The dynamic of the Internet of Things shows us the daily progress of digitalization. More and more devices are connected to the Internet, providing users comfort and efficiency. The market is perpetually filled with new devices and the variety of functions attracts many users. Today, there is already a huge network of data, servers and connected intelligent devices – which represents a new, enormous target for cybercriminals thanks to the unaddressed security vulnerabilities of smart devices.

The malware Mirai took advantage of this weakness: In October 2016, this botnet virus became widely known for the first time thanks to the largest DDoS attack ever launched, which targeted the DNS provider “Dyn.” As a result, the websites and services of many international companies, including Amazon, Netflix and Spotify were unavailable for a long time. For businesses, this can mean a loss of millions. What exactly is the story behind this malware that exploits the weaknesses created by technological progress?

The origin of the Mega Botnet

2016 wasn’t the first time such an IoT botnet “hit” the market. According to independent security journalist Brian Krebs from, Mirai-like predecessors known as Bashlite, Gafgytm, QBot, Remaiten and Torlus have existed since 2014. The Botcode of Mirai was created from the improved codes of its forerunners and compiled by several developers. It was finalized by a group of hackers who joined forces in 2014 and started DDoS attacks on competing Minecraft servers. The group went by the pseudonym “lelddos,” using the Mirai Botnet to slow the servers or take them off the Internet, which cost their operators a lot of money.

Mirai has been designed to eliminate malware from already-infected IoT devices and eventually take it over itself. Affected devices, then look for other vulnerable devices to take over. Due to the growing number of IoT products controlled by Mirai, the botnet became more extensive, and hackers attempted larger targets. In September 2016, the French hosting company OVH suffered a DDoS attack with a total capacity of up to 1.5 terabits per second.

Shortly after that attack, one of the co-developers—Mirais—published the source code of the malware online under the name “Anna-Senpai.” Thus, the author enabled many hackers to copy and further develop the code. The release led to a rapid increase in imitators operating their own Mirai botnets. This eventually ended in an attack on Dyn’s server just a month later. Due to the amount of new variations of Mirai, tracing those responsible became much more difficult. But only a few weeks after that, the FBI tracked down three young Americans.

On December 5th,  2017, the hackers pleaded guilty in an Alaskan court to developing the malware and merging it into a botnet to harm companies and “other targets.” According to court documents, the cybercriminal group also planned to earn money with its own DDoS-as-a-Service offer and racketeering. To avoid a prison sentence, the 21- and 22-year-old hackers agreed to assist the FBI in solving complex cybercrime investigations. Nevertheless, the penalty included a 5-year suspended sentence, 2500 hours of community service and $127,000 in refunds. Although these criminal malware developers are now kept in check, the malware code still exists and can be reused, converted and improved by other hackers.

The Return of Mirai

In March 2019, security experts discovered a new type of Mirai, which is aimed primarily at IoT devices within companies. Cybercriminals expect this to increase their attack power even more as they gain access to greater bandwidth over corporate networks. The new Mirai version contains several more features, including 11 additional exploits, bringing the total number of exploits in the malware to 27. These additional features give the program an even larger attack surface. The malware spreads primarily through presentation systems, smart TVs, routers and IP cameras.
Companies are advised to change the credentials of their implemented IoT devices and to consider the security of these devices in their IT security strategy as well.

This development shows the uncertainty IoT devices face in the digitized world – and underscores the need to ensure their security for businesses and users. A study by the Berkeley School of Information and the Center for Long-Term Cybersecurity (CLTC) identified the total cost for consumers related to a hack of a smart device and the additional power consumption when that device is involved in a cyberattack: For example, the combined costs of the attack on Dyn in October 2016 amounted to around 115,000 dollars for IoT users. In a worst-case scenario, the calculator results in a sum of about 68 million dollars—or about 100 dollars per user—for a DDoS attack involving 600,000 IoT devices.

The rise of DDoS Attacks

The additional attack surface, which results from the very weakly protected Internet of Things, is also reflected in the increasing number of DDoS attacks on companies.

Three years ago, there were around 9,000 attacks per quarter on corporate infrastructure and servers in the German-speaking area, however, attacks increased year by year.
In the 1st quarter of 2019, there were already 11,177 DDoS attacks registered in Germany, Austria and Switzerland alone. But not only the number of attacks is on the upswing, the volume is also growing significantly. According to the Link11 DDoS Report Q1 2019, the largest DDoS attack in German-speaking countries reached a volume of 224 gigabits per second. With an increase of 70 percent compared with the same period last year, the average of the middle range of this quarter was already 3.8 Gbps. The Internet of Things is contributing significantly to the increased performance of attacks – a fact that underscores the critical importance of cybersecurity once again.