A 21-year-old man from
Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role
in operating the “Satori” botnet, a crime machine
powered by hacked Internet of Things (IoT) devices that was built to conduct
massive denial-of-service attacks targeting Internet service providers, online
gaming platforms and Web hosting companies.
Kenneth Currin Schuchman pleaded
guilty to one count of aiding and abetting computer intrusions. Between
July 2017 and October 2018, Schuchman was part of a conspiracy with at least
two other unnamed individuals to develop and use Satori in large scale online
attacks designed to flood their targets with so much junk Internet traffic that
the targets became unreachable by legitimate visitors.
According to his plea
agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked
with at least two other individuals to build and use the Satori botnet, which
harnessed the collective bandwidth of approximately 100,000 hacked IoT devices
by exploiting vulnerabilities in various wireless routers, digital video
recorders, Internet-connected security cameras, and fiber-optic networking
devices.
Throughout 2017 and into
2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further
develop Satori by identifying and exploiting additional security flaws in other
IoT systems.
Schuchman and his
accomplices gave new monikers to their IoT botnets with almost each new improvement,
rechristening their creations with names including “Okiru,”
and “Masuta,” and infecting up to 700,000 compromised
systems.
The plea agreement states that the object of the conspiracy was
to sell access to their botnets to those who wished to rent them for launching
attacks against others, although it’s not clear to what extent Schuchman and
his alleged co-conspirators succeeded in this regard.
Even after he was
indicted in connection with his activities in August 2018, Schuchman created a
new botnet variant while on supervised release. At the time, Schuchman and
Drake had something of a falling out, and Schuchman later
acknowledged using information gleaned by prosecutors to identify Drake’s home
address for the purposes of “swatting” him.
Swatting involves making false reports of
a potentially violent incident — usually a phony hostage situation, bomb threat
or murder — to prompt a heavily-armed police response to the target’s location.
According to his plea agreement, the swatting that Schuchman set in motion in
October 2018 resulted in “a substantial law enforcement response at Drake’s
residence.”
As noted in a September 2018 story,
Schuchman was not exactly skilled in the art of obscuring his real identity
online. For one thing, the domain name used as a control server to synchronize
the activities of the Satori botnet was registered to the email address
nexuczeta1337@gmail.com. That domain name was originally registered to a
“ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash.
People who operate IoT-based
botnets maintain and build up their pool of infected IoT systems by constantly
scanning the Internet for other vulnerable systems. Schuchman’s plea agreement
states that when he received abuse complaints related to his scanning
activities, he responded in his father’s identity.
“Schuchman
frequently used identification devices belonging to his father to further the
criminal scheme,” the plea agreement explains.
While Schuchman may be the
first person to plead guilty in connection with Satori and its progeny, he
appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity
that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally
responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk.
Multiple sources also say Vamp
was principally responsible for the 2016 massive
denial-of-service attack that swamped Dyn — a company that provides
core Internet services for a host of big-name Web sites. On October 21, 2016,
an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure,
causing outages at a number of top Internet destinations, including Twitter,
Spotify, Reddit and others.
The investigation into
Schuchman and his alleged co-conspirators is being run out the FBI field office
in Alaska, spearheaded by some of the same agents who helped track down and
ultimately secure guilty pleas from the
original co-authors of the Mirai botnet.
It remains to be seen what kind
of punishment a federal judge will hand down for Schuchman, who reportedly has
been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count
to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000.
However,
it seems likely his sentencing will fall well short of that maximum: Schuchman’s
plea deal states that he agreed to a recommended sentence “at the low end of
the guideline range as calculated and adopted by the court.”
If you would like IT security help for your organisation then we're here to help.
