A series of denial-of-service attacks against banks and government agencies in the Netherlands was carried out by an attacker using a Mirai botnet variant, according to new research from the cybersecurity firm Recorded Future.
The late January attacks temporarily brought down the networks of the Netherlands' national tax office as well as online banking services for ABN Amro, ING and Rabobank. The attackers themselves have been subject to much speculation but remain unknown at this time.
Researchers said the malware used in the attacks may be linked to IoTroop, code that infects Internet of Things (IoT) devices like routers, televisions and cameras in order to send a tsunami of data at a target until the network buckles under the weight. IoTroop also shares a lot of source code with the infamous Mirai malware.
“This is the first time we have observed an IoT botnet being used since Mirai and it may be the first time IoTroop has been used to target victims since it was initially identified last year,” researchers Priscilla Moriuchi and Sanil Chohan said.
IoTroop was first spotted in October 2017 when Check Point researchers said it was “evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.”
Mirai was used in a series of unprecedented 2016 denial-of-service attacks that, most notably, took down the DNS provider Dyn and with it a huge swath of the internet’s most prominent websites for much of the United States.
The Netherlands arrested an 18-year-old man in February 2018 on charges of launching a series of denial-of-service attacks, but it’s not clear if he’s responsible for the January 2018 attacks in question.