“BestBuy” Hacker Pleads Guilty

On Friday, 21 July 2017, a 29-year-old man pleaded guilty to hijacking over 900,000 routers from Deutsche Telekom’s network towards the end of 2016. The attack which leveraged a customized version of the Mirai malware according to the hacker accidentally denied many Germans and German companies without access to the internet impacting on their ability to conduct business. The hacker has not been named by authorities but has gone by the nickname “Spiderman”, “BestBuy”, and “Popopret”. The hacker may be sentenced to 10 years in prison, with sentencing scheduled for 28 July 2017.

Admissions in Court

While during court proceeding the 29-year-old accused admitted that it was never his intention to cause the routers to stop functioning completely. Rather it was his intention to use the hijacked routers as pawns in a DDoS attack. Accidently his version of Mirai shut down routers rather than assisting in executing the DDoS attack he had planned. A week later he did exactly the same thing, this time in the UK by accidentally shutting down 100,000 routers again denying users the ability to use the internet disrupting businesses. He has not been charged for the shutting down of the UK routers as of yet. The man was arrested in February of this year by UK police at a London airport and extradited to Germany to faces the charges brought forward by German police stationed in Cologne who also issued the international arrest warrant.

The man also admitted in court that he was hired by a Liberian ISP to carry out an attack against the ISP’s competitors. For the hackers services, he was to be paid 10,000 USD. The hijacking of the routers was intended to provide firepower for the DDoS botnet. The arrest of “BestBuy” can be seen as a feather in the cap of international law enforcement agencies. The hacker became synonymous with the criminal underground for coding and selling the GovRAT malware which was used to hack several US government agencies. In InfoArmor’s analysis of GovRAT attacks once becoming available for purchase stated that:

In November 2015, InfoArmor identified the GovRAT malware that possessed advanced cyber espionage functionalities and documented these findings in the GovRAT Intelligence Report. Research indicated that GovRAT and the bad actors involved were targeting government and military assets. InfoArmor alerted the identified agencies and targets in order to prevent data exfiltration and to collect actual and current IOCs. In mid-May 2016, the primary actor changed his nickname to “popopret” after being profiled by InfoArmor. During this time, his activities were combined with targeted attacks on US government resources, along with active data exfiltration from hacked Web resources with a sizeable number of federal employee contacts. Based on operatively-sourced information and data breach intelligence, the threat actor is working with a highly sophisticated group of cyber criminals that are selling stolen and fake digital certificates for mobile and PC-based malware code-signing used to bypass modern AV solutions for other possible APT campaigns.

Selling the source code for GovRAT was earning “BestBuy” between 1,000 USD and 6,000 USD depending on the package purchased by the threat actor. From this initially, a step towards notoriety it became clear to researchers and investigators that “BestBuy” had developed profitable links with the criminal underworld.

Possible Identity

While German authorities have not disclosed the hacker’s identity, investigative journalist Brian Krebs published an article naming Daniel Kaye, a UK citizen, as “BestBuy” and by default the hacker behind GovRAT. Within the article published by Krebs more than a few numbers of clues were put together in order to provide the identity of the hacker. Daniel Kaye is yet to confirm or deny the allegations and has not replied to multiple emails sent to him on a number of email addresses connected to him.

"bestbuy" hacker pleads guilty

BleepingComputer published the following timeline detailing the hack and subsequent arrest of “BestBuy”:

Early September 2016 - original Mirai IoT malware spotted online
Late September 2016 - a Mirai botnet was used to DDoS the blog of infosec investigative journalist Brian Krebs and the infrastructure of French hosting provider OVH
Early October 2016 - hacker Anna-senpai releases the source code of the Mirai malware online on HackForums
Early November 2016 - BestBuy starts advertising his DDoS-for-hire services, which utilize a massive botnet of 400,000 Mirai-infected hosts
Early November 2016 - a Mirai botnet attacks some Liberian ISPs
Late November 2016 - a buggy version of the Mirai malware causes 900,000 Deutsche Telekom routers to go offline in Germany
Early December 2016 - another buggy version of Mirai causes over 100,000 routers to go offline in the UK. Routers belonged to UK Postal Office, TalkTalk, and Kcom ISPs.
Late February 2017 - UK police arrest hacker BestBuy
Late July 2017 - BestBuy pleads guilty in a German court

A new trend develops

Researchers at Tripwire believe that although the Deutsche Telekom hack was a failure it may set the standard for a new trend of hacks leveraging Mirai. Mirai was seen as traditionally a tool to randomly guess passwords. In this instance, Mirai was proved to be a valuable tool to unleash an unprecedented attack on vulnerable Internet of Things devices that cannot be patched. Researchers at Shodan believe that the number of such vulnerable devices could run into the millions. Tripwire, as well as numerous other security specialists, have suggested vendors need to become more responsible in auditing source code used in their products. While manufacturers have looked to maximize profits by using open source code, this may result in a massive loss of profits further down the line for manufacturers.