US Takes Down Botnets Used in Record-Breaking Cyberattacks

Collections of millions of hacked computers known as Aisuru and Kimwolf have been used to launch one of the largest distributed denial-of-service (DDoS) attacks ever seen. Now United States law enforcement agencies have wiped them from the Internet, along with two other groups of hijacked computers, known as botnets, in the same massive takedown.

On Thursday, the U.S. Justice Department, working with the Defense Criminal Investigative Service, the cybercrime-fighting agency within the U.S. Department of Defense, announced it had destroyed four major botnets in a single operation, taking out the command-and-control servers used to direct the hacker-driven armies of compromised devices known as Jackskid, Mossad, Aisuru, and Kimwolf. The operators of the four botnets had together collected more than 3 million devices, the Justice Department said, and often sold access to those devices to other criminal hackers as well as using them to target victims with massive floods of attack traffic to knock websites and Internet services offline.

According to DDoS defense firm Cloudflare, Aisuru and Kimwolf, a separate but related botnet, together contained more than a million devices, with Aisuru infecting a variety of devices ranging from DVRs to network devices to webcams, and its Kimwolf branch infecting Android devices including smart TVs and set-top boxes. Cloudflare says the two botnets, working together, launched a cyberattack against a Cloudflare customer last November that reached more than 30 terabits of data per second, nearly three times the size of the previous largest attack.

No arrests were immediately announced with the takedown, but a Justice Department statement said the U.S. government was cooperating with Canadian and German authorities “to target the individuals operating these botnets.”

“The United States remains steadfast in our commitment to protecting critical Internet infrastructure and fighting cybercriminals who threaten its security, no matter where they reside,” American lawyer Michael J. Heyman wrote in a statement.

Of the four botnets taken down in the operation, Aisuru had gained the most notoriety thanks to a series of record-breaking or near-record cyberattacks it carried out in the past. The botnets, which like many such “booter” services were offered for hire, selling their brute-force disruptive capabilities to anyone willing to pay, have been used most blatantly against gaming services, Minecraft, and freelance cybersecurity journalist Brian Krebs. Krebs, who has extensively investigated underground botnets and Aisuru in particular, was the victim of repeated attacks from the botnet last year.

Then in November, Cloudflare absorbed a record-breaking joint attack from Aisuru and Kimwolf that lasted only 35 seconds but reached 31.4 terabits per second; the amount of traffic from the attack was close to three times the size of any previously seen. (The company has not said which of its customers were affected by that attack.)

In a report on the state of the DDoS ecosystem, Cloudflare described the maximum attack traffic of the combined Aisuru and Kimwolf botnets as “equivalent to the combined populations of the UK, Germany, and Spain simultaneously typing a website address and then pressing ‘Enter’ in the same second.” The botnet was “capable of launching DDoS attacks that can paralyze critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire countries,” Cloudflare analysts wrote.

In fact, all four botnets disrupted by the US operation were variants of Mirai, an Internet-of-Things botnet that first emerged in 2016, broke records at the time for the size of cyberattacks it was capable of, and was ultimately used in an attack on the domain-name service provider Dyn that took down 175,000 websites simultaneously across much of the United States. In the decade since, Mirai’s code base has served as the starting point for other Internet-of-Things botnets.


