The massive DDoS attack that disrupted the internet address-lookup service Dyn last week was perhaps pulled off by a script kiddie targeting PlayStation Network and using Mirai malware to assemble a massive IoT botnet, according to research by Flashpoint.
“Flashpoint assesses with moderate confidence that the most recent Mirai attacks are likely connected to the English-language hacking forum community, specifically users and readers of the forum ‘hackforums.net,’” according to a blog by Allison Nixon, director of security research at Flashpoint.
She says the company has discovered that the infrastructure used in the Dyn attack also targeted “a well-known video game company” that she doesn’t name. A post on hackforums.net seems to support this possibility. It indicates the target was PlayStation Network and that Dyn was hit because it provides DNS services to PSN. Going after the name servers (NS) that answer lookups for PSN would prevent clients from resolving PSN’s hostnames, and so prevent traffic from reaching PSN.
The hackforums.net post reads: “this is funny, only because they didnt actually attk DYN fun fact DYN was never intentionally attkd until later that day PSN was the target (bf1 release) they used DYN's ns: ns00.playstation.net, ns01.playstation.net, ns02.playstation.net etc.” This was posted by someone with the screen name qbotwithasupermicroontop.
Nixon writes that one actor who claims to be behind distribution of Mirai – screen name Anna-Senpai – also participates in these hacker forums. “The hackers that frequent this forum have been previously known to launch these types of attacks, though at a much smaller scale,” she writes.
These factors combine to make her think it’s likely that someone on hackforums.net was behind the Dyn attack, she says. “These hackers exist on their own tier, sometimes called ‘script kiddies,’ and are separate and distinct from hacktivists, organized crime, state-actors, and terrorist groups,” according to the blog.
Political actors, criminals and terrorists don’t fit the bill, she says, because they usually have readily discoverable political, financial or strategic goals, “and they are very unlikely to launch an attack against a video game company.”
There have been no public indicators of extortion against Dyn, which would point to criminals. Since Dyn serves a broad range of customers, knocking out its service “does not disproportionately affect any one political entity,” so she rules out political actors.
Nick Kephart, network outage analyst at ThousandEyes, says Nixon’s analysis sounds plausible, although firing off an enormous amount of DDoS traffic at Dyn to affect just one customer is overkill. A smaller attack against the specific customer would have been more efficient, he says, and that customer likely would have been an easier target. Plus, Dyn is one of the best-suited internet organizations in the world to defend itself against DDoS attacks, he says.