The Cyber Threat: Dyn Cyber Attack Highlights Internet of Things Hacking

Clapper says multi-national hacker group to blame

cyber computer
A system control center operator sits at his computer workstation at an AEP Transmission Operations Center in New Albany, Ohio / AP
October 24, 2016

A major cyber attack that disrupted Internet service for major users like Twitter and Amazon in parts of the United States on Friday was the first robot-based digital assault using the Internet of Things—millions of linked devices operating in concert.

The bad news from the outage is that cyber security analysts are predicting the cyber attack was likely first of many large-scale "distributed denial of service" cyber attacks, or DDoS—strikes that target internet service rather than seek to steal data.

Director of National Intelligence James Clapper told me the cyber attack on Dyn, an Internet server farm in New Hampshire, was the work of a multi-national hacker group. During a brief encounter during a banquet reception Saturday night Clapper did not elaborate, but other sources said a nation-state like China or Russia is not suspected at this point in the investigation.

A claim of responsibility was issued by a pro-Wikileaks group calling itself New World Hackers. The group tweeted Oct. 22 that "we're done hacking and have considered retirement." The group said it removed botnets from servers and disposed of them but noted "we may still hang around." Its claim of responsibility could not be verified.

Here's what happened. Around 7:00 a.m. Eastern Time, Dyn first detected it was under cyber assault from a major DDoS that was unlike others that had taken place in the past. The attack disrupted service on the east coast to some of the biggest users on the Internet, including Twitter, Paypal, Spotify, Amazon AWS, Amazon Ads, and Reddit. I first noticed my Twitter feed was down around 8:30 a.m.

Dyn was able to restore service some two hours later during what the company called a "historic attack." But the company was then hit by a second wave around 12:00 noon, and this effort was not limited to its domestic U.S. servers. The attack impacted overseas equipment that handled Internet traffic. Service was restored by 1:00 p.m. A third attack was not successful in disrupting service, according to a Dyn statement.

The monitoring site showed that during the height of the outages, large sections of Dyn's users in the eastern, southwest, and western United States were disrupted.


"At this point we know this was a sophisticated, highly distributed attack involving tens of millions of IP addresses," said Kyle York, Dyn's chief strategy officer, adding that a forensic investigation is under way to determine the exact cause.

"The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and Internet locations," York said in a statement.

The Homeland Security Department seems to have been caught off guard by the attack. While Homeland Security Secretary Jeh Johnson said in a statement Monday that Friday's cyber attack appears to have been thwarted, he added that the department is working "to develop a set of strategic principles for securing the Internet of Things" for release in the coming weeks.

Both Johnson and York, the Dyn strategy officer, said analysis of the cyber attack showed the hackers used a malicious software called Mirai that was only recently released into the open on the internet, increasing the risk that the malware will be used again.

"We observed tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," York said.

Mirai is a botnet code that takes control of devices used on what is called the Internet of Things—large numbers of electronic devices not directly connected to computers but all networked through the internet. The devices include webcams, security cameras, DVRs, smart TVs, routers, and similar devices.

The compromised devices are used mainly by home users and small businesses and often lack security capabilities that could prevent malware infection. Security companies also are taking steps to identify hijacked devices and disrupt the Mirai command and control system used in attacks, although the process of identifying the dangerous devices could take months or even years.

A website set up to track Mirai command and control domains and addresses showed that some of the attacks originated from Internet addresses in Moldova, Denmark, Germany, Russia, and China.

Security analysts disputed Dyn's claim that tens of millions of devices were part of the attack and said a more likely cause of the temporary outage was the use of between 50,000 and 100,000 hijacked devices.

One analyst said the Mirai botnet in the Friday attack used what was called "SYN flooding"—one of the more primitive forms of DDoS attack that does not require a high degree of sophistication.

Without getting too technical, the servers used by Dyn and similar firms translate human-readable site names—like ""—into numerical Internet addresses that allow users to access the sites. If this process is broken, as occurred Friday, users are blocked from reaching websites affected by the breakage. Email also will be disrupted.

Dyn servers crashed after receiving huge numbers of spoofed requests from the Mirai malware operating from the Internet of Things devices. The flood of electronic requests exceeded the servers' capacity to process the requests.

The FBI is conducting an investigation into the hacking.

"The number and type of attacks, the duration, the scale, and the complexity of these attacks are all on the rise," York said.

A Dyn spokesman did not respond when asked why the company, the largest of its kind, was unprepared for the DDoS attack.

The security firm SANS Technology Institute said defending against the new Mirai malware will be difficult for both small and large Internet companies and noted that the botnet can be used to attack web servers in addition to the types of service offered by Dyn

"At this point, there is no bullet proof defense against these attacks," SANS stated. "A temporary outage can likely not be avoided." The best solution is for companies and others vulnerable to the Internet of Things attacks to employ multiple domain name server (DNS) providers.

Security analysts told me the dangers of more attacks like the Dyn outage are likely.

The hackers achieved their goal of impacting large, well-known Internet sites like Twitter, a success that has created new fears of additional Mirai-based cyber attacks. A very real danger is that even more significant targets are vulnerable and will be struck in the future, including the networks used by airlines and other transportation systems, government sites, financial institutions, and other critical infrastructure.

The attack represents a new phase in information age digital warfare, and a danger that is likely to increase as both nation states and criminal hacker groups step up attacks through the Internet of Things.

The Cyber Threat column will be co-published on Flash//CRITIC Cyber Threat News at