Hackers hired for year-long DDoS attack against man’s former employer

US federal prosecutors in Minnesota have charged a 46-year-old man with hiring a cyberhitman – well, technically, three hacking services – to launch a year-long campaign of distributed denial of service (DDoS) attacks on his former employer.

Prosecutors say that John Kelsey Gammell, 46, contacted seven DDoS services and paid monthly subscriptions to three of them in order to bring down Washburn Computer Group, a point-of-sale system repair company in Monticello, Minnesota. Between July 2015 and September 2016, Gammell also allegedly used the services to go after a slew of other targets, including the networks of the Minnesota Judicial Branch, Hennepin County, several banks and a few employment contracting companies he worked at.

According to the Star Tribune, Gammell rejected a plea deal when he appeared in a Minneapolis court last week. The deal would have resolved all charges and capped his possible prison sentence at a mandatory 15 to 17 years. The newspaper reports that a federal magistrate is reviewing motions to dismiss the case or suppress evidence.

In a criminal complaint filed in April 2017, FBI Special Agent Brian Behm said in a sworn affidavit that when Washburn first began experiencing shutdowns of multiple websites, server log files weren’t any help in finding the culprit. That’s because the IP addresses connected to the DDoS attack led back to a US-based virtual private network (VPN) that anonymized the true source of incoming internet access. Like many anonymizing services, the VPN didn’t maintain logging information to show who was using it, Behm explained.

But two taunting emails asking Washburn if the company had any “ongoing IT issues” that they needed help with – sent while the DDoS attacks were ongoing – were a whole lot easier to track. Google and Yahoo, both under grand jury subpoenas, coughed up the IP addresses associated with the email accounts that sent the jeers, which were accompanied by the image of a laughing mouse. The FBI says that the Gmail account and the Yahoo account that sent the messages were created with an IP address associated with Gammell’s home address and an AT&T cellphone number that pointed to Gammell as the subscriber.

A search warrant served on Google showed that between May 2015 and September 2016, Gammell allegedly showed interest in, or made purchases at, seven DDoS-for-hire sites: also known as “booters” or “stressers,” these sites sell monthly subscription fees for buyers to target DDoS attacks against IP addresses or websites of their choosing. You get what you pay for: the premium plans boost the duration and intensity of the attack.

Based on emails, Gammell allegedly had three favorite cyber goon squad services: cStress, vDOS and booter.xyz. Prosecutors say he shelled out about $235 to cstress.net, ranging from the basic “All Included” $19.99 service to the “Premium” service at $39.99. His monthly payments to the services went as high as $199.

cstress.net is offline, but Behm says he found an archived main page that shows that the “Premium” package could be used to “Stress Large Servers and Websites,” that it was capable of “Full Hour Stresses,” and that it provided “30Gbps of Dedicated Bandwidth” and “Unlimited Boots.”

For a criminal enterprise, it was all very cordial, all very professional. Behm says he found an email thanking Gammell for his purchase from another DDoS-for-hire service called inboot. In upgrading to “diamond” monthly membership at booter.xyz, Gammell allegedly praised the service and told his correspondent that he recommends it to others.

Why the persistence, and money spent, in allegedly plaguing a former employer? According to the criminal complaint, Gammell had worked at Washburn for 17 years and had left, under good terms, three and a half years ago. But a dispute boiled up over payment for training services Gammell had provided after he left the company.

According to the Star Tribune, Gammell’s attorney, Rachel Paulose, has argued that it wasn’t Gammell that attacked Washburn. No, it was the “cyberhit men,” she said: why not go after them?

The government has failed to charge a single one of those ‘cyberhitmen’ services, named and evidently well known to the government. Instead the government’s neglect has allowed the professional cyberhitmen for hire to skip off merrily into the night.

Funny thing about that: skipping off merrily into the night doesn’t exactly describe what happened to at least one of Gammell’s purported favorite hitmen services. “Getting busted by Israeli police” is more like it. Back in September 2016, two Israeli teenagers – the co-owners behind vDOS – had their service taken down by a massive hack, and the two 18-year-old men were arrested.

And all the evidence the FBI got from a known security researcher about vDOS? Toss it, Paulose says: the data could have been obtained through hacking.

The Washburn attacks were “essentially a prank on a dormant site not doing business,” she said.

The Star Tribune quoted this comeback from Assistant U.S. Attorney Timothy Rank:

Even if Mr. Gammell thinks it’s a prank, it’s a criminal prank.

Gammell is facing a charge of  “knowingly [causing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally [causing] damage without authorization, to a protected computer.”