US takes down botnets used in record-breaking cyberattacks

collection Millions of compromised computers known as Aisuru and Kimwolf were used to launch some of the largest distributed denial of service (DDoS) attacks ever. Now US law enforcement agencies have wiped both from the Internet, along with two legions of other hijacked computers – known as botnets – in one massive takedown.

The US Department of Justice, working with the US Defense Department’s cybercrime agency known as the Defense Criminal Investigative Service, announced on Thursday that it had dismantled four massive botnets in a single operation, removing command and control servers used to control hacker-run armies of compromised machines known as JackSkid, Mossad, Aisuru and Kimwolf. Together, the four botnet operators amassed more than 3 million devices, often selling access to those devices to other criminal hackers, as well as using them to target victims with massive floods of attack attacks to take down websites and internet services, the Justice Department said.

Aisuru and Kimwolf, a distinct botnet but related to Aisuru, together comprised more than 1 million devices, according to DDoS defense firm Cloudflare, with Aisuru infecting a variety of devices from digital video recorders to network devices and webcams, and its Kimwolf branch also infecting Android devices including smart TVs and set-top boxes. Cloudflare says the two botnets, working together, carried out a cyberattack against a Cloudflare customer last November that accessed more than 30 terabytes of data per second, nearly three times the size of the previous largest such attack.

No arrests or takedowns were immediately announced, but the Justice Department statement noted that the US government was cooperating with Canadian and German authorities, “who targeted the individuals who operated these botnets.”

“The United States is steadfast in its commitment to protecting critical Internet infrastructure and fighting cybercriminals who jeopardize its security wherever they live,” U.S. Attorney Michael J. Heyman wrote in a statement.

Of the four botnets seized in the operation, Aisuru gained the most notoriety, thanks to a series of record-breaking or near-record cyberattacks it carried out last fall. Bots, whose use has been rented out like many “bootstrap” services that offer their brute force disruptive capabilities to anyone willing to pay, have been more vocal against gaming services like Minecraft and freelance cybersecurity journalist Brian Krebs. Krebs, who has extensively investigated the underground botnet and Isoro in particular, has been repeatedly attacked by the botnet in the past year.

Then in November, Cloudflare absorbed a record-breaking combined attack from Aisuru and Kimwolf that lasted just 35 seconds but reached 31.4 terabytes per second, an attack traffic volume close to three times the size of anything seen before. (The company did not reveal which of its customers were exposed to this attack.)

In a report on the state of the DDoS ecosystem, Cloudflare described the maximum attack traffic of the combined Aisuru and Kimwolf botnets as equivalent to “the combined populations of the UK, Germany and Spain all simultaneously typing in a website address and then pressing enter in the same second.” Cloudflare analysts wrote that the botnet was able to “launch DDoS attacks that can cripple critical infrastructure, disable most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire countries.”

In fact, all four of the botnets disrupted by the US operation were variants of Mirai, an Internet of Things botnet that debuted in 2016, broke records at the time in terms of the volume of cyberattacks it enabled, and was eventually used in an attack on domain name service provider Dyn that took down 175,000 websites simultaneously across much of the US. Since then, the Mirai codebase has served as a launching pad for a decade of other IoT botnets.