A federal court in Alaska unsealed records Tuesday showing that a number of young men have entered plea agreements over their alleged roles in a huge, malicious network of internet-of-things devices. Mirai, as the botnet was known, was used in massive attacks throughout 2016.
Josiah White, who used the hacker handles Lightspeed and thegenius, helped create the Mirai botnet, according to court documents. A second man, Paras Jha, whom cybersecurity reporter Brian Krebs also previously linked to Mirai, has also entered a plea agreement.
The news signals arrests of those allegedly linked to one of the more significant developments in recent cybersecurity history: the leveraging of increasingly pervasive, internet-connected devices to launch attacks unprecedented in scale that could even disrupt some of the biggest sites on the internet.
According to the pair’s plea agreements, their roles in Mirai started in August 2016, when White and Jha set out to create a network of hacked machines. Specifically, White created the “scanner” part of Mirai, which hunted across the internet for vulnerable devices to penetrate. Meanwhile, Jha, who operated under the monikers ogmemes and Anna Senpai, wrote code with his co-conspirators to control and direct devices infected with the Mirai malware, his plea agreement states. In the end, White and others infected hundreds of thousands of connected devices, court records state. Many of these devices were internet-enabled security cameras.
“White and his co-conspirators built the botnet in order to [...] create a weapon capable of initiating powerful denial of service attacks against business competitors and others against whom White and his co-conspirators held grudges against,” White’s plea agreement reads. The group also built the botnet so as to rent it out for a profit, and extort hosting companies and other targets, according to the court documents.
White and Jha then used the Mirai botnet to launch distributed-denial-of-service (DDoS) attacks, which flood a target with so much traffic that it grinds to a halt, against a number of U.S.-based hosting companies, the agreement states.
Although the agreements do not name any particular victims, in September the owners of Mirai pointed their botnet at Krebs’ news site, bringing it down in a record-breaking DDoS attack. The Mirai owners also bombarded OVH, a popular hosting company.
One version of Mirai was used in October 2016 in an attack against Dyn, a Domain Name System (DNS) provider, which helps route visitors’ requests to the websites they are trying to reach. This had a knock-on effect for dozens of highly popular sites, such as Twitter, Netflix, Reddit, CNN, and many more. However, that Mirai botnet was not the same as the one allegedly driven by these defendants, Krebs reported.
Jha also developed the botnet’s “clickfraud” capabilities, in which hacked machines are used to generate clicks en masse and thereby produce revenue, according to another court record. A third defendant, Dalton Norman, also participated in the click fraud scheme, another plea agreement adds.
Records add that Jha and his co-conspirators targeted home internet routers and earned around 100 bitcoin, or approximately $180,000 at the time, and also worked to uncover so-called zero-day vulnerabilities—issues with hardware or software that can be exploited without the affected vendor’s knowledge.
According to his plea agreement, Jha purposefully tried to conceal evidence from law enforcement, and wiped data that he used to run Mirai on his machine. Jha then posted the Mirai code online on a low-level hacking forum, “in order to create plausible deniability if law enforcement found the code on computers controlled by Jha or his co-conspirators,” the agreement adds.
A spokesperson for the Department of Justice said the department will issue statements when all cases are unsealed Wednesday, indicating that charges against others are to follow.