Poor security is another clue that young novices are operating botnets. The Owari authors left their command and control (C&C) MySQL database wide open (port 3306), “protected” with both the username and password of “root.” Control of IoT devices is a highly competitive market, where rivals commonly DDoS each other. In one case, a competing attacker took over 29 IoT bots that were offering DDoS-for-hire services by brute forcing weak usernames and passwords—the very same method attackers use to compromise IoT devices from which they launch the DDoS attacks. It’s a novice mistake not to protect yourself from the very attacks you launch.

One 13-year-old bragged about building several IoT bots, expressing little concern about prosecution. He’s right; it’s unlikely he’ll get caught, and if he did, the resulting hacker celebrity almost guarantees a high paying cybersecurity job down the road. Even if the risk of indictment were high, the types of sentences handed out to cyber criminals (over the age of 18) is so laughable, it’s not a deterrent. The Mirai authors were prosecuted in both Alaska and New Jersey. In both cases, they were handed out 2,500 hours of “community service,” defined in the sentencing memorandum as “continued work with the FBI on cybercrime and cybersecurity matters.” In Alaska, they received no jail time, 5 years’ probation, and $127,000 in fines. In New Jersey, they were sentenced to 6 months house arrest, and $8.6 million in fines (based on Rutgers incident response costs from their DDoS attacks). The prosecutors in the Alaska case actually argued favorably for one of the defendants, stating that jail would “disrupt a remarkable transformation,” considering he had turned over a new leaf, was attending school again, and had landed a new job at a cybersecurity company.

APTs and Nation States

Building a ThingBot