Operator of Botnet Used for DDoS and Password Spraying Attacks Arrested in Ukraine

A hacker alleged to be the creator and manager of a powerful botnet consisting of more than 100,000 devices has been arrested by law enforcement officers in Ukraine. The unnamed hacker was arrested at his home in Prykarpattia and computer equipment was seized that was being used to control the botnet.

The botnet was used by paying customers for a variety of attacks, including Distributed Denial of Service (DDoS) attacks, spamming, penetration tests to identify and exploit vulnerabilities in remote devices and systems, and brute force password spraying attacks on email accounts and websites. Botnets on this scale can be used for incredibly destructive attacks.

According to the Security Service of Ukraine (SSU), the hacker used private forums and Telegram to find and communicate with customers and was paid for the illegal activities through electronic platforms such as Webmoney. Webmoney is a Russian money transfer platform, but its use is banned in Ukraine. Law enforcement was able to locate the hacker as he used his real home address to set up his Webmoney account.

The hacker will be charged with creation for the purpose of use, dissemination and distribution of harmful software or hardware and impeding the work of electronic computing machines, which is a violation of Part 2 of Art. 361-1 of the Ukrainian Criminal Code.

The Russian cybersecurity firm Rostelecom-Solar recently announced that it has taken down part of an even larger botnet. The botnet – named Mēris – is believed to consist of around 200,000 enslaved devices. The Mēris botnet was used to attack a variety of targets, including the Russian Internet giant Yandex. In that attack, the web infrastructure of Yandex was hit with millions of HTTP requests. The attack was a record breaker, peaking at 21.8 million requests per second (RPS). With an RPS that high, the botnet was capable of overwhelming almost any infrastructure.

Assisted by the Solar JSOC CERT Center for Early Detection of Cyber ​​Threats, Rostelecom-Solar successfully prevented an attempt by the operators of the botnet to add a further 45,000 new devices to the botnet,which would have increased its power by around 20%. The firm was able to identify the location of the devices, most of which were located in Brazil, Ukraine, Indonesia, Poland, and India, and isolated them from the botnet.

Last month, the U.S. Department of Justice charged an individual for using the WireX Android botnet to conduct a DDoS attack on a multinational U.S. hotel chain. Izzet Mert Ozek, who is believed to reside in Turkey, is alleged to have used the botnet on the hotel’s booking system in August 2017. The WireX Android botnet is estimated to consist of more than 120,000 unique IP addresses. Ozek has been charged with one count of intentionally causing damage and if apprehended, faces up to 10 years in federal prison for the attack.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news