UK Sentences Man for Mirai DDoS Attacks Against Liberia

Daniel Kaye Was Paid to Disrupt Liberia's Largest Telecommunications Firm

In 2016, the small West African country of Liberia became a target for the Mirai botnet, leading to widespread disruptions and demonstrating just how devastating distributed denial-of-service attacks can be, especially when they get executed using tens of thousands of hijacked, internet-connected devices.

But Liberia, which has a population of 4.2 million people and a GDP ten times less than the state of Delaware, was a puzzling target, far off the path of other Mirai targets, which included the DNS services company Dyn.

The DDoS attacks in Liberia were directed at Lonestar MTN, the largest telecommunication provider in the country. It was hit with DDoS strikes that registered as much as 500 gigabits per second (see: Liberia Latest Target for Mirai Botnet).

The attacks cost Lonestar at least $600,000 to mitigate, plus tens of millions more because the disruptions caused customers to move to other providers, British authorities say.

On Friday, the perpetrator of the Lonestar attacks, 30-year-old Daniel Kaye of Egham, England, was sentenced in Blackfriars Crown Court to two years and eight months, according to the U.K.'s National Crime Agency.

Kaye pleaded guilty in December 2018 to creating the botnet and possessing criminal property. U.K. authorities described him as a "highly skilled and capable hacker-for-hire."

Hired Gun

Kaye admitted to having a hand in the Liberia attacks, which he began in October 2015. He has said he was paid $100,000 by one of Lonestar's internet service provider competitors, although he previously declined to name them.

According to the National Crime Agency, however, Kaye was paid by a senior official at Cellcom, who put him on a monthly retainer.

Orange Group acquired Cellcom in April 2016. Orange says in a statement to ISMG that it is aware of the action against Kaye but that it had no knowledge of the DDoS-for-hire arrangement.

"Orange had no knowledge of Cellcom's dealings with Mr Kaye, which were initiated prior to Orange's acquisition of the company," it says. "The Group is currently examining what possible legal actions could be taken to protect its interests."

Stressor/Booter Business Continues

DDoS attacks persist because there appears to be a ready base of customers who want to hire such attacks on demand. Service providers regularly advertise these "booter" or "stressor" services on underground forums (see: Feds Disrupt Top Stresser/Booter Services).

DDoS attacks can't be stopped, per se, except by taking individual service providers offline or arresting attackers. For attacks already in progress, the only avenue for mitigation remains methods such as filtering to try to divert bad traffic. Defending against DDoS isn't cheap, which has made such attacks an appealing way to financially hurt organizations.

Kaye, who went by the nicknames "BestBuy" and "Spiderman," had a hand in many other attacks using Mirai, including against Deutsche Telekom, Lloyds Banking Group and Barclays.

British authorities arrested Kaye when he entered the country in February 2017 after he'd been living and conducting attacks from Peyia, Cyprus. Authorities found $10,000 in $100 bills in his suitcase. He was then extradited to Germany (see: Mirai Malware Hacker Pleads Guilty in German Court).

Kaye pleaded guilty in Germany to offering DDoS services using Mirai. The attacks knocked offline about 1 million Deutsche Telekom customers (see: Mirai Botnet Knocks Out Deutsche Telekom Routers).

Internet of Things Worries

Mirai is designed to target internet-of-things devices, such as routers and digital video recorders used for CCTV cameras, that are directly connected to the internet. It was designed with a list of 64 hardcoded and default passwords, which it uses to try to gain access to devices. Once a device gets infected with Mirai, it typically seeks out other vulnerable devices to try to take them over as well (see: Botnets Keep Brute-Forcing Internet of Things Devices).

While experts had warned that internet-of-things devices with poor security configurations could be a disaster in the making, Mirai was the first example of those fears materializing.

Since Mirai debuted, many IoT device manufacturers have pledged to improve their security practices, including not shipping devices with default credentials. But many devices with risky configurations are still shipping, and there are millions of older devices with poor or missing security controls that may remain online for years to come.

Kaye didn't create Mirai. The code for Mirai was publicly released in September 2016, which caused scores of copycat attacks from attackers who embraced and adapted the same code.

For example, the version of Mirai that infected Deutsche Telekom was dubbed Mirai #14. That version used a botnet composed of Dahua security cameras, according to the National Crime Agency.

In September 2018, a federal court judge in Alaska sentenced the three developers of Mirai: Josiah White of Washington, Pennsylvania; Dalton Norman, of Metairie, Louisiana; and Paras Jha, of Fanwood, New Jersey. All received five years' probation and 2,500 hours of community service, and were ordered to pay $127,000 in restitution (see: Mirai Co-Author Gets House Arrest, $8.6 Million Fine).

One of Mirai's most prominent victims was Dyn, which at the time supplied DNS services to Twitter, Spotify, PayPal and many other popular websites (see: DDoS Attack Blamed for Massive Outages).

An attack in October 2016 disrupted Dyn's ability to answer DNS requests, which resolve a domain name into an IP address that a browser can connect to. It meant that those major services, while still online, simply couldn't be found by many internet users, especially across Europe and North America.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
