A 20-year-old man has been indicted for computer crimes by a federal court in Alaska. Evidence suggests that he could be linked to the Satori botnet that exploited a previously unknown bug in a Huawei router. If so, one of the most virulent botnets in recent times might have been engineered not by a sophisticated organized criminal or nation state actor, but by a relatively inexperienced dabbler who happened across a zero-day vulnerability.
Kenneth Currin Schuchman of Vancouver, Washington, has been indicted in an Alaskan federal court on two charges. Firstly, from August through November 2017, he allegedly:
Knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to protected computers; the offense caused damage affecting 10 or more protected computers during a 1-year period.
The second charge mirrors the first but focuses on a specific unnamed victim. Both of these offenses happened in Alaska, the indictment alleges.
Possible Satori link
Reporting by the Daily Beast speculates that Schuchman may have created the Satori botnet. This botnet, also tracked as Okiru, was identified in the wild on November 23 2017 exploiting a zero-day vulnerability in Huawei HG532 routers.
The person responsible for the Satori botnet went by the online handle Nexus Zeta. One security researcher on Twitter had identified a botnet binary calling itself ‘Satori’ in July 2017, three weeks after the registration of the nexusiotsolutions.net domain. A Twitter user called Nexus_Zeta responded that this was a test, based on the Mirai source code.
@michalmalik That was only ever up as a test. And it is based off mirai source fyi. — Nexus Zeta (@nexus_zeta) July 18, 2017
Two days earlier Nexus_Zeta also said:
@Jihadi4Potus Why do you all still use Mirai. You're all getting botkilled by my bot so idk why people bother — Nexus Zeta (@nexus_zeta) July 16, 2017
A member of the Hack Forums hacking community who joined in 2015 and also went by the name Nexus Zeta seemed surprisingly inexperienced. On November 22 2017, that person posted a request to the forum:
hello, im looking for someone to help me compile the mirai botnet, i heard all you have to do is compile it and you have access to 1 terabit per second so please help me setup a mirai tel-net botnet
A day later, security researchers from Check Point noticed activity related to the previously unknown Huawei vulnerability, dubbing it Satori.
Satori was a variant of the Mirai botnet that originally infected various IoT devices and disrupted DNS services in October 2016. During its initial infection phase, Satori simply looked for more targets to infect, suggesting that its creator was expanding the base of infected machines as quickly as possible. It infected over 260,000 IP addresses in just 12 hours, according to researchers who analysed its activities.
Then, in January 2018, a variant called Satori.Coin.Robber started scanning for machines mining Ethereum using the Claymore mining software. Upon finding them, it replaced their wallet addresses with the bot owner’s own. Two more botnets, Masuta and PureMasuta, also appeared. Researchers linked the botnets to Satori because they used the same command and control server.
Several variants followed. One in May targeted Dasan GPON home routers, and in June, researchers noticed a resurgence of Satori infections using a new exploit that targeted the D-Link DSL-2750B router. It is unclear whether Satori’s original author also owned the subsequent variants, especially as the original source code was widely distributed via Pastebin in January.
Exploring the evidence
It is also far from clear that Schuchman was really behind Satori. The indictment doesn’t mention Satori specifically, but the Daily Beast believes that “all signs” point to it. In particular, their report references a post on Pastebin from a group of angry hackers calling themselves T0rnado and Disciple.
The Pastebin post, titled “Nexus Zeta”, dated February 1 2018, contained what the hackers claimed was old personal contact information for Schuchman, a prior conviction, and a news report about the then-15-year-old running away from home. They added:
…since he has extremely poor opsec (uses home IP on everything), we have decided to dox him.
The anonymous documents on Pastebin make unsubstantiated allegations about Schuchman’s character but don’t provide any direct evidence linking him to the Nexus Zeta account or to Satori. Other than taking their word for it, what evidence do we truly have?
There are some pointers in historical whois records.
Researchers who first discovered Satori in action exploiting the Huawei vulnerability revealed that its command and control traffic flowed through nexusiotsolutions.net. This domain was registered to ‘liam mcpike’ using the email address firstname.lastname@example.org, on June 13 2017, and expired a year later.
Nexusiotsolutions.net was registered with a Washington state phone number. The same phone number was used to register another site called Zetastress.net in November 2016. The registrant for that site used the name Kenny Schuchman and the email email@example.com, and an address in Vancouver, Washington.
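The registrant pivot described above, shared phone number linking one domain to another, is the kind of check an analyst scripts over historical WHOIS data. The following is an added example, not code from the original article: the records are constructed to mirror the article's description, the phone number and unrelated third domain are placeholders, and the e-mail addresses are the redacted forms printed above.

```python
"""Pivot across historical WHOIS records on shared registrant attributes."""
from collections import defaultdict

# Constructed records: phone numbers, the third domain and its registrant
# are placeholders; the e-mails are the redacted forms the article prints.
RECORDS = [
    {"domain": "nexusiotsolutions.net", "registered": "2017-06-13",
     "name": "liam mcpike", "email": "firstname.lastname@example.org",
     "phone": "+1.360-555-0100"},                 # placeholder number
    {"domain": "zetastress.net", "registered": "2016-11",
     "name": "Kenny Schuchman", "email": "email@example.com",
     "phone": "+1.360-555-0100",                  # same placeholder: the pivot
     "address": "Vancouver, Washington"},
    {"domain": "unrelated-example.com", "registered": "2017-03-02",
     "name": "Jane Roe", "email": "jane@example.net",
     "phone": "+1.206-555-0199"},                 # placeholder, no overlap
]

PIVOT_FIELDS = ("email", "phone", "name")
REDACTED = {"", "redacted for privacy", "data protected"}

def normalise(field, value):
    """Canonicalise a registrant value so trivially different spellings match;
    privacy-proxy placeholders yield None and never link anything."""
    if value is None:
        return None
    value = value.strip().lower()
    if field == "phone":
        value = "".join(ch for ch in value if ch.isdigit())
    return value if value and value not in REDACTED else None

def build_index(records):
    """Map (field, normalised value) -> set of domains carrying that value."""
    index = defaultdict(set)
    for rec in records:
        for field in PIVOT_FIELDS:
            key = normalise(field, rec.get(field))
            if key is not None:
                index[(field, key)].add(rec["domain"])
    return index

def pivot(records, seed_domain):
    """Domains sharing at least one registrant attribute with seed_domain,
    with the evidence behind each link. A shared value only shows the forms
    were filled in alike: registrants can, and do, supply false details."""
    links = defaultdict(list)
    for (field, value), domains in build_index(records).items():
        if seed_domain in domains:
            for other in sorted(domains - {seed_domain}):
                links[other].append((field, value))
    return dict(links)

if __name__ == "__main__":
    for domain, evidence in pivot(RECORDS, "nexusiotsolutions.net").items():
        print(domain, "<-", ", ".join(f"{f}={v}" for f, v in evidence))
```

A link supported only by a phone number, with registrant names that differ, is exactly the weak signal the next paragraph warns about; the evidence list is there so that weighting stays with the analyst.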
Even this evidence is not conclusive. People can (and frequently do) register domains with fake details. So while we have suggestive evidence, it is impossible to say for sure whether Schuchman is linked to Satori. No doubt things will become clearer as court proceedings unfold. As of last week, he was due to appear in Alaskan court via video link from Washington.
Until then, his conditions of release included home detention with a location tracking device and no access to an internet-enabled computer without supervision. He has pled not guilty to the charges, which carry a potential prison sentence of up to ten years.