, Jha was the president of a DDoS protection company specialising in defending Minecraft servers. Krebs has alleged, citing numerous inside sources, that the company was responsible for launching DDoS attacks against fellow competitors to frustrate their customers and ultimately steal their business away.
In the same vein, Jha's Mirai information document states that the defendant in August 2016 directed a Mirai-based DDoS attack at a US-based company and demanded money in return for stopping it.
Authorities also state that the defendants rented access to their botnet, allowing other cyber-criminals to launch their own attacks, which damaged targeted servers and even those in close logical proximity. “In fact, one feature of Mirai was the ability to conduct attacks against entire ranges of IPs, meaning that a victim's entire network would be affected. This feature, in conjunction with the very large size of the Mirai botnet, rendered useless many methods that are used to mitigate DDOS attacks, meaning that the attacks were capable of causing more network disruption than would be experienced in attacks by other DDoS services,” Jha's Mirai criminal information document reads.
Krebs reported back in January that White, aka LiteSpeed, was another employee at ProTraf, the DDoS protection company. White admitted playing a key role in the creation of the Linux-based DDoS malware Bashlite (also known as Qbot), but claimed he was blackmailed into sharing his code with a fellow dark web forum member, who was actually responsible for selling and trading the code online.
In its release, the DOJ announced that on 8 December, all three defendants pleaded guilty in the US District Court for the District of Alaska to conspiracy to violate the Computer Fraud & Abuse Act, a crime punishable by a maximum of five years in prison. During the same proceedings, Jha and Norman also pleaded guilty to a second charge of conspiracy to violate the Computer Fraud & Abuse Act for a separate scheme to infect over 100,000 primarily US-based computing devices with botnet malware used to perpetrate advertising fraud, including click fraud.
“The Mirai and Clickfraud botnet schemes are powerful reminders that as we continue on a path of a more interconnected world, we must guard against the threats posed by cyber-criminals that can quickly weaponise technological developments to cause vast and varied types of harm,” said Acting Assistant Attorney General John Cronan, in the DOJ release. “The Criminal Division will remain constantly vigilant in combating these sophisticated schemes, prosecuting cyber-criminals, and protecting the American people.”
On 13 December in the US District of New Jersey, Jha alone pleaded guilty again to violating the US Computer Fraud & Abuse Act in relation to a series of DDoS attacks he launched on Rutgers University's networks from November 2014 to September 2016. These attacks effectively disabled the school's central authentication server, which maintained a portal used by staff, faculty and students for assignments and assessments.
“Paras Jha has admitted his responsibility for multiple hacks of the Rutgers University computer system,” said Acting US Attorney William Fitzpatrick, in the DOJ release. “These computer attacks shut down the server used for all communications among faculty, staff and students, including assignment of course work to students, and students' submission of their work to professors to be graded. The defendant's actions effectively paralysed the system for days at a time and maliciously disrupted the educational process for tens of thousands of Rutgers' students. Today, the defendant has admitted his role in this criminal offence and will face the legal consequences for it.”