Some have worried that the massive cyber-attack that disrupted the Internet on Friday was the work of Russian government-backed hackers, politically motivated hacktivists or sophisticated cyber-criminals. But researchers at cyber-intelligence firm Flashpoint say the Internet meltdown may have been carried out by amateurs who haunt a popular hacking forum.
Flashpoint helped Web service provider Dyn determine that hacked Internet-connected devices were involved in the attack. If Flashpoint is right, the attack shows that even hobbyists can cripple the Internet’s fragile infrastructure. When asked about Flashpoint’s research, Dyn pointed to blog post on its site Wednesday that said it’s “collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers.”
The code for the malware Mirai, which was used in Friday’s attack, was posted roughly a month ago on an online community called HackForums.net by a hacker using the handle “Anna-Senpai,” as first reported by security journalist Brian Krebs. The same user is believed to be the person behind earlier attacks using Internet of Things devices controlled by Mirai, which last month targeted Krebs’ website and a French cloud provider called OVH, according to Flashpoint.
Once the code was let loose online, almost anyone could have used it or tweaked it for their own purposes, said Ben Herzberg, a security research manager at cyber-security firm Imperva. But Flashpoint said its assessment points to HackForums users. People posting on the site regularly trade tips on malware, and some users have created tools that can launch digital assaults similar to the one that hit Dyn on Friday. Some even offer to carry out cyber-attacks for a price, according to Flashpoint.
The operators of the HackForums site did not immediately respond to a request for comment on Flashpoint’s claims.
HackForums users frequently target video game networks as a way to get attention and prove their skills, the cyber-security firm said. Members have been linked to the hacking group that claimed responsibility for knocking the PlayStation and Xbox networks offline on Christmas Day in 2014.
According to a Tuesday blog post, Flashpoint discovered that the same infrastructure used to attack Dyn was also used to target “a well-known video game company.” A post on HackForums claims the original target of Friday’s attack was the PlayStation Network and that Dyn was essentially collateral damage. Sony did not immediately respond to a request for comment on that claim.
Those clues point to amateur hackers – commonly known in hacker circles as “script kiddies” – as the culprits behind the Friday attack, according to Flashpoint.
“The technical and social indicators of this attack align more closely with attacks from the [HackForums] community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation-states, and terrorist groups,” the Flashpoint researchers wrote.
Other experts agree with Flashpoint’s assessment. “I think they are right. I don’t believe the Friday attackers were financially or politically motivated,” said Mikko Hypponen, chief research officer at cyber-security firm F-Secure. “It was such an untargeted attack, it’s hard to find a good motive for it. So, kids.”