The same deadly malware behind the historic internet outage in the US in October seems to have been used to target the African nation of Liberia over the past week through a series of short attacks, temporarily taking the country offline . IT security researcher Kevin Beaumont wrote on Thursday (3 November) that these were distributed denial of service (DDoS) attacks. They harnessed a network of compromised computers to create a Mirai botnet, which was designed to flood its target with fake traffic and cripple its servers.
In October, a massive botnet powered by the Mirai malware targeted DNS provider Dyn to take down a portion of the internet in the US and parts of Europe, preventing users from accessing multiple major websites including Twitter, Netflix, Reddit and others. Beaumont said that the same cyberweapon was used to temporarily take down Liberia's internet as well using a Mirai botnet known as Botnet 14.
"Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access," Beaumont wrote. "From monitoring we can see websites hosted in country going offline during the attacks... The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state."
Dale Drew, chief security officer at Level 3 Communications also confirmed to ZDNet that it had "witnessed an attack against a telecommunications company in Liberia" powered by the Mirai botnet.
An employee at one Liberian mobile service provider reportedly confirmed the attacks saying they were already affecting business in the small African country, PC World reports.
Beaumont noted that one transit provider confirmed the short, intermittent attacks were over 500Gbps in size, adding that Botnet 14 is "extremely successful at attacking things."
"It is the largest of the Mirai botnets and the domain controlling it predates the attacks on Dyn," Beaumont wrote. "The capacity makes it one of the biggest DDoS botnets ever seen. Given the volume of traffic, it appears to be owned by the actor which attacked Dyn."
The October attack targeting Dyn measured 1.1tbps and was powered by thousands of infected IoT devices such as web cameras and digital recorders.
Earlier in October, the source code for the Mirai malware was leaked by a hacker group to the public. Security researcher Brian Krebs warned that the dangerous leak would "virtually guarantee that the internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices."
While it is still not clear who was responsible for the Liberian attacks, Beaumont noted that the attacks are likely a test.
The cyberattacks targeting Liberia were also tweeted by a Twitter account called @MiraiAttacks which monitors and tweets about attacks as they are occurring. After mentioning the Liberian attack, Beaumont then noticed that the Twitter account seemed to name him in a subsequent post, leading him to dub the botnet "Shadows Kill."
"When I started to see messages in the attack commands clearly written towards those monitoring, it felt really strange," Beaumont told Quartz. "When they mentioned what I presume to be me, it was clear they were reading my tweets, and that was... interesting. I believe they are trying to silence research."