3 plead guilty in cybercrime cases investigated by Alaska FBI
Anchorage-based FBI agents played a key role in bringing to justice three people who operated a far-reaching online network of hacked devices, federal prosecutors announced Wednesday.
The defendants – 21-year-old Paras Jha of Fanwood, N.J.; 20-year-old Josiah White of Washington, Penn.; and 21-year-old Dalton Norman of Metairie, La. – pleaded guilty last week to conspiring to violate the Computer Fraud and Abuse Act, U.S. Attorney for Alaska Bryan Schroder’s office said in a statement.
All three were charged with running the Mirai botnet in late 2016, which used compromised “Internet of Things” devices like wireless cameras, routers and digital video recorders to perform malicious tasks at the operators’ bidding.
“At its peak, Mirai consisted of hundreds of thousands of compromised devices,” federal officials wrote. “The defendants used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDoS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers.”
According to Wired magazine, Mirai was used to target Internet infrastructure company Dyn on Oct. 21, 2016, with “malicious requests from tens of millions of IP addresses.” The attack caused websites like Spotify, Reddit and The New York Times to be sporadically unavailable on the East Coast for hours.
By the fall of 2016, the defendants were no longer running Mirai, but prosecutors said Jha released the botnet’s source code online – leading to a surge of imitators created by other criminals.
Assistant U.S. Attorney Adam Alexander, who helped prosecute the case, said none of the defendants were directly charged in the botnet's October attacks on Dyn. He said they admitted they were motivated by the technical challenges of assembling Mirai, as well as "the desire for profit to monetize it by selling it to other criminals."
Jha and Norman also pleaded guilty to forming a separate botnet for the purposes of “click fraud,” generating revenue from advertisers for clicks on ads falsely attributed to human Internet users.
“From December 2016 to February 2017, the defendants successfully infected over 100,000 primarily U.S.-based computing devices, such as home Internet routers, with malicious software,” federal officials wrote. “That malware caused the hijacked home Internet routers and other devices to form a powerful botnet.”
Alexander said the defendants had agreed to "voluntarily abandon the proceeds of the criminal investigation," which are being held by the federal government pending the payment of restitution to victims.
Jha also pleaded guilty to charges from New Jersey related to a series of attacks on Rutgers University, which sporadically disabled websites used by students and faculty to communicate from November 2014 to September 2016. A 2015 story from NJ.com on the attacks said Rutgers spent at least $2 million on improving its cybersecurity in response, resulting in a 2.3 percent tuition hike for students that school year.
Alaska became involved in the case, Alexander said, because investigators found Alaskans whose devices had been hacked and used in the botnets. In addition, the Anchorage FBI office was uniquely suited to help break the case.
"We're fortunate to have agents here in Alaska with specialized training and experience in investigating complex cybercrimes," Alexander said.
Both Schroder and Marlin Ritzman, the special agent in charge of the FBI’s Anchorage office, which investigated the case, emphasized the botnets’ potential harm to Alaskans in the statement.
“Our world has become increasingly digital, and increasingly complex,” Schroder said. “Cybercriminals are not concerned with borders between states or nations, but should be on notice that they will be held accountable in Alaska when they victimize Alaskans in order to perpetrate criminal schemes.”
Federal prosecutors based in Alaska and New Jersey are working on the cases, which involved assistance from an array of U.S. attorneys’ offices across the nation as well as police agencies in the United Kingdom and France.
The Department of Justice has an online tip sheet on protecting "Internet of Things" devices from hacking.
Daniella Rivera contributed information to this story.
Copyright 2017 KTVA. All rights reserved.