A Mirai botnet used by hackers to unleash a massive DDoS attack that crippled US Internet access two weeks ago has found its way to Liberia, attacking the country's entire internet infrastructure over the past seven days, according to a UK-based IT security expert who says he has been closely monitoring the attacks.
Kevin Beaumont writes about Botnet 14 in a blog post:
"Over the past week we've seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access. From monitoring we can see websites hosted in country going offline during the attacks — additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack. The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state."
The Africa Coast to Europe cable is the only submarine cable in Liberia. It is run by the Cable Consortium of Liberia, whose stakeholders include two telcos: MTN/LoneStarCell and Orange/Cellcom.
In what has been described as the largest attack of its kind in history, the Mirai botnet disrupted much of America's internet on October 21 after infecting the servers of Dyn, a company which serves as a switchboard for much of the internet's domain name system (DNS) infrastructure, bringing down sites including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US. Over 100,000 devices were infected.
In a Mirai attack like Botnet 14, open-source software is used to hijack Internet of Things (IoT) devices to produce an overwhelming flood of traffic toward targeted servers. The malware's ease of spread is attributed to its targeting mainly insecure IoT devices such as digital cameras and DVR players, a development which Dyn has stated highlights vulnerabilities in the security of IoT devices and which has sparked further dialogue in the internet infrastructure community about the future of the internet.
"As of 1PM today UK time," Beaumont states in his November 3 post, "the botnet continues to intermittently attack Liberia telecom providers who co-own the submarine cable."
Responding to a story from an employee of an affected local telco, Beaumont tweeted that all the botnet attacks had stopped following the publication of his post.
The attacks are live-tweeted at @MiraiAttacks.