The three defendants behind the Mirai botnet, an online tool that wreaked havoc across the Internet in the fall of 2016 with some of the most powerful distributed denial of service attacks ever seen, will appear in court in Alaska on Thursday and ask the judge for an unusual sentence: they hope to be ordered to work for the FBI.
Josiah White, Paras Jha and Dalton Norman, each of whom was between 18 and 20 years old when they created and launched Mirai, pleaded guilty in December to creating the malicious program. The botnet, which seized control of hundreds of thousands of "Internet of Things" devices and united them into a digital army, began as a tool for attacking Minecraft hosts, but later grew into an online tsunami of malicious traffic that knocked out entire hosting providers. When it appeared, at the height of accusations that "Russian hackers" had interfered in the American elections, many feared that an unknown new adversary was about to bring down the Internet.
The creators, realizing that their creation had turned out to be much more powerful than they had supposed, panicked and published its source code. This is a standard tactic of hackers, who hope that when the authorities reach them, they will find no code that is not already publicly available, so that its creation cannot easily be pinned on them. The publication of the code led to other attacks that fall, one of which left most of the Internet unavailable on the east coast of the United States for a day in October.
According to court documents, the US government recommends that each of these three receive a five-year suspended sentence and 2500 hours of community service.
The nuance, however, lies in exactly how the government wants them to serve out that term: "Next, the US is asking the Court, in consultation with the Probation Committee, to define community service in the form of ongoing work with the FBI on combating cybercrime and ensuring cybersecurity," the sentencing memorandum states.
In a separate eight-page document, the government describes how, in the 18 months since the FBI's first contact with the trio, its members have worked actively with the agency and the broader cybersecurity community, applying their computer skills to noncriminal work. "Even before the charges were filed, the accused engaged in extensive and exceptional cooperation with the US government," the prosecutors wrote, saying that their cooperation "was remarkable both in scale and in consequence."
It turns out that the trio has already contributed to more than ten different operations related to law enforcement and the security of the country and the world. In one case, they helped private researchers hunt for a hacker group that was the source of an "advanced and constant threat"; in another, they worked with the FBI ahead of the previous Christmas to weaken DoS attacks. The court documents also mention that the trio worked undercover online and offline, traveled to "secretly document the actions of the subjects under investigation," and once even worked with law enforcement officers in another country to "ensure that the suspect uses a computer at the time of the search."
The government estimates that the trio has already accumulated more than 1000 hours in total helping the agency, which is equivalent to six months of work.
This year, the defendants worked with the FBI in Alaska to stop a new variety of DoS attack, known as Memcache, which abuses a legitimate Internet protocol designed to speed up the loading of websites in order to overload sites by sending ordinary requests. This little-known protocol was vulnerable, in particular, because many servers lacked authorization, which left them open to abuse.
The court documents describe how Norman, Jha and White eagerly set to work in March, when the attacks began to spread across the Internet, working together with the FBI and the security industry to identify attack-prone servers. The FBI then contacted companies and manufacturers that could suffer from these attacks to help soften the blow. "Thanks to the quick work of the accused, the volume and frequency of Memcache DoS attacks were reduced within a few weeks, the attacks became functionally useless, and their volume was a small fraction of what it was originally," the prosecutors' report says.
Interestingly, the trio's work for the government was not limited to preventing DoS attacks. Prosecutors describe a large body of programming work done by the defendants, including the creation of a program to facilitate the tracking of cryptocurrencies and associated private keys in various currencies. The court documents give no details about the program, but according to the report, it takes various cryptocurrency blockchain data as input and renders it in graphical form, which helps investigators analyze suspicious online wallets. "This program and its capabilities, created with the help of the accused, can seriously reduce the time it takes for law enforcement officials to conduct transaction analysis, because the program automatically determines the path of the selected wallet," the report says.
According to sources close to the case, the Mirai investigation offered a unique opportunity to recruit defendants who had demonstrated excellent computer skills, steering them away from breaking the law and toward legitimate computer security work.
The government points to the trio's immaturity in its sentencing recommendations, noting "the difference between their online image, where they were important, known and malicious hackers in the field of criminal DoS attacks, and their relatively dull real lives in which they were unknown to anyone, immature young people living with their parents." None of them had been accused of crimes before, and the government notes the attempts of all three at "positive professional and educational development, with varying success." As noted in the report, "it was the lack of progress in the described areas that led the defendants to the criminal actions discussed here."
In a separate note, the lawyer for Josiah White, who was home-schooled and graduated from the Pennsylvania Cyber School in the year Mirai was launched, explains: "He made a mistake, made the wrong decision, but then turned it into very useful actions for the government and a training system for himself."
Having caught the creators of Mirai, the government hopes to redirect them to a more productive life, starting with 2500 hours of work with the FBI, security experts and engineers. As the prosecutors wrote: "All three will have good prospects for training and employment if they decide to use them instead of continuing to engage in crime." That amounts to roughly a full year of full-time work for the FBI, which will likely be spread across the five-year suspended sentence.
Interestingly, the court documents describe the defendants' ongoing work on other DoS attack cases, and state that the FBI office in Alaska continues to "investigate many groups responsible for large-scale DoS attacks and seeks to continue working with the accused."
The small FBI cyber squad in Anchorage was formed only recently, and over the past few years it has become the main force in the fight against botnets. Just last week, division head William Walton traveled to Washington to receive one of the agency's highest awards from the FBI director for his work on the Mirai case. The same week, Russian hacker Peter Levashov, creator of the Kelihos botnet, pleaded guilty in a Connecticut court in another case, also worked by the FBI unit from Anchorage and the cyber department from New Haven. Judging by the court documents, the defendants in the Mirai case had a hand in this botnet case as well, helping to develop the scripts that identified the victims of Kelihos after the sudden seizure of control over the botnet and the arrest of Levashov in Spain last April.
The investigation into the Mirai case, led by agents Elliot Peterson and Doug Klein, echoes another of Peterson's cases in an interesting way. In 2014, the agent led the indictment of Evgeny Bogachev, one of the most wanted cybercriminals on the FBI's list, who allegedly committed many financial crimes through the GameOver Zeus botnet. In that case, investigators determined that Bogachev, who lived in Anapa, was behind many versions of the malicious software known as Zeus, a favorite tool for hacker attacks in the digital underground, something like the Microsoft Office of online fraud. The FBI had been hunting Bogachev for years across several cases while he developed new, improved versions of the software. In 2014, during investigative work related to GameOver Zeus, investigators concluded that Bogachev was cooperating with Russian intelligence to turn the botnet's capabilities toward gathering intelligence and searching for secret information on infected computers in countries such as Turkey, Ukraine and Georgia.
The GameOver Zeus case was one of the earliest examples of the now-common pattern of Russian criminals cooperating with Russian intelligence services. In a similar case, which became known last year, the US government described how well-known Russian hacker Alexey Belan worked with two representatives of the Russian special services on hacking Yahoo. The blurring of the line between online criminals and the Russian special services has become a key factor in turning the country into a state that does not recognize international norms, the most recent example of which was the launch of the NotPetya ransomware.
In the Alaska courtroom, the FBI will offer its own version of how a government can approach a similar problem. It, too, is happy to draw on the expertise of criminal hackers caught within the country. But first it makes them stop their criminal activity, and then it turns their computer skills toward preserving the safety and health of the global Internet.