Three youths, including an Indian American, pleaded guilty to attacking thousands of computers and IoT devices using malware written by one of them.
Indian American Paras Jha, 21, of Fanwood, New Jersey; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana, pleaded guilty to criminal informations in the District of Alaska charging them each with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet, the Justice Department announced Wednesday.
According to the department, White, Jha, and Norman created a powerful botnet – a collection of computers infected with malicious software and controlled as a group without the knowledge or permission of the computers’ owners – in the summer and fall of 2016.
The Mirai Botnet targeted IoT devices – non-traditional computing devices that were connected to the Internet, including wireless cameras, routers, and digital video recorders.
The defendants attempted to discover both known and previously undisclosed vulnerabilities that allowed them to surreptitiously attain control over the victim devices for the purpose of forcing the devices to participate in the Mirai Botnet.
They used the botnet to conduct a number of powerful distributed denial-of-service, or “DDoS,” attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers.
The defendants’ involvement with the original Mirai variant ended in the fall of 2016 when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks.
On Dec. 8, Paras Jha and Dalton Norman also pleaded guilty to the criminal information in the District of Alaska charging each with conspiracy to violate the Computer Fraud & Abuse Act.
From December 2016 to February 2017, they successfully infected over 100,000 primarily US-based computing devices with malware. That malware caused the hijacked home Internet routers and other devices to form a powerful botnet.
The victim devices were used primarily in advertising fraud, including “click fraud,” a type of Internet-based scheme that makes it appear that a real user has “clicked” on an advertisement for the purpose of artificially generating revenue.
On Dec. 13, Paras Jha pleaded guilty in the District of New Jersey to violating the Computer Fraud & Abuse Act. Between November 2014 and September 2016, Jha executed a series of attacks on the networks of Rutgers University.
Jha’s attacks effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments.
“The Mirai and Clickfraud botnet schemes are powerful reminders that as we continue on a path of a more interconnected world, we must guard against the threats posed by cybercriminals that can quickly weaponize technological developments to cause vast and varied types of harm,” said Acting Assistant Attorney General John P. Cronan.
“The Criminal Division will remain constantly vigilant in combating these sophisticated schemes, prosecuting cybercriminals, and protecting the American people,” Cronan added.