After one botnet wreaked havoc in the US two weeks ago, another cut off internet access for an entire country.
Over the week of Oct. 31, a botnet called Botnet 14 pushed the country of Liberia offline by repeatedly attacking IP addresses owned by the two companies that co-own Liberia’s only fiber cable. The attacks were reported by a Twitter account called @MiraiAttacks, which tweets alerts of attacks along with the domains of targeted sites, as they happen.
UK-based security researcher Kevin Beaumont noticed unusually high activity from @MiraiAttacks, and was among the first to identify Liberia as the target.
“The attacks were in short bursts, a few minutes at a time, over the space of a week,” Beaumont told Quartz.
Telecom and internet services firm Level 3 confirmed to to ZDNet that it had “witnessed an attack against a telecommunications company in Liberia.” At least one person in Liberia also confirmed disruptions in service. The attacks appeared to have stopped by Nov. 2.
Why target Liberia? Hardly a power user of the internet, Liberia first got basic internet in 2011 through the offshore ACE cable, which provides a meager 5.1 terabytes per second for the whole country. As recently as July 2015, less than 6% of Liberia’s 4.3 million-strong population had internet access as of July 2015.
Maybe the hacker behind the attacks was just flexing her muscles, says Beaumont. “I believe the attacks were a test,” he said. “They were very short, but effective during that time.”
In a Mirai attack, hackers use open-source Mirai software to hijack internet-connected devices. The resulting ”botnet” can then be used to produce an overwhelming flood of traffic toward targeted servers. The more devices involved, the more crippling the attack. On Oct. 22, hackers used a similar network of internet-connected devices like baby monitors, DVRs, and printers, and other appliances to take down a series of US-based websites.
The October attack was a 1.1 terabyte-per-second attack, the biggest ever. ZDNet reports that the attack on Liberia also ranks high, at 500 gigabits per second.
After Beaumont flagged the Liberia attack, he noticed that attack logs being tweeted by @MiraiAttack appeared to name him. MalwareTech, the company that established @MiraiAttacks, was also mentioned in a separate tweet. He realized that the hackers behind the botnet were using the Twitter bot to communicate with everyone monitoring them.
“When I started to see messages in the attack commands clearly written towards those monitoring, it felt really strange,” Beaumont told Quartz. “Like, not what I was expecting. When they mentioned what I presume to be me, it was clear they were reading my tweets, and that was.. interesting. I believe they are trying to silence research.”