Through the end of 2016, and throughout 2017, multiple Mirai-based botnets targeted multiple Akamai customers. The very first Mirai attack against Akamai was a multi-day barrage, weighing in at a peak of 620/Gbps that sent shockwaves across the Internet. The same botnet would go on to conduct several hard hitting attacks across the Internet and cause widespread outages.
On December 13, 2017, the Department of Justice (DOJ) announced that multiple actors pled guilty to attacks linked to the original Mirai botnet. In this announcement they also listed Akamai and other organizations as a source of "additional assistance".
"Additional assistance was provided by the FBI's New Orleans and Pittsburgh Field Offices, the U.S. Attorney's Office for the Eastern District of Louisiana, the United Kingdom's National Crime Agency, the French General Directorate for Internal Security, the National Cyber-Forensics & Training Alliance, Palo Alto Networks Unit 42, Google, Cloudflare, Coinbase, Flashpoint, Yahoo and Akamai."
Researchers at Akamai have been involved in the dissection and tracking of the Mirai botnet from the very beginning and have been actively working to keep up with the evolution of Mirai and its many variants since. We want to use this opportunity to explain the role Akamai played in the research leading up to FBI's investigations.
In the hours following the initial attacks, researchers from Akamai SIRT, Flashpoint, CloudFlare, Google, Yahoo, Palo Alto Networks, and more, began to take notice and work toward understanding the who, what, why, and how that made attacks of this magnitude possible. Individuals at these organizations formed an informal working group in order to share the knowledge they were gleaning on the nature of the new threat.
Malware samples believed to be associated with a new, and mostly unknown, botnet were seen across several honeypots in the wild. This quickly-growing botnet was not only observed infecting honeypots, but was also identified based on its continually growing footprint of scanning and brute-forcing activities.
Researchers at Akamai began analyzing the malware to reverse engineer its network protocols and capabilities. The discoveries we made related to communication strategies, command and control protocol structures, attack capabilities, attack traffic signatures, as well as other valuable data was collected, documented, and ultimately shared to aid in collaboration across the working group of researchers and their respective organizations.
These findings and information proved valuable in helping other organizations defend against the Mirai botnet as well as assisting the FBI to understand, correlate, and attribute attacks back to specific botnets and suspected DDoS-for-hire operations.
We at Akamai appreciate the FBI and DOJ for acknowledging our hard work on the Mirai botnet research and their continued efforts to help victims and organizations to combat cybercrime.
Together we can all do our part to help make and keep the Internet "Fast, Reliable, and Secure".
High fives to everyone involved!