We now know the motive behind the devastating botnet that broke the internet in 2016, and it’s a far cry from any nation-state plot experts feared at the time.
Created by three college-age men, the crippling botnet was devised to gain an advantage in the popular platforming game Minecraft, according to a Wired report. Dubbed Mirai, the malware is best known for the distributed denial-of-service (DDoS) attack on online performance management company Dyn, which knocked some of the internet’s most popular websites offline. Twitter, Netflix, Spotify, Reddit, and many other online destinations couldn’t be accessed by millions of users, specifically those on the East Coast.
The three hackers who created the botnet—Paras Jha, Josiah White, and Dalton Norman—pleaded guilty on Friday, admitting it was first conceived to slow rival Minecraft servers. The Microsoft-owned video game, which has a userbase of more than 55 million, requires that gamers sign up to a server to play. There, they can pay real money to hosts to rent “space” and buy tools. Running a popular server could have huge financial benefits. An FBI investigator estimated hosts gain more than $100,000 for owning a crowded server.
If the three hackers could prevent users from using competing servers, they could get gamers to flock to their own and increase profits. To do this, they targeted a company that offers DDoS-mitigation tools for Minecraft servers. The attack sent servers crashing down. It didn’t take long before the three realized what their creation was capable of and how it could be used far beyond gaming.
“Mirai was originally developed to help them corner the Minecraft market, but then they realized what a powerful tool they built,” one FBI investigator told Wired. “Then it just became a challenge for them to make it as large as possible.”
In September 2016, in an attempt to confuse investigators, the Mirai creators posted the malware’s source code to Hack Forums along with key information about 46 internet of things (IoT) devices. That opened the gates to other hackers, who used Mirai to launch 15,194 DDoS attacks between September 2016 and February 2017, according to the report. One of those was the attack on Dyn, which was conducted by exploiting weak security in IoT devices like webcams, sensors, and modems. That attack is still being investigated.
Another attack used Mirai to take out the internet in almost all of Liberia. While its creators have finally been revealed, the botnet is still being used today to conduct DDoS attacks.
“This particular saga is over, but Mirai still lives,” Justin Paine, the director of trust and safety at DDoS mitigation company Cloudflare, told Wired. “There’s a significant ongoing risk that’s continued, as the open source code has been repurposed by new actors. All these new updated versions are still out there.”