A 21-year-old from Vancouver, Washington pleaded guilty today to creating and operating multiple iterations of DDoS botnets made up of home routers and other networking and Internet of Things (IoT) devices.
Kenneth Currin Schuchman, known online as Nexus Zeta, rented access to these botnets to others, but he also used the botnets to launch DDoS attacks against various targets himself, according to court documents obtained by ZDNet.
Today's guilty plea also sheds more light on how Schuchman operated. These details were not included in the original three-page indictment that Alaskan authorities filed in August 2018.
The biggest revelation from today's guilty plea is that Nexus Zeta did not act alone, but worked together with two other hackers -- identified in court documents as Vamp and Drake.
According to court documents, Vamp served as the primary developer and coder, Drake managed botnet sales and customer support, while Schuchman (as Nexus Zeta) acted as a second developer, tasked with developing or acquiring new exploits that the botnet could use to infect new devices.
Below is a timeline of the events that led to Schuchman's indictment and arrest, as described in today's guilty plea:
July to August 2017 -- Schuchman, Vamp, and Drake create the Satori botnet, based on the public code of the Mirai IoT malware. US authorities said this initial version "extended the Mirai DDoS botnet's capabilities, targeted devices with Telnet vulnerabilities, and utilized an improved scanning system borrowed from another DDoS botnet known as Remaiten." Even though this first botnet relied solely on exploiting devices running with factory-set or easy-to-guess passwords, Satori infected over 100,000 devices in its first month. Per court documents, Schuchman claimed that over 32,000 of these devices belonged to a large Canadian ISP, and that the botnet was capable of DDoS attacks of 1Tbps [claim remains unproven].
September to October 2017 -- The three hackers improve the original Satori botnet into a new version they start calling Okiru. This version can also use exploits to spread to unpatched devices. A prime target for the Okiru botnet was security cameras manufactured by Goahead.
November 2017 -- Schuchman, Vamp, and Drake build on Satori and Okiru. They create a new version named Masuta, which they use to target GPON routers, and infect over 700,000 devices. Their DDoS-for-hire business reaches its peak. Schuchman also creates his own separate botnet, which he uses to attack the infrastructure of ProxyPipe, a DDoS mitigation firm.
January 2018 -- Schuchman and Drake create a botnet combining features from the Mirai and Satori botnets, focusing on exploiting devices based in Vietnam.
March 2018 -- Schuchman, Vamp, and Drake continue work on this botnet, which later becomes known as Tsunami or Fbot, and infects up to 30,000 devices, mostly Goahead cameras. They later expand the botnet with another 35,000 devices after exploiting vulnerabilities in High Silicon DVR systems. US authorities said the botnet was capable of attacks of up to 100Gbps.
April 2018 -- Schuchman splits from Vamp and Drake and develops another DDoS botnet, this time based on the Qbot malware family. This botnet was primarily focused on exploiting GPON routers from the network of Mexican TV network Telemax. Schuchman also enters into a competition with Vamp, both developing botnets aimed at hindering each other's operations.
July 2018 -- Schuchman reconciles with Vamp, but by this time the FBI has tracked him down. The FBI interviews Schuchman later that month.
August 21, 2018 -- US authorities formally charge Schuchman, but allow him to remain free under pre-trial release conditions.
August to October 2018 -- Schuchman breaks his pre-trial release conditions by accessing the internet and developing a new botnet (based on the Qbot strain). He also orchestrates a swatting attack on Drake's residence.
October 2018 -- US authorities detain and imprison Schuchman.
After pleading guilty today, Schuchman faces up to ten years in prison, a fine of up to $250,000, and up to three years of supervised release.
Schuchman has been diagnosed with Asperger syndrome and autism disorder, and was an active user of HackForums, a well-known forum hosting tutorials and discussions on white-, gray-, and black-hat hacking techniques, where he is believed to have learned his skills.
Authorities tracked Schuchman down because he used his father's ID and credentials to register online domains he later used for his DDoS-for-hire operations.
US officials didn't say if they charged Vamp and Drake, but they said they were aware of their real-world identities.
In 2017 and 2018, several cyber-security firms published reports on the Satori botnet, which, at the time, was one of the most active IoT botnets around [1, 2, 3, 4, 5, 6].