A 21-year-old has pleaded guilty to operating the Satori botnet – made up of Internet of Things (IoT) devices – and at least two other botnets; to running a DDoS-for-hire service; to cooking up one of the evolving line of botnets while he was indicted and under supervised release; and to swatting one of his former chums, also while on supervised release.
Satori did massive damage: it and its iterations would be unleashed in record-setting distributed denial-of-service (DDoS) attacks that enslaved more than 800,000 devices – things like home routers, security cameras and webcams – and flattened ISPs, online gaming platforms and web hosting companies.
The guilty plea was filed on behalf of Kenneth Currin Schuchman, from Vancouver, Wash., on Tuesday in federal court in Anchorage, Alaska. He was indicted a year ago on two counts of fraud and related activity in connection with a computer, but in the plea agreement he struck with prosecution, he pleaded guilty to just one of them.
Schuchman admitted that he and two co-conspirators – “Vamp” and “Drake,” both of whom are known by the law – operated the botnets Satori, Masuta and Okiru. Over time, they nurtured those botnets, fattening them on more and more devices to make them ever-more powerful and complex.
The co-conspirators used their botnets to launch attacks, but their primary goal was to make money from renting them out.
These DDoS-for-hire services can be purchased from so-called “booter” websites.
Such websites sell high-bandwidth internet attack services under the guise of “stress testing.” One example is Lizard Squad, which, until its operators were busted in 2016, rented out its LizardStresser attack service …an attack service that was, suitably enough, given a dose of its own medicine when it was hacked in 2015.
Of the trio, Schuchman specialized in finding vulnerabilities in IoT devices that could be exploited at scale. “Specialize” might be a bit too fancy a term: “run an online search” might be more like it. According to the plea agreement, the vulnerabilities often included default usernames and passwords, for example.
They’re all too easy to find, since researchers have found that the manufacturers of off-the-shelf IoT gadgets often post default passwords online in order to aid in quick device setup.
Using such default credential pairs, Schuchman and his buddies managed to compromise not only individual devices but entire categories of devices that shared the same vulnerability, as the plea agreement described.
From at least July 2017 until at least July 2018, Schuchman and his co-conspirators, who aren’t named in the indictment, rented out access to an evolving series of DDoS botnets. They were initially based on source code from Mirai – the botnet that was the subject of Schuchman’s previous prosecution in Alaska and which, in 2016, targeted security journalist Brian Krebs in what experts said at the time was the biggest DDoS attack in public internet history.
Over the course of that year, Vamp was the primary developer and coder, while Drake managed sales and customer support. Schuchman, besides researching new vulnerabilities, also helped out with botnet development.
In August 2018, the trio named one of their botnets Satori. That one built on Mirai by targeting devices with Telnet vulnerabilities. It also used an improved scanning system that was borrowed from another DDoS botnet, Remaiten. Mirai would go on to compromise 100,000 devices. The conspirators unleashed this version of Satori on a range of victims in the US, including a large ISP, popular online gaming services, prominent internet hosting companies, and hosting companies specializing in DDoS mitigation.
At the same time, Schuchman bragged about compromising another 32,000 devices belonging to a large Canadian ISP. He used the added might of those devices to attack targets with bandwidth of about 1TB per second. He also bragged about causing a dramatic increase to internet latency on a national level with a test attack.
In September or October 2017, the trio, along with other co-conspirators, made yet more improvements to Satori, which they rechristened “Okiru.” They used Okiru to compromise vulnerable devices, including exploiting flaws in customized versions of GoAhead web servers embedded in wireless surveillance cameras.
The next botnet version, which arrived in November 2017, was dubbed Masuta. It targeted vulnerable Huawei and Gigabit Passive Optical Network (GPON) fiber-optic networking devices. That one infected up to 700,000 compromised nodes.
At the same time that Masuta was being launched in a large number of attacks, Schuchman was also operating his own, distinct DDoS botnet, which he used against IP addresses associated with ProxyPipe, a DDoS mitigation network.
He was quite busy at that point: he was also scanning for more vulnerable Telnet devices to suck up into the botnets. When he got complaints about the scanning, he’d respond using his father’s identity. That was part of his modus operandi: he frequently hid behind his father’s identity throughout his criminal career. According to his plea agreement, after he’d been indicted, he kept committing new crimes from his father’s apartment.
Around January 2018, Schuchman, Drake and others merged elements of Mirai with those of Satori in order to target devices largely based in Vietnam, in order to expand the merged botnet further still. The refinement of the botnet continued: by March 2018, the improved botnet came to be called by the names Tsunami and Fbot. Mostly comprised of GoAhead cameras, the botnet infected up to 30,000 more devices and was used to attack gaming servers, including gaming server provider Nuclear Fallout.
During this time, Schuchman et al. also discovered vulnerabilities in about 650,000 High Silicon DVR systems. Schuchman managed to pwn at least 35,000 of the DVRs and dragged them into the Tsunami/Fbot botnet. He and his co-conspirators ran test attacks using about 10,000 of the hijacked DVR systems – attacks that attained estimated bandwidths of more than 100Gbps.
By April 2018, having moved on from Drake and Vamp to work with others, Schuchman developed another, unnamed DDoS botnet based on the Qbot financial malware. To create it, he exploited devices that included high-bandwidth GPON devices at the Mexican broadcast TV network Telemax.
By that point, Vamp had become a competitor: he and Schuchman were using the same credentials to go after the same universe of botnet nodes. They tried to block each other from getting at the infected nodes by changing configurations. Schuchman employed tactics including using the IPTables tool to kill all the open ports on the devices: a technique that, court documents say, is a good way to cause “substantial damage” to a victimized device.
Schuchman was first interviewed by the FBI in July 2018. He and Vamp were getting along again at that time, and they resumed working “in earnest” to keep buffing up their DDoS botnet iterations.
Schuchman, who was going by the aliases Nexus and Nexus-Zeta, was indicted on 21 August 2018, but that didn’t slow him down. Around October 2018, he created a new Qbot DDoS botnet variant – while he was on supervised release, and after he’d already been indicted for creating and deploying botnets.
Also in October, he used some of the data that turned up in legal discovery to figure out where Drake was located so that he could swat him. The swatting involved a fake 911 call about a purported hostage situation at Drake’s house, triggering a “substantial law enforcement response,” according to court documents.
Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. He’s facing a maximum penalty of 10 years in prison and $250,000 in fines, but he likely won’t see that much time: the recommended sentence agreed to by prosecutors calls for penalties “at the low end of the guideline range.”
According to The Daily Beast, Schuchman has Asperger’s syndrome, which might further affect his sentencing, which is set for November.