scorecardresearch Skip to main content

Hackers used new type of malware in Internet attack

This photo shows Dyn, a New Hampshire internet service company. Jim Cole/Associated Press

Hackers temporarily blocked access to some of the world’s best-known websites on Friday by commandeering thousands of DVRs and other ordinary Web-enabled devices to swamp a New Hampshire company that directs global Internet traffic.

E-mail traffic was disrupted, and Twitter, Netflix, and music streaming service Spotify were among the sites hobbled when hackers hit Dyn Inc. at various points throughout the day. The little-known company plays a critical role: translating client domain names such as into the numerical addresses where they reside on the Internet. If users can’t contact Dyn’s servers, they can’t be connected to the site they are looking for.


The White House said the Department of Homeland Security was monitoring the situation. The outage spawned fears that online vandals are developing digital weapons that could take down large portions of the global computer network.

Starting at about 7 a.m. Eastern time Friday, the hackers launched a series of massive “distributed denial-of-service” or DDoS attacks on Dyn’s computers, the Manchester-based company said. A DDoS attack sends so much data to a computer system that it can no longer handle legitimate requests. As a result, Dyn said its domain name service, or DNS, bogged down, and users found it difficult or impossible to reach sites that rely on it.

(The Boston Globe, which uses the Dyn service, was unavailable to some readers, and its e-mail service was partially disrupted.)

DDoS attacks aren’t uncommon, but this one was especially large and affected a number of high-profile websites. The Dyn assault also raised alarm because of the way it was carried out.

Cybercriminals have traditionally relied on networks of personal computers infected with rogue programs called malware to wage denial-of-service attacks. But the Dyn incident featured a new kind of malicious software called Mirai, which infects “Internet of things” devices: commonplace electronic gadgets that connect to the global network. “It could be DVRs, could be thermostats, could be CCTV cameras, could be baby monitors,” said Kyle York, Dyn’s chief strategy officer.


There are billions of such devices worldwide, many of them wide open to attack and nearly impossible to rid of malware. So the rise of Mirai could herald a future in which countless everyday devices in homes and businesses could be used in acts of theft, vandalism, or terrorism.

“Not only did I expect it, but I expect a whole lot more of it,” said Brian Krebs, an Internet security journalist whose website was knocked offline last month by a Mirai attack.

The Associated Press reported on Friday evening that a group calling itself New World Hackers, which said it has members in Russia and China, posted a message on Twitter claiming responsibility for the attacks.

“We didn’t do this to attract federal agents, only test power,” two members who identified themselves as “Prophet” and “Zain” told an AP reporter via Twitter direct-message exchange. They said more than 10 members participated in the attack. It was not immediately possible to verify the claim.

Dyn, which was founded about 15 years ago by students at Worcester Polytechnic Institute, reported that service had been restored to normal by 9:20 a.m. But the attack resumed later and was finally brought under control around noon. The Washington Post reported that a third wave of the attack was resolved around 6 p.m.


Other Internet companies that use Dyn’s service were affected by blowback from the attack, including Comcast Corp. and Level 3 Communications Inc. In an interview posted on the company’s Twitter account, Level 3 chief security officer Dale Drew estimated that about 500,000 devices are presently infected with the Mirai malware, and that about 10 percent of that number were used to carry out the attack on Dyn. Drew added that other networks of tainted computers may have participated in the attack as well.

Drew also said that some DNS systems not operated by Dyn had come under fire as well. “We’re seeing the bad guy rotate through quite a few different DNS providers, trying to add some instability to the Internet,” he said.

Despite the claim of responsibility for the attack, it’s still not clear who carried it out. “The problem with DDoS attacks is that attribution is almost impossible,” said Dan York, DNS security program manager for the Internet Society, a group that sets technical standards for the Internet.

A motive for the online assault is equally obscure.

Krebs said he thinks the criminals plan to extort money from businesses by threatening to unleash Mirai on them unless they pay up. The attacks on his site and on Dyn are demonstrations of their power, he said. “They’re essentially calibrating their attack weapons.” It’s also an opportunity for revenge. Krebs and Dyn worked together on a report about vDOS, a company that conducts Internet attacks for hire.


But it’s also possible that the Friday attack was a dry run for a bigger, more severe Internet assault. Attacking a single DNS company can only do limited damage to the Internet, but simultaneous attacks on the biggest DNS companies, similar to Friday’s assault, could slow the entire global network to a crawl.

Dan York of the Internet Society doubts such an attack would work. “It would be extremely difficult for an attacker to take down the whole system,” he said.

But Roland Dobbins, principal engineer at computer security company Arbor Networks Inc. of Burlington, said, “It is absolutely a possibility . . . the Internet is very brittle and fragile.”

Hiawatha Bray can be reached at Curt Woodward can be reached at