A former Rutgers University student and two other men pleaded guilty to creating a “botnet” known as Mirai that paralyzed major websites in massive 2016 cyber-attacks.
Paras Jha, 21, of Fanwood, pleaded guilty in federal court on Friday to multiple charges related to creating and operating the Mirai botnet, the Justice Department said on Tuesday. Besides this, Jha also pleaded guilty in U.S. District Court in Trenton on Wednesday for hacking into the Rutgers University computer system between 2014 and 2016 that crippled the school’s networks for days at a time, preventing students from accessing assignments or registering for courses.
“These computer attacks shut down the server used for all communications among faculty, staff and students, including assignment of course work to students, and students’ submission of their work to professors to be graded,” the Justice Department said in a statement.
“The defendant’s actions effectively paralyzed the system for days at a time and maliciously disrupted the educational process for tens of thousands of Rutgers’ students.”
Jha’s partners, Dalton Norman, 21, and Josiah White, 20, pleaded guilty to conspiracy to violate the Computer Fraud & Abuse Act. Jha and Norman also pleaded guilty for using another powerful botnet for a ‘clickfraud’ scheme, which is used to artificially generate advertising revenue by making it appear that a real user clicked on an online ad.
Hundreds of thousands of Internet-connected devices including security cameras, poorly secured routers, baby monitors and DVRs were infected using the Mirai botnet, which was later turned into bots by its creators that attacked websites and internet infrastructure in “denial of service” (DDoS) attacks. If the targets didn’t pay a two-Bitcoin ransom, Jha reportedly would knock them offline, federal prosecutors said. Jha also owned a service denial mitigation company called ProTraf Solutions, according to his LinkedIn page.
Jha admitted writing Mirai’s code in or about July 2016 before working with others, according to the plea agreement. He and his co-conspirators used the botnet to attack business competitors and others against whom they held grudges. They also sought to make money, renting out the malicious network out for payment.
In October 2016, the Mirai botnet was used in a massive cyberattack against Dyn, an internet company that directs traffic on the web, which interrupted access to dozens of websites across the United States and Europe including ones run by Twitter, PayPal Holdings, and Spotify. Prosecutors said they don’t believe the three men were responsible for that attack, as Jha had already posted the code for Mirai to online criminal forums.
When federal investigators began to close in on Jha in an attempt to destroy or conceal evidence of his crimes, Jha erased the virtual machine used to run Mirai and posted the code online to create “plausible deniability” in case investigators found the code on the computers that he and his co-defendants controlled, prosecutors said.
In August 2016, White scanned functionality to the code allowing the malware to identify further vulnerable devices to infect. In September 2016, Norman and accomplices expanded Mirai, wherein eventually more than 300,000 devices became part of the Mirai botnet, prosecutors said. Court documents did not accuse Norman of creating Mirai but said he helped monetize its use.
Robert Stahl, Jha’s attorney, said his client has not been a student at New Jersey’s Rutgers University since December 2016 and had been released due to pending sentence.
“Starting when he was just 19 years old, (Jha) made a series of mistakes with significant consequences that he only now fully appreciates,” Stahl said in a statement. “He is a brilliant young man whose intellect far exceeded his emotional maturity” and that he is “extremely remorseful and accepts responsibility for his actions.” He said the guilty pleas “are the first step in his evolution into adulthood and responsibility.”
Michele Norin, the university’s senior vice president and chief information officer, said in a statement that Rutgers was thankful that the person behind the crime had been identified.
“I want to emphasize how seriously we take the resilience and security of the Rutgers network,” she said. “Since the DDoS attacks, we have made substantial improvements to Rutgers’ technology infrastructure, including upgrades of network hardware, the use of DDoS mitigation services, and changes in internet service providers.
“We recognize the threat posed by cybercriminals, and we will be tireless in working with lawenforcement to pursue individuals who attempt to compromise the Rutgers network.”
Jha faces up to 10 years in prison a fine of up to $250,000 when he is sentenced on March 13.
Attorneys for White and Norman did not respond to requests for comment.