Mirai botnet perpetrators plead guilty

Three individuals pleaded guilty Dec. 8 for their role in the 2016 Mirai botnet attack that choked off access to large portions of the internet.

Paras Jha, 21, Josiah White, 20, and Dalton Norman, 21, all pleaded guilty to violating of the Computer Fraud and Abuse Act in the District Court of Alaska. The plea agreement for Jha indicates that federal prosecutors agreed not to bring additional charges in exchange for the defendants pleading guilty.

According to those same documents, the three individuals began working together in August 2016, scanning the internet for unprotected internet of things devices. Using both known and previously unknown vulnerabilities, the trio took over more than 300,000 IoT devices in order to conduct distributed denial of service attacks against entities for the purposes of revenge and extortion of ransom payments.

The three also admitted to renting out their botnet to other unnamed criminal groups for their own similar attacks. A release from the Department of Justice announcing the decision mentions that two of the individuals, Jha and Norman, pleaded guilty on Dec. 8 to separate charges related to botnet DDOS attacks between December 2016 and February 2017. Jha also pleaded guilty to a series of cyber attacks directed at Rutgers University between 2014 and 2016. Jha faces up to five years in prison and a $250,000 fine.

"The Mirai and Clickfraud botnet schemes are powerful reminders that as we continue on a path of a more interconnected world, we must guard against the threats posed by cybercriminals that can quickly weaponize technological developments," said John P. Cronan, acting assistant attorney general for the Department of Justice’s criminal division, in a statement announcing the plea deals.

The Mirai botnet attack sent shockwaves through the cybersecurity community, demonstrating just how vulnerable the companies that provide the internet’s backbone are to straightforward DDOS attacks. It also heightened existing concerns around the security of IoT devices, which number in the billions and are subject to little to no regulation.

In October 2017, two Democratic congressman introduced legislation that would establish a voluntary framework for companies to identify and label IoT device security. And in August 2017, Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) introduced a bill that would ban unpatchable products and limit the type of devices that government agencies could purchase.