The Department of Homeland Security and the FBI were investigating “all potential causes” of the internet’s partial blackout Friday after a massive wave of cyberattacks disrupted major websites, including Twitter, Airbnb and PayPal.
The vast, cross-country disruption could be a prelude to a more-damaging attack, cybersecurity experts said. No one has claimed responsibility for the attack.
“It’s very serious,” said Gartner research cybersecurity analyst Avivah Litan. “They could wreak complete havoc on our economy.”
The first attack hit the eastern U.S. early Friday morning, with a second assault following hours later and affecting users across the country, especially on the West Coast. Other sites hit included Amazon, Spotify, CNN, The New York Times, Pinterest, Reddit, Netflix, Yelp and OrderAhead.
The unknown assailants targeted Dyn, a New Hampshire firm that provides domain name services that connect internet users to websites. The company said it began monitoring an attack, mostly affecting the eastern U.S., at just past 4 a.m. About two hours later, Dyn restored services, but it was forced to address another attack around 9 a.m. Just before 1 p.m., the company said it was responding to “several attacks.”
“It’s affecting a lot of very familiar sites, the ones that we use all the time,” said Dimitri Sirota, CEO of data-security firm BigID.
But the timing of that attack did not appear calculated to cause maximum damage or disruption, Sirota said, noting that Friday morning is not prime time for watching Netflix or shopping on Amazon.
“There is a kind of hypothesis that they just want to see if this type of attacks works, with the intention of using it elsewhere,” Sirota said.
Many sites were down for hours, including Twitter. Dyn restored access to most at around 1:30 p.m. Twitter put its own engineers on the outage, saying in an online post they were continuing to “investigate the root causes and mitigation strategies.”
Dyn said the attacks were “distributed denial of service,” in which an internet service provider is incapacitated by a bombardment of traffic, often from hijacked personal computers and poorly secured, web-connected internet-of-things devices such as printers and security cameras.
Dyn’s chief strategy officer Kyle York said in a conference call the attack came via “tens of millions” of IP addresses for devices hijacked via malicious code.
“Each device is an electronic soldier,” Gartner’s Litan said, adding that attackers now have “millions more that they can harness for their armies.”
Internet security firm Verisign reported that distributed-denial attacks rose 75 percent among its customers from April through June compared to the same period last year, and that the assaults “continued to become more frequent, persistent and complex.” Most targets were cloud- and internet services providers, followed by financial services firms.
In the U.S. financial system, disruption of internet connections could cause massive damage, Litan said. “We’re not prepared for this kind of volume of attack at once,” she said.
Lawrence Zelvin, a former Department of Homeland Security cybersecurity director and now head of global cybersecurity for Citibank, in 2014 warned Congress that distributed-denial assaults against financial services companies were becoming more powerful.
The attack raised concerns that a similar assault could interrupt some aspects of voting on Nov. 8. Thirty-one states and the District of Columbia allow overseas military and civilians to vote online. Barbara Simons, an adviser to the federal Election Assistance Commission, told the New York Times she worried about these sorts of incidents.
“A DDoS attack could certainly impact these votes and make a big difference in swing states,” Simons told the newspaper. “This is a strong argument for why we should not allow voters to send their voted ballots over the internet.”
Most companies use a single provider such as Dyn to connect users to their websites, Sirota said. “If they go down, you go down,” he said.
This incident should be a “clarion call” to U.S. companies, Sirota said.
By 2 p.m. Friday, most affected sites appeared to be accessible. Dyn said in a conference call the attacks had originated in part with malware code made available via the internet in recent weeks.
Security researcher Brian Krebs wrote last week on his website that the “Mirai” code had been let loose, “virtually guaranteeing that the internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
Security firm Flashpoint late on Friday said in a blog post it had confirmed that the Mirai malware was involved in the attack, and some of the devices hijacked to send traffic to Dyn were digital video recorders.
