IE 11 is not supported. For an optimal experience visit our site on another browser.

Who Shut Down the Internet Friday?

Some experts suspect the Russians, but other see no sign of Russian involvement in what they consider internet vandalism.
Image: Computer keyboar
Three DDoS attacks prevented users from accessing sites ranging from Amazon to Reddit to PayPal on Friday.Oliver Nicolaas Ponder / Getty Images/EyeEm

Cyber experts and intelligence officials told NBC News it was too early to determine who was responsible for the cyber attacks that caused massive internet outages across the U.S. Friday, with some saying their analysis pointed to Russia and others saying it could just be “internet vandalism.”

The three “denial of service,” or DDoS, attacks, hit at about 7 a.m. , noon and 4 p.m. Eastern Time, knocking out such websites as Vox, Twitter, Spotify, Amazon, PayPal and Reddit.

The attacks used the “internet of things,” meaning “smart” household appliances like DVRs, routers, printers and cameras that are linked to the web, to create “botnets” that overloaded websites by sending them more than 150,000 requests for information per second.

Officials said the attacks were largely aimed at internet infrastructure linked to one company rather than specific websites. Nearly all of those attacked were clients of Dyn, a firm that provides domain name system services and other internet infrastructure services. However, according to one official, there was also targeting of some individual websites.

"We have begun monitoring and mitigating a DDoS attack against our Dyn Managed (Domain Name System) infrastructure,” Dyn said on its website at 11:52 a.m. ET. “Our engineers are continuing to work on mitigating this issue."

A senior intelligence official told NBC News that the current government assessment is that the attacks were a “classic case of internet vandalism,” and did not appear to be state-sponsored or directed.

But two other senior intelligence officials told NBC News that while forensics on the attacks are far from complete, initial analysis points to the attacks being “Russian in origin” –- based on the methods and magnitude.

The Russian intelligence agency known as FSB enlisted Russian cybercriminals in 2008 to mount a similar cyberattack on the Republic of Georgia. Eight years later, there are far more devices hooked up to the internet, and available to be used in bot-nets for DDoS attacks.

“This is the Georgia attack on steroids,” said an intelligence official. South Korea, India, Spain, Brazil and the U.K. also experienced major outages Friday.

Is It Really Russians?

Shawn Henry, chief security officer of the cybersecurity firm Crowdstrike, expressed caution about blaming Russians. He said many possible explanations were circulating around the internet Friday. He didn’t rule out Russian involvement, but said it was “very, very early” to determine responsibility.

Henry said what was most ominous about the attacks is that they reveal that the U.S. is seriously vulnerable to cyber attack: “This demonstrates the fragility of the network and infrastructure.”

Several internet experts told NBC News that they didn’t see any Russian fingerprints.

Andrew Komarov of InfoArmor told NBC News he didn’t see any sign of Russian involvement at all, whether state or private. He noted that the botnet used in the attack, “Mirai,” was developed by an English speaker and that he had found no link between “Mirai” and the Russians, who have their own much more sophisticated methods.

He said the attacks seemed more consistent with the methods used by the hacking group known as Lizard Squad, two of whose members, both teens, were arrested earlier this month in the U.S. and the Netherlands and charged in connection with DDoS attacks.

Said Komarov, “We have some context, that because of similar victims, using Dyn, and also tactics, tools and procedures by threat actors, it may be a revenge for the past arrests of DDoS'ers in the underground, happened several weeks ago.”

Dmitri Alperovitch of Crowdstrike also expressed doubt about a link to the Russian government, and speculated the attacks might have to do with a recent interview that cybersecurity expert Brian Krebs did with Dyn mentioning Russian organized crime. Alperovitch said use of a botnet bears the hallmark of a criminal rather than state attack, and the target may simply have been Dyn, not the U.S.

Flashpoint, a private cybersecurity and intelligence firm, noted that the Krebs site was attacked in September by a Mirai botnet, and the Krebs site was among those attacked Friday. The hacker who attacked Krebs in September released the source code on the web earlier this month, and hackers have copied the code to create their own botnets.

Flashpoint said it had concluded that the Friday attacks were not mounted by hacktivists, a political group or a state actor.

A senior federal law enforcement official confirmed that the attacks used a botnet exploiting the internet of things, and that the FBI is investigating. The official said federal law enforcement had not yet made a determination about who launched the attack and why.

Richard Greenberg and Pete Williams contributed to this report.