Modern field guide to security and privacy

Massive botnet that crippled US web takes aim at Africa

Experts worry that the attackers behind the Mirai botnet are testing it out against Liberia before a larger scale attack on the US or Europe.

Thierry Gouegnon/Reuters
The city of Monrovia, Liberia, July 1, 2016. Picture taken July 1, 2016. REUTERS/Thierry Gouegnon

A series of cyberattacks in Liberia this week has security researchers worried that attackers are testing a powerful digital weapon before turning it on larger targets in the US and Europe

The punishing assaults are being launched from a botnet built using Mirai – a toolkit that allows attackers to assemble large attack networks, or botnets, from millions of internet-connected devices. The botnet directs web traffic from those devices at a target to overwhelm it with a distributed denial of service, or DDoS, attack.

In this case, up to 500 gigabits per second of traffic is being directed in short, intermittent bursts at the networks of the Liberian internet service providers (ISPs) that own the one cable connecting the country to the Internet, causing the networks to overload, according to British security researcher Kevin Beaumont.

The botnet size and volume suggests that whoever is behind the Liberian attack is also responsible for last month's DDoS attack against Dyn, a firm that provides a key piece of internet infrastructure. That attack caused disruptions for sites such as The New York Times, Amazon, PayPal, and Spotify.

The attacks in Liberia "are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state," said Mr. Beaumont. "So far it appears they are testing denial of service techniques."

Late Friday, however, some dispute emerged over the scope of the damage caused by the attacks in Liberia. Dyn, the company attacked last month, said it could not find evidence suggesting Liberia's entire internet was knocked offline. 

"While there may have been a DDoS attack against targets in Liberia, there is no evidence that the country was knocked offline," said Doug Madory, Dyn's director of internet analysis, in a statement. 

Akamai, another firm that manages internet traffic, has seen no evidence of a complete internet outage either, it noted.

Yet, the ongoing situation in Liberia appear to confirm earlier concerns about criminals using Mirai to build massive attack networks of comprised of home routers, digital video recorders, web cameras, and other so-called Internet of Things (IoT) devices. 

Security researchers have been worried about precisely such attacks ever since an unknown hacker publicly released Mirai this summer, making it possible for anyone to build IoT botnets relatively easily.

"The DDoS attack on Liberia seems to match earlier predictions about Mirai – or its owners – intentions: Start small, experiment, and continue testing capabilities on increasingly large and more interesting targets," said Jeremiah Grossman, chief of security strategy at the security firm SentinelOne.

"As for future likely targets, I can imagine other smaller and more notable countries – North Korea, for example – getting their internet connections 'stress' tested," Mr. Grossman said.

Twitter messages apparently posted by whoever is behind the Liberian attacks suggest interest in UK-based targets and in attacking researchers, according to Beaumont.

Theoretically, at least, an attack that could have US-wide impact similar to what some have said Libera is experiencing is possible, says John Pescatore, director of emerging security threats at the SANS Institute, a cybersecurity education organization. But, he said, US internet and tech firms also have many more protections in place for these kinds of attacks. 

Even so, he said, situations like what's going on in Liberia show why the federal government needs to encourage ISPs to routinely include DDoS filtering as part of their standard service, says Mr. Pescatore. "This could be either though regulation or the federal government using its buying power to require all ISPs selling to the federal government to include denial of service filtering.

There are some cybersecurity experts, however, who believe the attacks in Liberia are more about demonstrating the capabilities of the Mirai botnet. With just one cable connecting it to the rest of the world, Liberia presents a relatively easy target, but it's not an accurate simulation for the effectiveness of a cyberattack on the US or Europe. 

What’s likely happening instead is that whoever is behind the attacks wants to send another kind of message, said Chris Carlson, vice president of product management at of the firm Qualys.

"The botnet owner here could be demonstrating that he wields an asset much more powerful than what currently exists," he said. "This can force victims to pay extortion to avoid being [one] in the first place, or it can force attacked victims to pay extortion faster to restore service."

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Massive botnet that crippled US web takes aim at Africa
Read this article in
QR Code to Subscription page
Start your subscription today