DDoS Botnet Operator arrested in Ukraine with 100,000 Compromised Devices

Law enforcement authorities in Ukraine arrested a threat actor believed to be behind the creation and operation of a “powerful botnet.” The authorities stated that the hacker had built the botnet from more than 100,000 compromised devices to conduct distributed denial-of-service (DDoS) attacks. The devices were also used to conduct spam attacks.

The authorities stated that the individual in question comes from the Ivano-Frankivsk region of Ukraine. The threat actor conducted these attacks on behalf of paying customers, effectively acting as a link between the customers and the threat actors.

The threat actor's mode of operation included using the automated network to identify weaknesses in websites. Once a vulnerability had been detected, the threat actor broke into the websites and launched brute-force attacks to guess the email passwords of various accounts.

According to Ukrainian police, the suspect was arrested at his residence. The raid on the residence uncovered evidence, including computer equipment, that would be used to prove he had been using these devices to conduct cyber-crime activities.

A press statement by the Security Service of Ukraine further stated that this hacker used to look for “customers on the closed forums and Telegram chats and payments were made via blocked electronic payment systems.”

The authorities also stated that the suspect used WebMoney, a payment and instant-payment platform that has already been banned in Ukraine and is subject to sanctions imposed by the National Security and Defense Council. Notably, the suspect used his real address to create the WebMoney account, which allowed law enforcement authorities to locate and raid his residence.

This arrest comes as the number of DDoS attacks across different countries has been on the rise. Weeks before the suspect’s arrest, Rostelecom-Solar, a cybersecurity firm based in Russia and a subsidiary of the telecom firm Rostelecom, stated that it had detected and prevented a DDoS attack.

In a statement issued in late September, Rostelecom-Solar stated that it had sinkholed a significant part of the Meris DDoS botnet. This botnet is believed to have compromised around 250,000 hosts into its mesh.

The company stated that it had evaluated the infected devices by intercepting and analyzing the commands the threat actors used to control them. This analysis allowed the firm to identify 45,000 network devices and their geographical locations, after which it isolated them from the botnet.

The investigation further revealed that more than 20% of the compromised devices were based in Brazil. Ukraine, Indonesia, Poland and India also accounted for a significant share of the compromised devices.

The report by Rostelecom further stated that the Meris botnet was made up mainly of MikroTik hardware, which is commonly used by home internet users. Specific software versions on these devices contain weaknesses that threat actors can exploit to gain access to them. Once the hackers have control over the devices, they combine them into a single network controlled from one or more locations.

The US has also been a victim of DDoS attacks. In September, Bandwidth.com, a Voice over Internet Protocol (VoIP) services firm, reported an outage following several reports that it was under DDoS attack.

Bandwidth CEO David Morken issued a statement on the outage, attributing it to a series of DDoS attacks targeting several critical communication service providers.

In the statement, Morken said: “While we have mitigated much-intended harm, we know some of you have been significantly impacted by this event. For that, I am truly sorry. You trust us with your mission-critical communications. There is nothing this team takes more seriously.”

Weeks before the Bandwidth DDoS attack was made public, VoIP.ms, a VoIP provider based in Canada, also suffered a massive ransom DDoS attack that lasted for weeks. The attack was attributed to the REvil ransomware group, which demanded $4.5 million to stop it.

The scope and nature of DDoS attacks are changing, becoming more frequent and more disruptive. Ransom DDoS attacks have also been on the rise. In August, Cloudflare stated that it had stopped the largest DDoS attack it had seen, in July. Cloudflare stated that the attempted attack reached 17.2 million requests per second, three times larger than any DDoS attack it had previously reported.