Learning from major cyber security incidents

4.3 Who were the attackers?

At the time of writing, it is still not known for sure who the attackers behind the Dyn attack were. Because botnets are available for hire, people with little technical knowledge can also launch attacks, so this attack did not have to be a state-sponsored one. One of the powerful botnets for hire at that time was vDOS; it was investigated and reported in depth by the freelance security journalist Brian Krebs, which subsequently led to it being shut down by the police (Krebs, 2016). It was believed that the extremely high-traffic (620 Gbit/s) DDoS attack on Krebs’s blog (Krebs on Security) in September 2016 was an act of retaliation against Krebs.

As Krebs’s investigation continued, the author of the Mirai malware released the source code on a hackers’ forum under the nickname Anna Senpai. It was believed this was done to distract police investigators rather than out of ‘generosity’ on the part of the malware authors. Nevertheless, Krebs eventually identified the authors of the malware in January 2017, based on analysis of data from DDoS mitigation services, study of the discussions in the hackers’ forums and interviews with people involved. The real identities of Mirai’s authors are 21-year-old Paras Jha from New Jersey and 20-year-old Josiah White from Pennsylvania, USA. The pair were co-founders of Protraf Solutions LLC, which, ironically, is a company that specialises in mitigating large-scale DDoS attacks! The pair were subsequently charged and pleaded guilty to creating the Mirai malware (though there was no convincing evidence to prove that they carried out the Dyn attack).

Paras Jha was a computer science student at Rutgers University, New Jersey, at that time. He also admitted attacking the university a number of times between 2015 and 2016, causing the university to spend hundreds of thousands of US dollars on improving its security. He was also suspected of being responsible for the attack on the French cloud company OVH in September 2016, which aimed to disrupt the gaming servers hosted by OVH in order to give an advantage to the gaming server he supported.

Apart from using the botnet to attack servers, Jha, White and a third person called Dalton Norman also admitted to conducting click fraud, a form of online advertising fraud that fools the advertiser into believing that the advertisement they host receives a much higher click rate than it actually does. As a result of the click fraud they received about 200 bitcoins, which were worth over $180 000 in January 2017 (Krebs, 2017).