Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH. Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks.
While Flashpoint has confirmed that Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and OVH. Earlier this month, “Anna_Senpai,” the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mira’s source code online. Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks.
It is unknown if the attacks against Dyn DNS are linked to the DDoS attacks against Krebs, OVH, or other previous attacks. Given the proliferation of the Mirai malware, the relationship between the ongoing Dyn DDoS attacks, previous attacks, and “Anna_Senpai” is unclear.
As of 17:30 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks. Flashpoint will continue to monitor the situation to ensure that our clients are provided with timely threat intelligence data.