The collections of millions of hacked computers known as Aisuru and Kimwolf were used to launch some of the biggest distributed denial of service (DDoS) attacks ever seen. Today, U.S. law enforcement erased them both from the Internet, along with two other hordes of hacked computers, known as botnets, in a single takedown.
On Thursday, the U.S. Department of Justice, working with the Defense Department’s cybercrime agency, the Defense Criminal Investigative Service, announced that it had dismantled four massive botnets in a single operation, seizing the command-and-control servers used to direct the armies of compromised devices known as JackSkid, Mossad, Aisuru and Kimwolf. Together, the operators of the four botnets accumulated more than 3 million devices, the Justice Department said. They often sold access to those devices to other criminal hackers and also used them to flood victims with massive streams of attack traffic aimed at knocking websites and Internet services offline.
Aisuru and Kimwolf, a separate botnet linked to Aisuru, together comprised more than a million devices, according to DDoS defense company Cloudflare, with Aisuru infecting a variety of devices ranging from DVRs to network equipment to webcams, and its offshoot Kimwolf infecting Android devices including smart TVs and set-top boxes. Cloudflare says that the two botnets, working together, carried out a cyberattack against a Cloudflare customer last November that reached more than 30 terabits of data per second, nearly three times the size of the previous largest such attack.
No arrests were announced alongside the takedowns, but a press release from the Department of Justice stressed that the US government was working with Canadian and German authorities, “who were targeting the individuals who operated these botnets”.
“The United States is steadfast in our commitment to protecting critical internet infrastructure and fighting against cybercriminals who endanger their security, no matter where they live,” U.S. Attorney Michael J. Heyman wrote in a statement.
Among the four botnets dismantled during the operation, Aisuru is the one that gained the greatest notoriety, thanks to a series of record or near-record cyberattacks carried out last fall. The botnet, whose capabilities have been advertised by a number of for-hire services that offer its brute-force disruption to anyone willing to pay, has been visibly turned against gaming services like Minecraft and against independent cybersecurity journalist Brian Krebs. Krebs, who has extensively investigated the botnet underground and Aisuru in particular, suffered repeated attacks from the botnet last year.
Then, in November, Cloudflare absorbed a record combined attack from Aisuru and Kimwolf that lasted just 35 seconds but reached 31.4 terabits per second, a volume of attack traffic nearly triple that previously observed. (The company did not reveal which of its customers were affected by this attack.)
In a report on the state of the DDoS ecosystem, Cloudflare described the peak attack traffic from the combined Aisuru and Kimwolf botnets as equivalent to “the combined populations of the United Kingdom, Germany, and Spain simultaneously typing in a website address and then pressing ‘Enter’ at the same second.” The botnet was capable, according to Cloudflare analysts, of “launching DDoS attacks that can paralyze critical infrastructure, crash most cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations.”
In fact, the four botnets disrupted by the American operation were all variants of Mirai, an Internet of Things botnet that first appeared in 2016, broke records at the time for the scale of the cyberattacks it enabled, and was ultimately used in an attack on domain name service provider Dyn that took down 175,000 websites simultaneously across much of the United States. Mirai’s codebase has since served as the starting point for a decade of other Internet of Things botnets.
The four botnets targeted by the United States in Thursday’s takedown had all developed new techniques allowing them to infect types of devices that even Mirai had never been able to reach. Kimwolf, in particular, took advantage of cheap, Internet-connected gadgets that acted as “residential proxies,” which, often without their owners’ knowledge, allow hackers to reach into users’ home networks and compromise devices that are typically protected behind a home router, says Chad Seaman, senior security researcher at networking company Akamai. “This really shook the foundation of what we thought of as a secure home network,” Seaman says.
Seaman notes that cybersecurity researchers and law enforcement have been engaged in a months-long cat-and-mouse game with the botnet operators. Sometimes, he says, operators have resorted to inventive tricks, such as moving their domain name system onto the Ethereum blockchain to prevent their command-and-control servers from being hijacked.
Regardless of the results of Thursday’s takedown, Seaman says he has seen enough generations of DDoS operators, dating back to Mirai itself, to know that even if these four botnets have been permanently taken down, other hackers will undoubtedly rebuild new, massive collections of hacked machines to take their place.
“The game of cat and mouse continues. You catch one mouse and 10 others scurry under the refrigerator,” he says. “Cats will give priority to big mice. But it’s a long game.”