Are Mirai Hackers Testing or Flexing?
“The supreme art of war is to subdue the enemy without fighting.” —Sun Tzu
Last week, hackers targeted an infrastructure provider in Liberia with the Mirai botnet. Early reports suggested that the entire country had been knocked offline, but, in reality, the country suffered isolated outages, according to most reports. The country’s telecom authority downplayed the impact of the DDoS attack in an interview with the BBC but acknowledged that a cell provider there had suffered intermittent online attacks that disrupted its service.
Even if the first reports of the attack exaggerated its impact, the possibility of hackers targeting a nation state remains.
“The question I am asking is: ‘Why Liberia?’ There is not much to gain financially by attacking that country,” asks Thomas Pore, director of IT and Services at Plixer.
It is certainly an interesting target. Ravaged by Ebola in 2014, Liberia is one of the poorest countries on the planet. Only a small fraction of its population uses the internet.
One theory is that the latest attack was a test of denial-of-service techniques. “The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state,” writes security researcher Kevin Beaumont on Medium. Beaumont was one of the first people to write about the so-called #14 Mirai botnet.
Some security researchers theorize that the Liberia attack was a demonstration of power—a virtual flexing of muscles—that could be used to fuel future extortion attempts. Each attack gives hackers renewed ability to threaten: If you don’t pay me, I’ll knock your website or even your whole country offline. “The botnet owner is demonstrating that he wields an asset much more powerful than what currently exists,” said Chris Carlson, vice president of product management at Qualys. “This can force victims to pay extortion to avoid being [attacked] in the first place, or it can force attacked victims to pay extortion faster to restore service.”
But the attacks against Liberia were less sophisticated than the botnet attack that targeted DNS provider Dyn last month. “The attacks suggest that they are trying to go under the radar,” says Thomas Pore of Plixer. “There aren’t power Internet users in Liberia. But if you are weapons testing, you are going to choose a target that not too many people will notice. I think this latest attack was still testing.”
The clearest conclusion from the attacks is that there is little that can be done to stop them for now. “More than anything, this is an eye opener,” Pore says. “I don’t think this problem is going to go away. It may be more prevalent that it just becomes background noise. But I think we will see larger and larger attacks moving forward.”