Who is really behind the distributed denial of service (DDoS) attacks against Turkey’s Internet? Russia and Anonymous-branded social media accounts have been named as candidates, but an investigation by The Daily Dot indicates it was likely the work of a person who possessed powerful cyberweapons.
Through encrypted messages, The Daily Dot interviewed a person who claims to be the culprit and was able to demonstrate their capabilities. The individual explained how they attacked Turkey’s Internet and said they were doing it on account of the country’s helping or ignoring ISIS.
The Biggest Cyberattack Ever
The DDoS attack on Dec. 14, which has been described as the biggest cyberattack ever, targeted NIC.tr, the server that registers domains with Turkey’s country code and serves as administrator of the country’s academic Internet.
The attack peaked at 40 Gbps, undermining the country’s Internet. Nameservers became overloaded and could not respond to normal visitor requests. Nearly all domains ending in “.tr” could not be reached.
In response to the attack, NIC.tr administrators blocked all requests from outside of the country. This defensive action slowed the attacks, but emails sent to Turkish nameservers received an “unknown host” error. The blocking action left Turkey invisible to the rest of the world’s Internet for nearly a day.
Russia was immediately suspected as the culprit on account of Turkey’s downing of a Russian jet near the Syrian border. There is no evidence to support this suspicion.
CyberBerkut, a pro-Russian hacktivist group, was also suspected. This group, however, did not claim responsibility as it has following other attacks.
Anonymous Connection Rises
On Dec. 18, an Anonymous-branded account posted a YouTube video taking credit for the Turkish attacks as part of a campaign against Islamic State. On Dec. 23, a shorter version of the video replaced the original one.
The videos said they would not accept Turkish President Recep Tayyip Erdogan’s helping ISIS. They justify the attacks and cite evidence that the Turkish government is helping ISIS.
Despite Anonymous’ claims, there is no evidence the Anonymous-branded account has any connection to the DDoS attacks on Turkey’s Internet. There are other reasons to doubt such a connection.
Anonymous usually announces its attacks in advance rather than waiting for days following an attack to claim responsibility. When Anonymous does attack, it does so to infiltrate networks to leak and steal data, not just to launch DDoS attacks. There is no evidence the attacks in Turkey involved anything besides DDoS.
There are also issues with the Anonymous-branded YouTube videos. The first video was posted three months ago. Following a silence, the party behind the account began uploading videos about different Anonymous operations, which is unusual behavior.
Anonymous sources interviewed by The Daily Dot claimed the video is not related to the attacks. Two longtime Anonymous members suspected the account is connected to Anonymous “wannabes” seeking credit for the attack.
A New Suspect Claims Credit
The Daily Dot eventually identified an individual who provided few personal details but a lot of evidence suggesting they were behind the attacks.
The suspect demonstrated his or her capabilities during a conversation with The Daily Dot. The person was able to pull down Syria’s DNS servers for nearly 15 minutes. The Daily Dot posted a screenshot showing Syria’s DNS servers falling. The suspect was also able to attack jihadist and radical Muslim organizations’ websites simultaneously.
The attacker told The Daily Dot they paralyzed NIC.tr partly by using a tactic called a DNS amplification attack. Such an attack turns the DNS system against itself to produce a larger attack than would normally be possible. CloudFlare, a web services company that protects clients against DDoS attacks, said a DNS amplification attack can be 50 times as powerful as other attacks.
Asked if he or she tested NIC.tr for particular weaknesses, the suspect told The Daily Dot this effort was experimental and that he or she learned the most effective methods on the fly.
The attacker did not reveal their nationality but said their motivation was political. The suspect said the Turkish government and its president were helping ISIS or ignoring the group. The attacker also said they were helping some Anonymous groups with an anti-ISIS campaign.
A Part-Time Anonymous Hacker
The suspect told The Daily Dot he or she does not work under Anonymous full-time, but occasionally works with different Anonymous teams and often works alone.
On Dec. 24, another attack wave besieged Turkey’s top banks. RedHack, a leftist hacktivist group in Turkey, claimed the bank attacks. Since RedHack is part of the Anonymous hacktivist group, some suspected a link between the bank attacks and the Anonymous videos claiming responsibility for the ongoing DDoS attacks in Turkey. RedHack, however, always claims credit for its attacks and did not claim credit for the attacks against NIC.tr.