By Elise Thomas is a researcher at ASPI’s International Cyber Policy Centre|
A hacker has been jailed in the UK over his role in a massive cyberattack in Liberia in 2016, in a case which is likely to be a sign of things to come as hackers for hire become ever more available—and affordable.
Daniel Kaye, a 30-year-old dual UK–Israeli citizen and self-taught hacker, pleaded guilty and was sentenced to two years and eight months in prison for perpetrating a months-long cyberattack on a Liberian telecommunications company. Kaye has previously been charged and received a suspended sentence in Germany over a related hacking operation which affected German internet users.
Kaye used a method known as distributed denial of service (DDoS), which essentially works by swamping a system with so many requests that it crashes. In order to generate a large enough number of requests, Kaye took control of hundreds of thousands of internet-connected devices using a variant of the Mirai strain of malware. Mirai was used by another hacker in October 2016 to commit the largest ever DDoS attack, which took down a major chunk of the US internet. The malware infects vast numbers of poorly secured devices, including everything from routers to smart fridges, and strings them together into a ‘botnet’ that can be centrally directed to attack a single target—often without the owners of the infected devices being any the wiser.
Kaye’s botnet was not as big as the one used in the October 2016 attack on the US, but it was still one of the largest ever amassed. In November 2016, he began offering his botnet up for rent under his hacker nom de guerre, BestBuy.
By this stage, Kaye had already been approached by a senior executive at Cellcom, a Liberian telecommunications company, and hired at a rate of £7,800 (A$14,075) a month to attack rival telco Lonestar. According to the UK’s National Crime Agency, the November 2016 attacks were so large that they affected internet access across Liberia and caused millions of dollars’ worth of damage.
Then Kaye got cocky. Deciding his botnet wasn’t big enough, he attempted to take control of hundreds of thousands of Deutsche Telekom internet routers. In the process, he reportedly knocked more than 900,000 German users offline, including Cologne’s main sewage facility. Then in January 2017, his botnet launched attacks against three British banks (he later said that someone else had used his botnet for the attack and UK prosecutors dropped those charges). Kaye again attempted to take control of routers, this time in the UK. He knocked 100,000 British internet users offline and drew the attention of UK authorities in the process.
Kaye was arrested in February 2017 in London’s Luton airport. He was extradited to Germany, where he received a suspended sentence for knocking out the Deutsche Telekom routers. He was then passed back to UK authorities and convicted there. The head of the NCA’s National Cyber Crimes Unit, Mike Hulett, described Kaye as ‘one of the most significant cyber criminals arrested in the UK’.
Beyond Kaye’s individual conviction, however, this case is likely to be a sign of things to come. It incorporates (at least) three trends that will become increasingly important in the coming years, not only for policing cybercrime, but for national security and defence.
The first is the growing industry of hackers and hacking tools for hire. Hacking is increasingly available as a paid service and the cost is dropping all the time. The employee at Cellcom was able to hire Kaye for $14,000 a month to do millions in damage to a rival. Kaye’s services were affordable partly because he was using a variant of someone else’s malware, Mirai, and didn’t need to create bespoke cyber tools for the attack.
Tools which were previously accessible only to governments or high-level hackers are increasingly becoming available in off-the-shelf, relatively easy to use formats, meaning that hackers don’t need to be as skilled to operate them and therefore can’t charge as much for their services. A 2018 joint operation involving Europol and 11 countries including Australia took down an entire online marketplace geared specifically towards hiring out botnets for DDoS attacks.
Relatively low prices have made hiring a hacker a financially viable option for a range of actors, including organised criminals, political activists and countries without their own offensive cyber capabilities. For security and intelligence agencies, the lowered bar will radically change the landscape of potential cyber threats.
Second, the sheer size of the botnet which Kaye was able to assemble is an ominous sign for the future. More and more of the devices in our daily lives are connected to the internet, from our washing machines to our toothbrushes. They’re often poorly secured and highly vulnerable to attackers, and can be taken over without alerting the owner. Kaye’s original botnet was made up primarily of infected Chinese-made Dahua webcams.
The proliferation of poorly secured internet-connected devices enables the assembly of ever larger botnets, which in turn allows criminals to launch ever more powerful DDoS attacks. Kaye’s 2016 botnet was made up of hundreds of thousands of devices, but today single botnets are commandeering millions of infected computers. The phenomenal increase in scale has serious implications for the ability of governments, agencies and corporations to defend their systems against sustained DDoS attacks.
Third, Kaye’s case demonstrates the incredible capacity of poorly controlled cyberattacks to cause global collateral damage. What began as a case of corporate sabotage in Liberia ultimately knocked hundreds of thousands of people, businesses and at least one piece of major infrastructure offline.
The devastating NotPetya ransomware attack in 2017 is another example. In that case, malware allegedly used by Russia to attack Ukraine escaped and spread, causing hundreds of millions of dollars in damage around the world and impacting critical services including hospitals. As the power of the available cyber tools grows and the skill and cost required to operate them reduce, the risk of catastrophic unintended consequences from DDoS attacks will only become more severe.
Kaye’s prosecution is a success for international collaboration between law enforcement agencies on cybercrime, but it should also be taken as a warning sign. The growing marketplace of hackers for hire, combined with increasingly powerful and easy-to-use forms of malware, has major implications for the future of cybercrime, national security and counterterrorism.
By Elise Thomas is a researcher at ASPI’s International Cyber Policy Centre. Image courtesy of Clem Onojeghuo on Unsplash.