One of the big internet stories of 2016 ended up in an Anchorage courtroom last Friday

Garrett Graff reports at Wired,

THE MOST DRAMATIC cybersecurity story of 2016 came to a quiet conclusion Friday in an Anchorage courtroom, as three young American computer savants pleaded guilty to masterminding an unprecedented botnet—powered by unsecured internet-of-things devices like security cameras and wireless routers—that unleashed sweeping attacks on key internet services around the globe last fall. What drove them wasn’t anarchist politics or shadowy ties to a nation-state. It was Minecraft.

...As the 2016 US presidential election drew near, fears began to mount that the so-called Mirai botnet might be the work of a nation-state practicing for an attack that would cripple the country as voters went to the polls. The truth, as made clear in that Alaskan courtroom Friday—and unsealed by the Justice Department on Wednesday—was even stranger: The brains behind Mirai were a 21-year-old Rutgers college student from suburban New Jersey and his two college-age friends from outside Pittsburgh and New Orleans. All three—Paras Jha, Josiah White, and Dalton Norman, respectively—admitted their role in creating and launching Mirai into the world.

Originally, prosecutors say, the defendants hadn’t intended to bring down the internet—they had been trying to gain an advantage in the computer game Minecraft.

“They didn’t realize the power they were unleashing,” says FBI supervisory special agent Bill Walton. "This was the Manhattan Project."

...THE QUESTION WOULD lead the investigation deep into one of the internet’s strangest worlds, a $27 game with an online population of registered users—122 million—larger than the entire country of Egypt. Industry analysts report 55 million people play Minecraft each month, with as many as a million online at any given time.

The game, a three-dimensional sandbox with no particular goals, allows players to construct entire worlds by “mining” and building with cartoonish pixelated blocks. Its comparatively basic visual appeal—it has more in common with the first-generation videogames of the 1970s and 1980s than it does the polygon-intense lushness of Halo or Assassin’s Creed—belies a depth of imaginative exploration and experimentat...ion that has propelled it to be the second-best-selling videogame ever, behind only Tetris. The game and its virtual worlds were acquired by Microsoft in 2014 as part of a deal worth nearly $2.5 billion, and it has spawned numerous fan sites, explanatory wikis, and YouTube tutorials—even a real-life collection of Minecraft-themed Lego bricks.

...The huge income from successful servers had also spawned a mini cottage industry of launching DDoS attacks on competitors’ servers, in an attempt to woo away players frustrated at a slow connection. (There are even YouTube tutorials specifically aimed at teaching Minecraft DDoS, and free DDoS tools available at Github.) Similarly, Minecraft DDoS-mitigation services have sprung up as a way to protect a host’s server investment.

This was something new. Whereas gamers had become familiar with one-off DDoS attacks by booter services, the idea of DDoS as a business model for server hosts was startling. “This was a calculated business decision to shut down a competitor,” Peterson says.

“They just got greedy—they thought, ‘If we can knock off our competitors, we can corner the market on both servers and mitigation,’” Walton says.

As the attacks spread, the FBI worked with private-industry researchers to develop tools that allowed them to watch DDoS attacks as they unfolded, and track where the hijacked traffic was being directed—the online equivalent of the Shotspotter system that urban police departments use to detect the location of gunshots and dispatch themselves toward trouble. With the new tools, the FBI and private industry were able to see a looming DDoS attack unfold and help mitigate it in real time. “We really depended on the generosity of the private sector,” Peterson says.

“The concept of unsecured devices to be repurposed by bad guys to do bad things, that’s always been there,” says Paine, “but the sheer scale of insecure modems, DVRs, and webcams in combination with how horribly insecure they were as device really did a present a different kind of challenge.”

The Dyn attack catapulted Mirai to the front pages—and brought immense national pressure down on the agents chasing the case. Coming just weeks before the presidential election—one in which US intelligence officials had already warned about attempts by Russia to interfere—the Dyn and Mirai attacks led officials to worry that Mirai could be harnessed to affect voting and media coverage of the election. The FBI team scrambled for a week afterward with private-industry partners to secure critical online infrastructure and ensure that a botnet DDoS couldn’t disrupt Election Day.

That one of the big internet stories of 2016 would end up in an Anchorage courtroom last Friday—guided by assistant US attorney Adam Alexander to a guilty plea barely a year after the original offense, a remarkably rapid pace for cybercrimes—was a signal moment itself, marking an important maturation in the FBI’s national approach to cybercrimes.

Until recently, nearly all of the FBI’s major cybercrime prosecutions came out of just a handful of offices like Washington, New York, Pittsburgh, and Atlanta. Now, though, an increasing number of offices are gaining the sophistication and understanding to piece together time-consuming and technically complex internet cases.

What really surprised investigators, though, was that once they had Jha, White, and Norman in their sights, they discovered that the creators of Mirai had already found a new use for their powerful botnet: They’d given up DDoS attacks for something lower-profile—but also lucrative.

They were using their botnet to run an elaborate click-fraud scheme—directing about 100,000 compromised IoT devices, mostly home routers and modems, to visit advertising links en masse, making it appear that they were regular computer users. They were making thousands of dollars a month defrauding US and European advertisers, entirely off the radar, with no one the wiser. It was, as far as investigators could tell, a groundbreaking business model for an IoT botnet.

Read more here.