A 21-year-old Washington man has pleaded guilty to creating botnets that converted hundreds of thousands of routers, cameras, and other Internet-facing devices into money-making denial-of-service fleets that could knock out entire Web hosting companies.
Kenneth Currin Schuchman of Vancouver, Washington, admitted in federal court documents on Tuesday that he and two other co-conspirators operated Sartori and at least two other botnets that collectively enslaved more than 800,000 Internet-of-Things devices. They then used those botnets to sell denial-of-service attacks that customers could order. Last October, while on supervisory release after being indicted for those crimes, Schuchman created a new botnet and also arranged a swatting attack on one of his co-conspirators, the plea agreement, which is signed by the hacker, said.
The crime outlined in the court documents started with the advent in late 2016 of Mirai, a botnet that changed the DDoS paradigm by capitalizing on two salient features of IoT devices: their sheer numbers and their notoriously bad security. Mirai scanned the Internet for devices that were protected by an easy-to-guess default password. When the botnet found one, it corralled it into a botnet that could overwhelm even large targets with more junk traffic than they could handle.
Within a few weeks, Mirai was producing record-setting DDoS attacks, one of which took out security site KrebsOnSecurity for days. In short order, the Mirai source code was openly published in an act that made it easy to spin up DIY clones of Mirai.
Schuchman used the Mirai source code to create a new botnet that quickly infected 100,000 routers. Schuchman, the plea deal said, bragged that the botnet allowed him and his co-conspirators to compromise 32,000 devices belonging to a large Canadian ISP, a feat he claimed allowed him to DDoS targets with bandwidth of an astounding 1 terabit per second. The secret to its success: Sartori, as the botnet was christened, exploited security vulnerabilities—some of which were zero-days—in infected devices, even when they were protected by strong passwords.
According to Tuesday’s plea deal, Schuchman used the monikers “Nexus” and “NexusZeta” to converse with co-conspirators using the handles Vamp and Drake. The trio’s goal was to improve upon Satori and build their own DDoS franchise. The results were Okiru, which exploited vulnerabilities in the Goahead family of surveillance cameras, and Masuta, which infected as many as 700,000 nodes by exploiting vulnerable Huawei and Gigabit Passive Optical Network (GPON) fiber-optic networking devices.
The plea agreement stated:
Logs during the Masuta time period depict a large number of attacks launched at the end of November by SCHUCHMAN, Drake, and others, including paying customers of the criminal botnet scheme. At this time, SCHUCHMAN also operated his own distinct DDoS botnet which he utilized to attack IP addresses associated with ProxyPipe. At the same time, SCHUCHMAN was also actively scanning the internet for vulnerable telnet devices for the purpose of identifying additional devices to incorporate into his active botnets. When SCHUCHMAN received abuse complaints related to the scanning, he responded in his father’s identity. SCHUCHMAN frequently used identification devices belonging to his father to further the criminal scheme.
It wasn’t hard for authorities to track down the real-world identity tied to Nexus and NexusZeta. He was indicted last August, but even then, his criminal conduct didn’t end. The plea agreement states:
SCHUCHMAN went so far as to create a new Qbot DDoS botnet variant on or about October 2018 while on supervised release after having been charged by indictment with creating and deploying DDoS botnets. SCHUCHMAN also used information gleaned from discovery in this matter to identify the whereabouts of his co-conspirator Drake for the purpose of facilitating a “swatting” attack that involved a fake 911 call alleging a hostage incident at Drake’s residence, triggering a substantial law enforcement response in October 2018.
Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. He faces a maximum penalty of 10 years in prison and $250,000 in fines, but the recommended sentence agreed to by prosecutors calls for penalties “at the low end of the guideline range.” The Daily Beast reports that Schuchman has Asperger’s syndrome, a condition that may also influence the judge hearing his case. Schuchman’s sentencing hearing is scheduled for November.