The Hunt for IoT: The Rise of Thingbots

With “thingbots” now launching Death Star-sized DDoS attacks, hosting banking trojans, and causing physical destruction, all signs point to them becoming the attacker infrastructure of the future.
August 09, 2017
28 min. read

Executive Summary

The Internet of Things (IoT) and, specifically, the hunt for exploitable IoT devices by attackers, has been a primary area of research for F5 Labs for over a year now—and with good reason. IoT devices are becoming the “cyberweapon delivery system of choice” by today’s botnet-building attackers. And, why not? There are literally billions of them in the world, most of which are readily accessible (via Telnet) and easily hacked (due to lack of security controls). Why would attackers rent expensive resources in hosting environments to build their botnets when so many devices are “free” for the taking?

Across all of our research, every indication is that today’s botnets, or “thingbots” (built exclusively from IoT devices) will become the infrastructure for a future darknet.*

In our third semi-annual report on this topic, we continue to track Telnet attack activity and, through a series of global maps showing infected systems, we track the progression of Mirai, as well as a new thingbot called Persirai. We also include a list of the administrative credentials attackers most frequently use when launching brute force attacks against IoT devices.


Mirai systems in Europe — June 2017

Mirai systems in Europe — June 2017


Here are the key findings based on analysis of data collected between January 1 through June 30, 2017:

  • Telnet attack activity grew 280% from the previous period, which included massive growth due to the Mirai malware and subsequent attacks.
  • The level of attacking activity at the time of publishing doesn’t equate to the current size of Mirai or Persirai, indicating there are other thingbots being built that we don’t yet know about. Since there haven’t been any massive attacks post Mirai, it’s likely these thingbots are just ready and waiting to unleash their next round of attacks.


Level of attacking activity is exponentially larger than what it took to build Mirai

Level of attacking activity is exponentially larger than what it took to build Mirai


  • 93% of this period’s attacks occurred in January and February while activity significantly declined in March through June. This could mean that the attacker “recon” phase has ended and that the “build only” phase has begun. Or, it could just be that attackers were momentarily distracted (enticed) by the Shadow Brokers’ release of EternalBlue.*
  • The top attacking country in this reporting period was Spain, launching 83% of all attacks, while activity from China, the top attacking country from the prior two periods, dropped off significantly, contributing less than 1% to the total attack volume. (Has China cleaned up compromised IoT systems?)
  • The top 10 attacking IP addresses all came from one hosting provider network in Spain: SoloGigabit.
    • SoloGigabit was the source of all attacks coming from Spain in this period. Given that SoloGigabit is a hosting provider with a “bullet proof” reputation, we assume this was direct threat actor traffic rather than compromised IoT devices being forced by their thingbot master to attack.
  • The top 50 attacking IP addresses resolve to ISP/telecom companies, and hosting providers. While there were more ISPs and telecom IP addresses on the top 50 list, when looking at volume of attacks by industry, the overwhelming number came from hosting providers.
  • Although IoT devices are known for launching DDoS attacks, they’re also being used in vigilante thingbots to take out vulnerable IoT infrastructure before they are used in attacks*and to host banking trojan infrastructure.* IoT devices have also been subject to hacktivism attacks,* and are the target of nation-state cyber warfare attacks.*
  • As we see in this report with Persirai, attackers are now building thingbots based on specific disclosed vulnerabilities* rather than having to launch a large recon scan followed by brute forcing credentials.



From a manufacturing and security perspective, the state of IoT devices hasn’t changed, nor did we expect it to. In the short term, IoT devices will continue to be one of the most highly exploitable tools in attackers’ cyber arsenals. We will continue to see massive thingbots being built until IoT manufacturers are forced to secure these devices, recall products, or bow to pressure from buyers who simply refuse to purchase vulnerable devices.

In the meantime, responsible organizations can do their best to protect themselves by having a DDoS strategy in place, ensuring redundancy for critical services, implementing credential stuffing solutions, and continually educating employees about the potential dangers of IoT devices and how to use them safely.

To see the full version of this report, click “Download” below.


Join the Discussion
Authors & Contributors
Sara Boddy (Author)
Justin Shattuck (Author)

*For citations, please see the full PDF version of this report.

What's trending?

Forward and Reverse Shells
Forward and Reverse Shells
09/15/2023 article 5 min. read
Web Shells: Understanding Attackers’ Tools and Techniques
Web Shells: Understanding Attackers’ Tools and Techniques
07/06/2023 article 6 min. read
What Is Zero Trust Architecture (ZTA)?
What Is Zero Trust Architecture (ZTA)?
07/05/2022 article 13 min. read