Nearly a week after domain name system provider Dyn was hit by a massive DNS DDoS attack, disrupting access to much of the internet for users throughout the Northeast U.S., experts are suggesting the attacks were not caused by a state actor and public claims of responsibility so far are unlikely to be true.
Researchers at the New York-based cybersecurity company Flashpoint provided more details, as well as some suggestions relating to attack attribution.
"Despite public speculation, Flashpoint assesses with a moderate degree of confidence that the perpetrators behind this attack are most likely not politically motivated and most likely not nation-state actors," security researchers at the company wrote.
Director of National Intelligence James Clapper, speaking Tuesday at a Council on Foreign Relations event, agreed with that assessment. He said, "The investigation is still going on. There's a lot of data to be gathered here," but noted the preliminary results of that investigation point to a nonstate actor as the cause for the Dyn DNS distributed denial-of-service (DDoS) attacks.
Flashpoint's analysis of the event noted the affected sites were mostly located in the Northeast U.S. at first, though other areas of the country were affected later on. Sites affected included PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify and RuneScape.
During the event, Flashpoint was "able to confirm that at least one portion of the attack was initiated by a Mirai command-and-control server," but it debunked three high-profile claims of responsibility for the attacks: "Flashpoint assesses with medium confidence that each of these claims is dubious and likely to be false."
The first claim was made by gray-hat hacker The Jester, who defaced the website of the Russian Foreign Ministry on Oct. 22, and later blamed Russia for the Dyn DNS DDoS attack, as well as for the hack of the Democratic National Committee and interference in this year's U.S. presidential election. Flashpoint also debunked a claim by the hacker group New World Hackers, as well as suggestions that WikiLeaks supporters had something to do with the attack after WikiLeaks tweeted a request to its supporters to "stop taking down the U.S. internet."
"Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point. pic.twitter.com/XVch196xyL" — WikiLeaks (@wikileaks), October 21, 2016
The Flashpoint researchers also noted the perpetrators were likely not financially or politically motivated. "Flashpoint assesses with moderate confidence that the most recent Mirai attacks are likely connected to the English-language hacking forum community, specifically users and readers of the forum 'hackforums.net,'" wrote Flashpoint's Allison Nixon, director of security research; John Costello, senior analyst for cyber and East Asia; and Zach Wikholm, research developer. "The personalities involved in these communities are known for creating and using commercial DDoS tools, called 'booters' or 'stressers.' The hackers offer these services online for pay, essentially operating a 'DDoS-for-hire' service."