A “digital nuclear attack”. A “zombie apocalypse”. “The end of history. “

Much has been made of Mirai, the recently discovered malware that incorporates Internet of Things (IoT) devices into botnets capable of conducting the largest distributed denial of service (DDoS) attacks measured to date. Some reports have focused on the in-depth technical detail behind the malware, while others have taken the hyperbolic route – cue images of zombie fridges and the impending digital Armageddon.

But what hasn’t really been explored is Mirai’s potential impact on the activities of particular threat actor groups. Our latest whitepaper forecasts the threat posed by these different groups. This blog focuses on one group in particular, hacktivists.

Although some hacktivist attacks have been impactful, most are low-level, unsubstantiated, and result in minimal disruption to targeted organizations. Hacktivists have high levels of intent, though often lack the technical capability to back this up.

Mirai, however, could be a game-changer for hacktivism. In late September the malware’s source code was posted online and was freely available to download. Since then a link to a GitHub repository containing the source code has been posted to an OpIcarus Facebook page (see Figure 1 below).

 Mirai OpIcaurs

Figure 1: Mirai source code posted to OpIcarus Facebook page

In the context of hacktivism, these developments are significant for two reasons:

1. Stronger more impactful attacks – Hacktivists are usually motivated by a mix of ideological concerns and a desire to show off their power. Mirai would be an ideal means to achieve the latter. The attack on Brian Krebs had a peak volume of 620 Gbps, while that on the France-based internet service provider OVH reportedly measured over 1.5 Tbps. Hacktivist operations that have previously been seen as presenting only a very low threat may now take on added significance if participants are armed with IoT botnets.

2. Changing tactics – The attacks on Brian Krebs, OVH and DynDNS underlined Mirai’s ability to cause a significant disturbance to these services, and this disruptive capability might allow hacktivist actors to perform more sophisticated operations in future.

The attack against the Sony Playstation Network in 2011 resulted in the company taking the network offline for a number of days and the theft of personal data belonging to 77 million customers. It later transpired that PlayStation had been bombarded with DDoS attacks which made it more difficult for them to detect the intrusion. A powerful Mirai attack that renders a targeted site offline for a considerable amount of time could therefore be used as a smokescreen for a number of other types of attack – such as SQL injection to steal data or even alongside physical protests. Some may even begin extortion activities as the fear of Mirai could allow hacktivists to solicit funds from their victims or blackmail them into placating their particular cause.

While the above may sound ominous, we should not make the mistake of thinking we’re on a one-way road to perdition. We should bear in mind the following:

1. A certain level of technical capability is still needed to operate Mirai

Although the source code has been released publicly, this does not necessarily mean that any individual can simply pick it up and launch a high-volume DDoS attack. Even before Mirai, many hacktivists sought the aid of stresser and booter services to help them launch DDoS attacks as they were unable to do so themselves. These services are likely to remain popular among novice users as they often provide real-time assistance and troubleshooting features, with some level of anonymity. A number of discussions we’ve detected on hacking forums already show that novice users are struggling to make use of Mirai, and that fellow users have not been so forthcoming in sharing their secrets.

Mirai Hackforums1

 Mirai Hackforums2

Figure 2: Desperate Mirai users on HackForums

Despite this, “Mirai-as-a-service” offerings have already been detected – indicating that cybercriminals are attempting to monetize their Mirai capabilities in similar fashion to stresser and booter services. It remains to be seen, however, whether these become popular and if they even function as advertised.

2. Land of plenty? Attackers are in competition for the IoT resource pool

The original Mirai variant was believed to be able to target between 200,000 – 500,000 devices. A more recent variant, however, dubbed ‘Annie’ by its creator, can allegedly infect up to five million vulnerable devices. Though these estimates are concerning, we shouldn’t assume that attackers are inhabiting a socialist utopia where devices are freely available and shared for public use.

Instead, attackers are competing directly with each other for control of these devices, which means it’s likely a few select individuals or groups are able to operate the largest botnets. Already there have been reports that the competition for devices has fractured Mirai’s power, creating a series of smaller botnets capable of smaller attacks. Attackers are now furiously searching for new infection vectors to gain an advantage over their competitors. Since the release of the Mirai source code, there have been reports of new Mirai variants that target new devices using different techniques. So although high-volume attacks are still a threat, the competition over the IoT resource pool will limit the ability of hacktivists to commandeer the most powerful botnets.

3. Extortion threats are often hollow

There will be a number of actors who will hope that targets will not call their bluff for threat of Mirai. Users of the Web Hosting Talk forum reported receiving Mirai extortion emails demanding a ransom of two Bitcoin (approximately $1320 USD). These appear to have been empty threats, with no attacks taking place after expiry of the stated 96 hour window.

Mirai Extortion Senpai

Figure 3: Extortion email threatening a Mirai attack [Source: Web Hosting Talk]

It may be too early to state with complete confidence whether or not Mirai will change the practice of hacktivism. By continuing to monitor developments within the hacktivist community, however, and by forecasting what the post-Mirai landscape might look like in future, we can better prepare ourselves for these eventualities.