In late 2016, having just completed our multi-year effort to tackle the huge Avalanche malware delivery platform, we were asked to support The German BKA investigation into the record breaking IoT-targeting Mirai botnet, by enumerating and sinkholing the large botnet instance known as “Mirai Botnet #14”. In addition to rapid sinkholing over Christmas 2016, we were also able to assist in identifying the suspect behind the attacks. Later we supported the UK National Crime Agency (NCA)’s investigation into linked offenses committed by the same botnet and actor.
The BKA opened their Mirai investigation in November 2016, after ~1 million Deutsche Telekom’s customer routers were temporarily disabled following a failed mass infection attempt, using a zero day exploit in the TR-069 router provisioning protocol. The BKA asked The Shadowserver Foundation to assist with technical support for their investigation. In addition to this, through our own research, we were able to corroborate attribution of the suspect behind the botnet.
A suspect called Daniel Kaye was arrested in the UK at Luton Airport by the NCA on February 22nd 2017 and initially extradited to Germany, where he was successfully prosecuted for the Deutsche Telekom offenses. He received a 20 month sentence, suspended for 3 years, and was extradited back to the UK.
Once back in the UK the suspect was charged with the extortion offenses, and Daniel Kaye became the first person ever to be charged in the UK under the Computer Misuse Act (CMA) offense for taking a country (Liberia) offline in November 2016. Daniel Kaye plead guilty to 3 charges laid against him in the UK before Christmas 2018.
The sentencing of Daniel Kaye took place in London on 11th January 2019. He received 32 months imprisonment for using his Mirai botnet to perform paid Distributed Denial of Services (DDOS) attacks against a Liberian telecommunications service provider, which effectively knocked much of Liberia offline.
The Shadowserver Foundation continue to sinkhole Botnet #14, as well as a number of other IoT botnets – but the sinkhole stats tell their own story, with a large spike being detected in observed Mirai IoT related infections in late November 2016:
The geographic distribution of those infected IoT devices also varied wildly by country over a small number of days, as huge Mirai botnets were rapidly created and lost:
Sinkhole data from known IoT botnets, such as Mirai, is available each day in Shadowserver’s free of charge daily reports to national CERTs and network owners.
UK NCA commentry on the successful arrest and prosecution of “hacker for hire” Daniel Kaye: