In Harry Potter and the Chamber of Secrets, Mr. Weasley gives the advice, “Never trust anything that can think for itself if you can’t see where it keeps its brain."1 That is ever so true when it comes to Internet of Things (IoT) computers, a topic into which we will delve deeply in this second article of volume 6 of the Hunt for IoT research series. In this article, we focus on IoT botnets themselves—how these “thingbots” are made, who makes them, and the thingbots that have been discovered since Volume 5 of our Hunt for IoT Report in October 2018.
The answer to this question is both simple and disturbing: children, sophisticated nation-states, and every type of threat actor in between.
Building IoT botnets is a popular activity both in the young script kiddie world and within nation-state cyber groups. The conversation about young people hacking isn’t new. The United Nations Interregional Crime and Justice Research1 said in 2012 that 61% of hackers begin hacking before the age of 16. Per NCCU, in 2017, the average age of a cyber-crime suspect was 17 years old—in comparison to 37 for drugs, and 39 for fraud.2 Early interest in hacking isn’t novel, but what has changed is the rise in IoT devices deployed in a way that makes them easy to compromise, thereby presenting a unique new opportunity for teens and young adults. This opportunity is marketed to them through online games and shady game modding forums—it is not a coincidence that most thingbots are named after anime and gaming characters.
The authors of the most infamous thingbot, the Mirai botnet, were college students,3 first exposed to DDoS attacks through Minecraft,4 and their motive was not monetary. The DDoS attacks they launched against their University, Rutgers, were launched to delay upperclassmen from registering for a computer science class they wanted to take, and later to delay a calculus exam.5 Eventually, hacker celebrity played a part, which we can only assume motivated at least some of the copycat Mirai thingbots that have followed. With so many Mirai variants showing only minimal modification of the leaked code, we can only assume a lot of the threat actors building Mirai clones are likely young script kiddies. Sophisticated threat actors would write their own code, or at least modify existing code so it wouldn’t behave like a bot that has been fingerprinted by every security provider on the planet (as Mirai has).
Below is a tweet from a hacker who pwned a bunch of smart TVs stating he needed to go on hiatus until finals were over.