Mirai IoT Botnet Creators Plead Guilty for Roles in Cyber-Attacks

Three individuals plead guilty for their roles in Mirai cyber-attacks, as court documents provide new insight into how the IoT botnet operated.


Three of the individuals who were behind the Mirai internet of things botnet attack have pleaded guilty for their roles in the attacks that crippled parts of the internet in late 2016.  

On Dec. 5, Paras Jha, Josiah White and Dalton Norman pleaded guilty for their roles in the Mirai IoT botnet cyber-attacks, according to Department of Justice documents unsealed on Dec. 12. Mirai comprised 300,000 IoT devices infected with malicious code that enabled the botnet to launch distributed denial-of-service (DDoS) attacks.

"In or about July 2016, defendant Paras Jha wrote and implemented computer code with his co-conspirators that enabled them to control and direct devices infected with the Mirai malware," the plea agreement with Jha states.

The Mirai botnet became publicly known in September 2016, when it was used to attack security blogger Brian Krebs and internet service provider OVH. The attack against Kreb's site came in at 665G bps of attack traffic while the OVH attack had 799G bps. Mirai was also behind a massive DDoS attack against DynDNS in October 2016 that caused outages across the internet.

The plea agreement with Jha provides insight into the operations of Mirai. The court document notes that one feature of Mirai was the ability to conduct attacks against entire ranges of IP addresses. As such, a victim's entire network would be affected by an attack. 

"This feature, in conjunction with the very large size of the Mirai botnet, rendered useless many methods that are used to mitigate DDOS attacks," the plea agreement states. "Meaning that the attacks were capable of causing more network disruption than would be experienced in attacks by other DDOS services."

How Mirai Infected Devices

The plea agreement also provides insight into how IoT devices were infected with Mirai in the first place. Jha and his co-conspirators were able to discover both known and unknown vulnerabilities that allowed them to gain administrator access to victims’ devices. With that access, the attackers were able to force the vulnerable devices to participate in the Mirai botnet. 

"Utilizing undisclosed vulnerabilities meant that Jha and co-conspirators would not have to compete with other criminal actors seeking to develop illicit botnets for access to these devices," the court documents state.

The plea agreement also reveals that in August 2016, Mirai was used to attack an un-named U.S. company. According to the court documents, Jha contacted the company and demanded payment in exchange for halting the attack.

While Mirai infected IoT devices around the world, Jha set up the technical infrastructure for it on a virtual machine that he ran on his own computer at his home in New Jersey. 

The court documents also revealed the competitive nature of the botnet space. Jha engaged in a feud with rival botnet operators in August 2016, sending fraudulent abuse complaints to hosting providers associated with the rival group, according to the documents. 

The unsealed court documents do not detail how law enforcement found Jha, but they do note that he tried to evade detection. Not only did Jha erase the virtual machine he was using to control Mirai, but he also posted the Mirai source code online to further evade law enforcement actions.

"In or about September and October 2017, defendant Paras Jha took steps to destroy or conceal evidence from law enforcement," the plea agreement stated. "JHA posted the Mirai code online, in order to create plausible deniability if law enforcement found the code on computers controlled by JHA or his co-conspirators."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.