Three men have pleaded guilty to federal hacking charges connected to developing the malware at the center of a massive cyberattack that crippled internet access in the U.S. and Europe late last year.
Paras Jha, Josiah White and Dalton Norman have each pleaded guilty to violating the Computer Fraud and Abuse Act in relation to their roles operating two botnets, or networks of compromised computers, including the Mirai botnet that encompassed hundreds of thousands of infected internet-connected devices and helped cripple websites such as Netflix and Twitter, the Department of Justice announced Wednesday.
Mirai emerged in late 2016 and was the first significant botnet to target IoT, or "Internet of Things" devices -- non-traditional devices that are connected to the internet, including surveillance cameras and digital video recorders, Acting Deputy Assistant Attorney General Richard Downing told reporters on a conference call.
"At its peak it was one of the largest IoT botnets ever recorded," ultimately encompassing over 300,000 devices, said Mr. Downing, according to charging documents unsealed Wednesday.
Federal prosecutors said cybercriminals including the defendants harnessed IoT devices infected with Mirai and subsequently used them to conduct distributed denial-of-service (DDoS) attacks -- a rudimentary but effective method of disrupting websites by overloading them with illegitimate internet traffic.
The defendants exploited Mirai for their own purposes starting in the summer of 2016, using their botnet to knock down websites and leasing it at times for financial gain.
Jha, a 20-year-old Rutgers University student and Mirai's main author, "conspired to conduct DDoS attacks against websites and web hosting companies located in the United States and abroad" and "demanded payment in exchange for halting the attack," according to court documents.
He published its source code online that December, and other cybercriminals ultimately used that code to conduct DDoS attacks of their own, according to his plea agreement.
Mirai was notably used in Dec. 2016 to wage an unprecedented DDoS attack against Dyn, a New Hampshire-based internet company, that disrupted access to websites including Twitter, CNN, The Guardian, Netflix, Reddit and others in the U.S. and Europe.
The Dyn assault happened after Mirai's source code was published, and the individuals identified Wednesday have not been charged in connection with that particular DDoS attack.
Jha and his co-defendants -- White, 20, and Norman, 21 -- pleaded guilty on Dec. 8 to two separate criminal informations in Alaska District Court related to Mirai and another "clickfraud" botnet they admittedly used for financial gain, the Justice Department said Wednesday.
Jha separately pleaded guilty Wednesday in New Jersey District Court in connection with waging DDoS attacks that disrupted computer systems at Rutgers University last year.
All three defendants are free pending sentencing at a later date, Mr. Downing told reporters.
© 2018 Washington Times under contract with NewsEdge/Acquire Media. All rights reserved.