The three men accused of creating and operating the Mirai botnet have pleaded guilty to federal charges.
The Department of Justice announced Wednesday it had unsealed the guilty pleas of Paras Jha, age 21, of Fanwood, N.J.; Josiah White, 20, of Washington, Pa.; and Dalton Norman, 21, of Metairie, La., on charges of "conspiracy to violate the Computer Fraud and Abuse Act in operating the Mirai botnet."
According to the DoJ, the three Mirai creators built the botnet during the summer and fall of 2016 before unleashing the first wave of Mirai attacks, which at its peak was generating DDoS attacks from hundreds of thousands of vulnerable IoT devices.
"The defendants used the botnet to conduct a number of powerful distributed denial-of-service, or 'DDoS' attacks, which occur when multiple computers, acting in unison, flood the internet connection of a targeted computer or computers," the DoJ wrote in a statement. "The defendants' involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks."
Jha and Norman were separately charged with and pleaded guilty to infecting more than 100,000 devices between December 2016 and February 2017 with "malicious software," but did not specifically attribute these attacks to Mirai. The DoJ announcement accused the Mirai creators with making a botnet "used primarily in advertising fraud, including 'click fraud' ... for the purpose of artificially generating revenue," and it is unclear if this botnet was separate from Mirai or not.
"Our world has become increasingly digital, and increasingly complex," U.S. Attorney Bryan D. Schroder said in the DoJ statement. "Cybercriminals are not concerned with borders between states or nations, but should be on notice that they will be held accountable in Alaska when they victimize Alaskans in order to perpetrate criminal schemes. The U.S. Attorney's Office, along with our partners at the FBI and Department of Justice's Computer Crime and Intellectual Property Section, are committed to finding these criminals, interrupting their networks, and holding them accountable."
Jha alone also pleaded guilty to a series of attacks against the Rutgers University network -- where Jha was a student -- between November 2014 and September 2016.
Mirai creator attribution
Early reports following the Mirai botnet attacks, including the Dyn DDoS incident, attempted to attribute the attack to nation-state actors and foreign adversaries. However, in January 2017 Brian Krebs, cybersecurity journalist and investigator, identified Jha and White as likely being the Mirai creators. It is unclear how his investigation played a part in the DoJ charges. Krebs was one of the first known victims of the Mirai DDoS attacks.
Lesley Carhart, security incident response team lead at Motorola Solutions, said on Twitter that this case against the Mirai creators should be a moment to realize "attribution is complex."
I could write a chapter of a threat intelligence about the misattribution of Mirai based on individual indicators. Almost everyone who named a country or organization of origin was way off.— Lesley (@hacks4pancakes) December 13, 2017