Flashpoint Intel released a brief after-action report on Tuesday, outlining some of their observations following Friday’s DDoS attack against Dyn Inc., which affected traffic to a number of high-level domains.
Among the report’s findings is that Friday’s attack was the work of script kiddies (amateurs), not a nation-state actor.
Friday’s attack against Dyn Inc. was felt almost immediately after it started at 07:00 a.m. EST.
Visitors to PayPal, Twitter, Reddit, Amazon, Netflix, games like RuneScape, or music services such as Spotify, reported outages. Around this time, Dyn Inc. reported a sustained DDoS attack that was impacting their customers, the first of two that the company would experience that day.
The Mirai botnet is made up of compromised consumer devices such as routers, DVR systems, and IP cameras. There are millions of these devices online, and during Friday’s attack Dyn Inc. reported that tens of millions of IP addresses were hitting their systems.
In their report on Tuesday, Flashpoint again said that while the Mirai botnet was used in Friday’s attack, the command and control server managing the botnet was “separate and distinct” from those used in the previous Mirai attacks against OVH and journalist Brian Krebs.
After the attack was mitigated early Friday evening, several people and groups claimed responsibility. Wikileaks blamed their supporters, “The Jester” blamed Russia – but to be fair, so did everyone else – and a group calling themselves the New World Hackers said they were behind the attack.
Flashpoint dismissed each of their claims, looking instead towards a group of amateurs, or script kiddies, that lurk on Hack Forums.
“In its investigation of Dyn DDoS attacks, Flashpoint discovered that the infrastructure used in the attack also targeted a well-known video game company. While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” the report says.
Put more directly, Flashpoint says that those responsible for Friday’s attack are likely regulars on Hack Forums, because the community there is known for developing DDoS tools (stressers / booters). Moreover, a Hack Forums member developed and later released the Mirai source code.
“The hackers that frequent this forum have been previously known to launch these types of attacks, though at a much smaller scale,” Flashpoint explained.
“The technical and social indicators of this attack align more closely with attacks from the [Hack Forums] community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation-states, and terrorist groups. These other types of threat actors are unlikely to launch such an attack without a clear financial, political, or strategic objective, and they are very unlikely to launch an attack against a video game company.”
Flashpoint said that given the lack of indicators suggesting extortion – attempted or not – against Dyn Inc., or any of the other websites impacted by Friday’s attack, they’re confident that wasn’t the motive. Additionally, the broad scope of the attack’s impact doesn’t lend itself to political motivations, the report says.