Defendant Also Took Part in Creating Mirai and clickfraud Botnets, Infecting Hundreds of Thousands of Devices with Malicious Software
TRENTON, N.J. - A Union County, New Jersey, man was ordered today to pay $8.6 million in restitution and serve six months of home incarceration for launching a cyber-attack on the Rutgers University computer network, U.S. Attorney Craig Carpenito announced.
Paras Jha, 22, of Fanwood, New Jersey, previously pleaded guilty before U.S. District Judge Michael Shipp to violating the Computer Fraud & Abuse Act. Judge Shipp imposed the sentence today in Trenton federal court.
According to documents filed in this and other cases and statements made in court:
Between November 2014 and September 2016, Jha executed a series of “distributed denial of service" (DDOS) attacks on the networks of Rutgers University; these occur when multiple computers acting in unison flood the Internet connection of a targeted computer or computers. Jha’s attacks effectively shut down Rutgers University’s central authentication server, which maintained, among other things, the gateway portal through which staff, faculty, and students delivered assignments and assessments. At times, Jha succeeded in taking the portal offline for multiple consecutive periods, causing damage to Rutgers University, its faculty, and its students.
On Dec. 8, 2017, Jha, Josiah White, 21, of Washington, Pennsylvania, and Dalton Norman, 22, of Metairie, Louisiana, also pleaded guilty to criminal informations in the District of Alaska charging them each with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet. In the summer and fall of 2016, White, Jha, and Norman created a powerful botnet - a collection of computers infected with malicious software and controlled as a group without the knowledge or permission of the computers’ owners. The Mirai Botnet, targeted “Internet of Things" devices - non-traditional computing devices that have been connected to the Internet, including wireless cameras, routers, and digital video recorders. The defendants attempted to discover both known and previously undisclosed vulnerabilities that allowed them to surreptitiously attain administrative or high-level access to victim devices for the purpose of forcing the devices to participate in the Mirai Botnet. At its peak, Mirai consisted of hundreds of thousands of compromised devices. The defendants used the botnet to conduct a number of other DDOS attacks. The defendants’ involvement with the original Mirai variant ended in the fall of 2016, when Jha posted the source code for Mirai on a criminal forum. Since then, other criminal actors have used Mirai variants in a variety of other attacks.
Jha and Norman also pleaded guilty to criminal informations in the District of Alaska charging each with conspiracy to violate the Computer Fraud & Abuse Act. From December 2016 to February 2017, the defendants successfully infected more than 100,000 primarily U.S.-based Internet-connected computing devices, such as home Internet routers, with malicious software. That malware caused the hijacked home Internet routers and other devices to form a powerful botnet.
The defendants then used the compromised devices as a network of proxies through which they routed Internet traffic. The victim devices were used primarily in advertising fraud, including “clickfraud," a type of Internet-based scheme that utilizes “clicks," or the accessing of URLs and similar web content, for the purpose of artificially generating revenue.
Judge Shipp also sentenced Jha to five years of supervised release and ordered him to perform 2,500 hours of community service.
On Sept. 18, 2018, all three defendants were sentenced in federal court in Alaska to serve a five-year period of probation, 2,500 hours of community service, ordered to pay restitution in the amount of $127,000, and have voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation.
For additional information on cybersecurity best practices for IoT devices, please visit: https://www.justice.gov/criminal-ccips/page/file/984001/download.
All three cases were investigated by the FBI. The Rutgers University case is being prosecuted by Assistant U.S. Attorney Shana Chen of the District of New Jersey. The Mirai Botnet and Clickfraud Botnet cases are being prosecuted by Assistant U.S. Attorney Adam Alexander of the District of Alaska and Trial Attorney C. Alden Pelker of the Computer Crime and Intellectual Property Section of the Criminal Division.
Additional assistance was provided by the FBI Newark Cyber Task Force, Rutgers University Police Department, N.J. State Police, the Federal Protective Service, FBI’s New Orleans and Pittsburgh Field Offices, the U.S. Attorney’s Office for the Eastern District of Louisiana, the United Kingdom’s National Crime Agency, the French General Directorate for Internal Security, the National Cyber-Forensics & Training Alliance, Palo Alto Networks Unit 42, Google, Cloudflare, Coinbase, Flashpoint, Yahoo and Akamai.
Defense counsel: Robert Stahl Esq., Westfield, New Jersey
Source: U.S. Department of Justice, Federal Bureau of Investigation (FBI)
