Hackers that took down major websites ‘were script kiddies, not nation state’
27 October 2016
The distributed denial of service (DDoS) attack on DNS provider Dyn that brought down parts of the internet last week was likely the work of amateur hackers, according to cyber security experts.
Researchers from Flashpoint said "with a moderate degree of confidence" that the attackers were not politically motivated or working on behalf of a nation state.
Despite various hackers and organisations claiming some level of responsibility for the attack, the report said these are "dubious and likely to be false".
Instead, it said the infrastructure behind the attack suggested that it was the work of "script kiddies" that had previously targeted a video games company.
"The technical and social indicators of this attack align more closely with attacks from the Hackforums community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation states and terrorist groups," the researchers said.
"These other types of threat actors are unlikely to launch such an attack without a clear financial, political or strategic objective, and they are very unlikely to launch an attack against a video game company.
"Participants in the Hackforums community have been known to launch DDoS attacks against video game companies to show off their credentials as hackers of skill, or to 'troll' and gain attention by causing disruption to popular services."
The attack against Dyn used a Mirai botnet of infected Internet of Things devices, but Flashpoint determined that its command and control centre was “separate and distinct” from that used in attacks on Krebs on Security and hosting provider OVH.
The incident affected the availability of some of the internet's most popular websites and services, including Amazon, Spotify, Netflix, Twitter, Reddit, GitHub and Etsy.
“The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations,” Dyn said at the time.
“We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks was devices infected by the Mirai botnet.
“We observed tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”
Chinese firm Hangzhou Xiongmai Technology recalled some of its products, including webcams, after they were linked to the botnet used in the attacks; the devices reportedly had poor security and easy-to-guess default passwords.
For more on the analysis, see Flashpoint’s blog post.