Massive botnet that crippled US web takes aim at Africa

Experts worry that the attackers behind the Mirai botnet are testing it out against Liberia before a larger scale attack on the US or Europe.

A series of cyberattacks in Liberia this week has security researchers worried that attackers are testing a powerful digital weapon before turning it on larger targets in the US and Europe

The punishing assaults are being launched from a botnet built using Mirai – a toolkit that allows attackers to assemble large attack networks, or botnets, from millions of internet-connected devices. The botnet directs web traffic from those devices at a target to overwhelm it with a distributed denial of service, or DDoS, attack.

In this case, up to 500 gigabits per second of traffic is being directed in short, intermittent bursts at the networks of the Liberian internet service providers (ISPs) that own the one cable connecting the country to the Internet, causing the networks to overload, according to British security researcher Kevin Beaumont.

The botnet size and volume suggests that whoever is behind the Liberian attack is also responsible for last month's DDoS attack against Dyn, a firm that provides a key piece of internet infrastructure. That attack caused disruptions for sites such as The New York Times, Amazon, PayPal, and Spotify.

The attacks in Liberia "are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state," said Mr. Beaumont. "So far it appears they are testing denial of service techniques."

Late Friday, however, some dispute emerged over the scope of the damage caused by the attacks in Liberia. Dyn, the company attacked last month, said it could not find evidence suggesting Liberia's entire internet was knocked offline. 

"While there may have been a DDoS attack against targets in Liberia, there is no evidence that the country was knocked offline," said Doug Madory, Dyn's director of internet analysis, in a statement. 

Akamai, another firm that manages internet traffic, has seen no evidence of a complete internet outage either, it noted.

Yet, the ongoing situation in Liberia appear to confirm earlier concerns about criminals using Mirai to build massive attack networks of comprised of home routers, digital video recorders, web cameras, and other so-called Internet of Things (IoT) devices. 

Security researchers have been worried about precisely such attacks ever since an unknown hacker publicly released Mirai this summer, making it possible for anyone to build IoT botnets relatively easily.

"The DDoS attack on Liberia seems to match earlier predictions about Mirai – or its owners – intentions: Start small, experiment, and continue testing capabilities on increasingly large and more interesting targets," said Jeremiah Grossman, chief of security strategy at the security firm SentinelOne.

"As for future likely targets, I can imagine other smaller and more notable countries – North Korea, for example – getting their internet connections 'stress' tested," Mr. Grossman said.

Twitter messages apparently posted by whoever is behind the Liberian attacks suggest interest in UK-based targets and in attacking researchers, according to Beaumont.

Theoretically, at least, an attack that could have US-wide impact similar to what some have said Libera is experiencing is possible, says John Pescatore, director of emerging security threats at the SANS Institute, a cybersecurity education organization. But, he said, US internet and tech firms also have many more protections in place for these kinds of attacks. 

Even so, he said, situations like what's going on in Liberia show why the federal government needs to encourage ISPs to routinely include DDoS filtering as part of their standard service, says Mr. Pescatore. "This could be either though regulation or the federal government using its buying power to require all ISPs selling to the federal government to include denial of service filtering.

There are some cybersecurity experts, however, who believe the attacks in Liberia are more about demonstrating the capabilities of the Mirai botnet. With just one cable connecting it to the rest of the world, Liberia presents a relatively easy target, but it's not an accurate simulation for the effectiveness of a cyberattack on the US or Europe. 

What’s likely happening instead is that whoever is behind the attacks wants to send another kind of message, said Chris Carlson, vice president of product management at of the firm Qualys.

"The botnet owner here could be demonstrating that he wields an asset much more powerful than what currently exists," he said. "This can force victims to pay extortion to avoid being [one] in the first place, or it can force attacked victims to pay extortion faster to restore service."