I have to admit that when I heard about the historic (and it was historic) distributed denial of service (DDoS) cyber attack on the DNS provider, Dyn, which brought down Twitter, Amazon, and other major sites, I concluded that some nation state was behind it. It seemed too well thought out to be the work of amateurs. So my first suspicions went to Russia, China, or the US. All of them would have reasons for launching such a major attack.
First under suspicion would be Russia. This is because President Obama had recently threatened to launch a retaliatory attack against them for interfering in the US election. It could be that Russia launched such a DDoS attack as a warning to show what could happen if Obama actually decided to take this action. Cyberwar and nuclear war have one important element in common: both are constrained by the threat of a counterattack using the same weapons. For this reason, most cyber security experts think that an all-out cyberwar is highly unlikely because it would amount to a sort of cyber suicide.
China’s reasons for launching such an attack are a bit more obscure. However, there is little doubt that much of their cyber attack activity revolves around financial gain, such as stealing corporate secrets. Certainly, bringing down Twitter, Amazon and other sites had a financial impact, and such an impact could have benefited Chinese competitors. Perhaps there could even be more political motives behind such an attack; a shot across the bow, so to speak. But, in truth, China seems an unlikely actor in this attack.
So, why would the US want to bring down the internet? The reason for that may be a matter of coincidence. It just so happened that shortly before the attack, Julian Assange, of Wikileaks, announced on Twitter that he was about to release some important news. Since the US had just pressured Ecuador to shut down Assange’s internet access, it was apparent that stopping any leaks was important to them. But would they shut down all of Twitter plus other sites to stop these leaks? It seems like overkill, but it is not impossible. Still, the most likely culprit seemed to be Russia.
But then the focus seemed to shift to hacking gangs as the number of IoT devices infected by the Mirai botnet malware and used in the attack fell from the initially estimated tens of millions to around 100,000; a number which would be consistent with what could be controlled by a hacking group or several coordinated groups. Since the code for the Mirai malware was released online three months ago, it could easily have gotten into the hands of such groups. The security firm Flashpoint reported that they have a “moderate degree of confidence that the perpetrators behind this attack are most likely not politically motivated, and most likely not nation-state actors.” That seems to indicate that an organized hacking group or groups with experience in DDoS attacks were behind the takedown. However, Flashpoint, rather strangely in my view, concluded that the attack was the work of kids (known as ‘script kiddies’) just fooling around.
Soon after the attack, a hacking group specializing in DDoS attacks, New World Hackers, claimed responsibility for the one on Dyn. Interestingly, in an interview they gave that same day, they maintained that they controlled 100,000 IoT devices. At the time, that number seemed too small to do the damage that was done, and the claim was dismissed as nothing more than bragging. The New World Hackers retired two days later with a message, part of which is shown below.
If other hacking groups were involved in the attack, they would have had to be groups that already controlled large botnets and that had some agenda. These would include well known groups such as Anonymous and less well known, but successful, groups like Ghost Squad, all of whom have been sympathetic to Assange. Assange is well aware of them. This was why, early on in the attack, he asked his supporters (hacker supporters) to stop the attack.
But it is highly likely that this last DDoS attack will not be the last. Anonymous and other groups have been conducting something called Operation Icarus (OpIcarus) for some time now. Phase 4 of this operation is called Black October. In an interview given four days before the Dyn DDoS attack, a spokesman announced that October would be “the darkest month the New World Order has ever faced.” Their targets will be major banks and people they feel are somehow controlling the world, such as George Soros, the Clintons, and the Bush family. “Phase 4 is an all out cyber attack on all banks, market regulators and indeed elitists who have been trying hard to push us closer to world war 3.”
Well, October is almost finished, but if these hacking teams really wanted to create a black October scenario, what better day to make this happen than on Halloween? Of course, this may all be just talk. The other phases of Operation Icarus took place with limited success. Could they do it? Sure. I’m certain they have enough botnets to pull off an attack on some of the more poorly protected banks, especially those that don’t have a backup DNS server or those that don’t have the appropriate architecture to fend off a large DDoS attack. But even if they don’t, the fact remains that banks are the next big target. So banks should not be complacent if they survive October without either a DDoS attack or an attack that takes over their websites. They should also check whether they are named in the list of targeted banks. Then, they should begin preparing for the worst case scenario. In the cybersecurity world, it’s impossible to be too safe.