Tag Archives: computer worm

Overlords of the Internet: Botnet Warfare

In August 2025, U.S. federal authorities disrupted a network of hacked devices used by criminals in some of the largest online attacks yet seen… Law-enforcement agencies and technology companies are waging a war against increasingly powerful networks of hacked devices, called botnets, that can knock websites offline for a fee. They are used for extortion and by disreputable companies to knock rivals offline… These botnets are leveraging new types of internet-connected devices with faster processors and more network bandwidth, offering them immense power. The criminals controlling the botnets now have the capabilities to move beyond website takedowns to target internet connectivity and disrupt very large swaths of the internet. “Before the concern was websites; now the concern is countries,” said Craig Labovitz, head of technology with Nokia’s Deepfield division.

Apprehending botnet criminals in August 2025 appeared to have an unwanted consequence: freeing up as many as 95,000 devices to be taken over by new botnet overlords. That led to a free-for-all to take over the machines “as fast as possible,” said Damian Menscher, a Google engineer. The operators of a rival botnet, called Aisuru, seized control of more than one-fourth of them and immediately started launching attacks that are “breaking records,” he said.

On Sept. 1, 2025 the network services company Cloudflare said it had measured an attack that clogged up computer networks with 11.5 trillion bits of junk information per second. That is enough to consume the download bandwidth of more than 50,000 consumer internet connections. Cloudflare declared this attack, known as a distributed denial of service, or DDoS, a “world record” in terms of intensity. Some analysts see it almost as an advertisement of the botnet’s capabilities…

Botnets such as Aisuru are made up of a range of internet-connected devices—routers or security cameras, for example—rather than PCs, and often these machines can only join one botnet at a time. Their attacks can typically be fended off by the largest cloud-computing providers. One massive network that Google disrupted in 2025 had mushroomed from at least 74,000 Android devices in 2023 to more than 10 million devices in two years. That made it the “largest known botnet of internet-connected TV devices,” according to a July 2025 Google court filing.

Excerpts from Robert McMillan, The Feds Destroyed an Internet Weapon, but Criminals Picked Up the Pieces, WSJ, Sept. 15, 2025

Perpetual Attack: 25-Year Cyberattack, Russia v. US

The U.S. Federal Bureau of Investigation (FBI) disabled a piece of malware Russia’s intelligence agency has allegedly used for two decades (!) to steal documents from NATO-allied governments and others, in an operation that highlights the FBI’s increasing efforts to go beyond arresting hackers and find new ways to disrupt cyberattacks.

In an affidavit filed in federal court in Brooklyn, a Federal Bureau of Investigation agent said the bureau had identified a long-running cyber-espionage campaign by officers in a unit of Russia’s Federal Security Service, or FSB, to take documents from other governments’ defense and foreign ministries, journalists and others, and route them through infected computers in the U.S. to cover their tracks. Security researchers have sometimes referred to the group of hackers as “Turla”; the group is known to use malware called “Snake.”

FBI agents identified U.S. computers infiltrated with the Snake malware, including in Oregon, South Carolina and Connecticut, and obtained court approval to issue commands to the malware to permanently disable it on those computers, officials said. The operation is the latest example of the FBI using an obscure legal authority to proactively disrupt Russian or Chinese cyberattacks by essentially infiltrating their systems. Investigators tracked the group’s daily activities to an FSB facility in Ryazan, outside Moscow.

Cybersecurity experts and U.S. officials said that Turla’s espionage activities can be traced back more than 25 years, though with rare exception the group’s hackers are adept at infiltrating systems without being noticed. For example, the group was linked to a major breach of U.S. classified systems in the late 1990s that compromised the Pentagon, other government agencies and defense contractors and was considered a watershed cyberattack that demonstrated the national security threat posed by Russian government hackers. In that case, it took years before the U.S. discovered the campaign (!).

Aruna Viswanatha and Dustin Volz, FBI Disables Malware Russia Allegedly Used to Steal Documents from NATO Allies, WSJ, May 9, 2023

Hacked to be Framed: N. Korea – Wapomi Worm

Foreign hackers could have broken into North Korean computers and used them to make the country look responsible for hacking Sony, experts have said. Any attempt to blame North Korea for the attack because hackers used a North Korean IP address “must be treated as suspect”, security firm Cloudmark said. That is one of the reasons that the FBI has given for suspecting the country of the attack, which took down Sony Pictures’ systems for weeks. Security experts have continued to be dubious of the claim, but FBI officials have continued to blame North Korea.

The country has a very small connection to the internet, run by its national telecom ministry and a Thai firm. As a demonstration of how few connections North Korea has to the internet, Cloudmark said that it has the same number of IP addresses allocated to it as the entire country. Cloudmark said that the North Korean addresses it traces tend to send out spam, which is usually the sign of an infected machine. It identified the Wapomi worm, which is transmitted by USB drives and file server shares, as the code that is allowing outside people to control the machines.

While there is no guarantee that the same worm is present on the computers that have carried out the attack, the prevalence of infected computers in the country shows how easy it could have been for Sony’s hackers to give the impression they were based in North Korea. Cloudmark said that “unless the FBI releases more specific details of their case against North Korea, including email headers and mail server logs, some experts will continue to question if they are in fact correct”.

Andrew Griffin, North Korea might have been hacked to frame it for Sony cyberattack, say experts, Independent, January 12, 2015

Hacking Nuclear Plants – South Korea

Korea Hydro & Nuclear Power Co Ltd said it would beef up cybersecurity by hiring more IT security experts and forming an oversight committee, as it came in for fresh criticism from lawmakers following recent hacks against its headquarters. The nuclear operator, part of state-run utility Korea Electric Power Corp, said earlier this month that non-critical data had been stolen from its systems, while a hacker threatened in Twitter messages to close three reactors.

The control systems of the two complexes housing those reactors had not been exposed to any malignant virus, Seoul’s energy ministry and nuclear watchdog said in a joint statement, adding the systems were inaccessible from external networks. Energy Minister Yoon Sang-jick told a parliamentary session that evidence of the presence and removal of a “worm” — which the ministry said was probably inadvertently introduced by workers using unauthorized USB devices — was unrelated to the recent hacking incidents, drawing scepticism from some lawmakers. “I doubt control systems are perfectly safe as said,” Lee Jung-hyun, a lawmaker in the ruling Saenuri party, told the committee hearing.

Worries about nuclear safety in South Korea, which relies on nuclear reactors for a third of its power and is the world’s fifth-largest nuclear power user, have mounted since the 2011 Fukushima disaster in Japan and a domestic scandal in 2012 over the supply of reactor parts with fake security certificates… Korea Hydro and Nuclear Power President and CEO Cho Seok told the hearing that all control systems of the country’s 23 nuclear reactors were safe against malignant codes. Recently, he said that cyberattacks on non-critical operations at the company’s headquarters were continuing, although he did not elaborate for security reasons.

Excerpt from South Korea nuclear operator finds computer ‘worm’ in control system, Reuters, Jan. 1, 2015