The largest cyberattack in history wasn't originated from a group, but one individual, from one laptop, an inside source has exclusively told Heavy.com.
There's been a lot of coverage on the massive cyberattack on Spamhaus. Initial reports said that the attack was due to an ongoing feud between Cyberbunker, an ISP, and Spamhaus, an organization trying to stop email spamming. However, in an interview with Heavy.com, spokesperson Sven Olaf Kamphuis said that a group named Stophaus was the ones behind the attacks.
[Author's Note: We previously referred to Stophaus as an "offshoot of Cyberbunker." However, Sven Olaf Kamphuis clarified this and said they have "overlapping interests," but that Cyberbunker is separate from Stophaus.]
These reports also indicated that the effects of the attacks were being felt in other areas of the Internet, including a global slowdown in Internet speeds, failed routers in Internet Exchanges in Hong Kong, London, Frankfurt, and Amsterdam, and issues with the popular streaming service, Netflix (many of these claims have been denied by Sven Olaf Kamphuis.
Most media reports blame Cyberbunker and Stophaus, or either one of the two organizations. However, it seems like the reports were wrong; after a discussion with a Stophaus administrator, we can confirm that the attack was initiated by one hacker, on one laptop, and only a few Stophaus members followed suit.
After my interview with Sven Olaf Kamphuis, I received a message on Twitter from an account called "The STOPhaus Movement" asking if I could talk to them via Skype. Initially, they were under the impression that I wrote a different article, but we quickly clarified that when we chatted this morning. The administrator, who we'll call Mr. Jones, told me about the origins of the Stophaus movement:
The STOPhaus Movement did not form over a Cyberbunker incident. Sven joined STOPhaus as it progressed into a movement and brought many allies to the cause. He did not, however initiate the movement, promote the movement, and does not organize the beliefs or actions of those within movement...We, as a group, believe that the media is attempting to isolate the incident into a small feud and between 2 entities.
According to Mr. Jones, the dispute has been ongoing since late 2010, but members of "The Movement" against Spamhaus have been fighting the organization since 2002.
In 2010 Spamhaus placed some guy on their ROKSO list that was supposed to be a big spammer or something. He started feuding with Spamhaus and they reacted with knee-jerk reporting to demonize this guy. He initiated a campaign against them and it grew as it was organized into forums and groups. That guy hosted at Cyberbunker after Spamhaus attacked him with DoS efforts and he became their target. Since CB3ROB was already a target the materials being published by this guy were encouraging. Over time and organically, the movement grew in resources and support.
I then asked about whether or not Stophause was worried the government's of five different countries would be investigating the largest hack in the world. Mr. Jones replied that, historically, there was no precedent set that said that their "goals to eliminate coercive pressure within the anti-spam community and restore net neutrality and free sharing of information warrants criminal prosecution." He added that it actually warranted the correction of the Open DNS resolvers that were used to initiate the attack.
We then talked about the rumors that the Spamhaus attack was spilling over to other parts of the Internet.I asked Mr. Jones, "Once you and your members realized that the attack was spilling over to other parts of the Internet, did you guys stop the attack? Also, what are your future plans to stop Spamhaus?"
Mr. Jones replied that Stophaus never realized the ramifications of the attack until Cloudflare CEO Matthew Prince made the claim. Apparently, the only other report that showed collateral damages was produced by Spamhaus, which meant it held little to no value to the members an organization hell-bent on destroying Spamhaus. However, Mr. Jones added that Stophaus never received any indication that the Internet slowed down, and their data doesn't support the claim that the Internet slowed down globally or even in Europe.
He also added that no members of the group had any desire to cause any harm to the Internet public. Sven Olaf Kamphuis said something similar in my interview with him yesterday. It seems like neither Cyberbunker nor Stophaus want to shut down the Internet, just Spamhaus. However, in a world that remains connected by an invisible web, the attackers failed to realize that their actions could have repercussions around the world. The global effects wasn't Spamhaus' goal or the purpose of the attack, simply a negative externality.
Mr. Jones also outlined Stophaus' goals:
1. Expose Spamhaus and their operations to the public for the public to provide real feedback to their concerns
2. Lobby for political and legal support
3. Begin global civil and criminal proceedings against Spamhaus for their actions. This includes violations of several federal and international regualtions, violations of the UN Declaration of Human Rights, and violations of several country's codes on Anti-Terrorism actions.
The goals were lofty by any means; cyberattacking a well-respected organization to bring their more shady business practices into light so that government organizations and agencies can go after Spamhaus? Wouldn't agencies focus their energy towards Stophaus for almost bringing down the Internet?
I asked Mr. Jones whether or not they'll be able to achieve the goals he outlined now that government agencies are getting increasingly worried over " your 300 gigabite attack on Spamhaus."
Mr. Jones started off by saying my use of "your 300Gbs attack" was "a bit misleading." He continued, saying that Stophaus began as a group of people who were kicked out of their services after facing DoS attacks from Spamhaus, and that many people, including some agencies, became interested in the work Stophaus was doing. Mr. Jones asked rhetorically, "How can the internet be any worse becaue Spamhaus stops publishing libel and only lists the IPs that emit spam and stop escalating innocent IP ranges to manipulate ISP decisions via blackmail?"
Then Mr. Jones dropped the bombshell:
There was a dDoS attack done by 1 single member that we know of orchestrated attacks and several following along in protest. He remains very anonymous and no one could identify anything more than a screen name that seems to change often. That is where the mystery is I suppose. There may be a misconception in the thinking of a large network.
He continued, explaining how this sort of attack — despite how massive it was — doesn't require a large network, simply a request to Open DNS servers that produce an amplified response. The attacker amplified the effect "about 100:1," which was how a single laptop was able to almost take down the Internet. Mr. Jones said that, using a single laptop, the attack could have "easily been amped up" to 500 Gbs or even 1TB, which would be an astounding 20 times average DDoS attack that took out major banks (50 Gbs). Interestingly, Mr. Jones noted that Stophaus was "impressed by his work, but not by his equipment."
I was floored and thought I misunderstood. I asked "So your saying that it wasn't a group that launched this attack, it was an individual? From one laptop?"
His response? "You are correct."
Apparently there was some discussion about taking down Spamhaus "once and for all" instead of the usual complaining that takes place on the forum. There were other operations set up, including setting up an intranet without censorship and actively closing SMTP, with Mr. Jones comparing the email protocol to "an extinct dinosaur." However, the DDoS attack was apparently only one thread on the forum and simply was acted upon by a member.
I was obviously interested in the hacker, so I asked for more details. Mr. Jones, understandably, was wary to divulge any information that "may lead to the harrassment of the attacker." However, Mr. Jones did comment on the attackers persona:
He is a nice gent on chat, has not belittled any governments or seemed to have any agenda, other than to see an end to Spamhaus, and that he is very quiet at most times. He has used 4 or 5 different screen names that I will not identify and he is committed to a worthy cause.
I asked Mr. Jones for a few more specifics about the hacker and how the attack developed. The way Mr. Jones made it seem was that it wasn't really planned intricately or a predetermined attack. "I can't really say much about him because there was not much to say. The posts were something like, "Want to see Spamhaus fall?" followed by a lot of "hell yeah" and then his PM counters when up, rep went up, and the post was, "Spamhaus down" with a link to a screenshot. His rep really did well after that and on March 20th, I believe, he shut the attack down because of reports that people may be getting affected outside of the target.
Mr. Jones did add that the attack ended on March 20th, a full week before most media outlets picked up on the Spamhaus tweet.
The entire conversation was very enlightening and Mr. Jones and I spoke extensively about Stophaus' ideaology and his group's issue with Spamhaus. We'll be posting more on the conversation soon.