2016 came to a quiet conclusion Friday in an Anchorage courtroom, as three young American computer savants pleaded guilty to masterminding an unprecedented botnet—powered by unsecured internet-of-things devices like security cameras and wireless routers—that unleashed sweeping attacks on key internet services around the globe last fall. Then, on a Friday afternoon in the fall of 2016, the internet slowed or stopped for nearly the entire eastern United States, as the tech company Dyn, a key part of the internet’s backbone, came under a crippling assault.
As the 2016 US presidential election drew near, fears began to mount that the so-called Mirai botnet might be the work of a nation-state practicing for an attack that would cripple the country as voters went to the polls. Originally, prosecutors say, the defendants hadn’t intended to bring down the internet—they had been trying to gain an advantage in the computer game Minecraft. FBI supervisory special agent Bill Walton. Unraveling the whodunit of one of the internet’s biggest security scares of 2016 led the FBI through a strange journey into the underground DDoS market, the modern incarnation of an old neighborhood mafia-protection racket, where the very guys offering to help today might actually be the ones who attacked you yesterday.
Then, once the FBI unraveled the case, they discovered that the perpetrators had already moved on to a new scheme—inventing a business model for online crime no one had ever seen before, and pointing to a new, looming botnet threat on the horizon. At the time, FBI special agent Elliott Peterson was part of a multinational investigative team trying to zero in on two teens running a DDoS attack-for-hire service known as vDOS. It was a major investigation—or at least it seemed so at the time. They didn’t realize the power they were unleashing. vDOS was an advanced botnet: a network of malware-infected, zombie devices that its masters could commandeer to execute DDoS attacks at will.
And the teens were using it to run a lucrative version of a then-common scheme in the online gaming world—a so-called booter service, geared toward helping individual gamers attack an opponent while fighting head-to-head, knocking them offline to defeat them. Yet as that case proceeded, the investigators and the small community of security engineers who protect against denial-of-service attacks began to hear rumblings about a new botnet, one that eventually made vDOS seem small. As Peterson and industry colleagues at companies like Cloudflare, Akamai, Flashpoint, Google, and Palo Alto Networks began to study the new malware, they realized they were looking at something entirely different from what they’d battled in the past. Whereas the vDOS botnet they’d been chasing was a variant of an older IoT zombie army—a 2014 botnet known as Qbot—this new botnet appeared to have been written from the ground up. Doug Klein, Peterson’s partner on the case. The new malware scanned the internet for dozens of different IoT devices that still used the manufacturers’ default security setting. Since most users rarely change default usernames or passwords, it quickly grew into a powerful assembly of weaponized electronics, almost all of which had been hijacked without their owners’ knowledge.
The security industry was really not aware of this threat until about mid-September. It’s really powerful—they figured out how to stitch together multiple exploits with multiple processors. They crossed the artificial threshold of 100,000 bots that others had really struggled with. It didn’t take long for the incident to go from vague rumblings to global red alert. Mirai shocked the internet—and its own creators, according to the FBI—with its power as it grew.
Researchers later determined that it infected nearly 65,000 devices in its first 20 hours, doubling in size every 76 minutes, and ultimately built a sustained strength of between 200,000 and 300,000 infections. It’s the most successful IoT botnet we’ve ever seen—and a sign that computer crime isn’t just about desktops anymore. The countries with the most Mirai infections were Brazil, Colombia, Vietnam, and China, according to researchers. At its peak, the self-replicating computer worm had enslaved some 600,000 devices around the world—which, combined with today’s high-speed broadband connections, allowed it to harness an unprecedented flood of network-clogging traffic against target websites. On September 19, 2016, the botnet was used to launch crushing DDoS attacks against French hosting provider OVH. vDOS had been overwhelming targets with attacks in the range of 50 Gbps.
A follow-on Mirai attack against OVH hit around 901 Gbps. And no one had any idea yet who its creators were, or what they were trying to accomplish. Mirai was the first botnet I’ve seen that hit that existential level. Through September, the inventors of Mirai tweaked their code—researchers were later able to assemble 24 iterations of the malware that appeared to be primarily the work of the three main defendants in the case—as the malware grew more sophisticated and virulent.