Anna-senpai – Analysis of the Threat Actor behind the Leak of Mirai

The Mirai IoT Botnet has made a lot of headlines in recent weeks. While the botnet itself was analyzed and discussed by a number of security researchers and companies, none addressed the threat actor behind the recent attacks and the leak of Mirai source code. Such an analysis can provide useful insights into the recent attacks and the origins of the botnet.

General Background

Anna-senpai is the pseudonym of the threat actor responsible for leaking the Mirai source code. The threat actor joined the closed forum (hackforums) on July 10, 2016, under the nickname ogmemes123 and somewhere between late August and mid-September changed his name to Anna-senpai. The name is a reference to the character Anna Nishikinomiya from the Japanese animation series Shimoneta. In the series, Anna Nishikinomiya is responsible for enforcing some sort of censorship at her school.

According to our assessment, this is not a hint by the threat actor of his intended actions, as this forum members frequently assume Japanese anime character names as their usernames. Since registering to the forum, Anna-senpai has posted 255 posts and nine threads.

In his first thread on the forum (July 2016), titled “Killing all Telnets,” Anna-senpai warned other forum users that he was starting to takeover systems infected with qbot – a worm with backdoor capabilities. However, on hacking forums, qbot is synonymous with telnet (a communication protocol). In the same thread, Anna-senpai also refers, for the first time, to a DDoS bot in his possession, without mentioning its name.

Anna-senpai's first reference to his unnamed DDoS botnet
Anna-senpai’s first reference to his unnamed DDoS botnet

Looking at his first thread, it appears that this is not his first time on the forum and that he was (or still is) a member of the forum, registered under another name. Furthermore, it seems that Anna-senpai started the thread expressly to annoy other forum members or to show off his skills, a motive echoed in many of his posts and threads.

Another example of this behavior is Anna-senpai’s last thread, titled “AMA: I launched world’s biggest DDoS attack (1tbps).” In this thread, the hacker takes responsibility for attacking both OVH and Brian Krebs, while taunting law enforcement agencies, claiming they will never catch him. AMA (Ask Me Anything) are threads where forum members can ask the creator of the thread anything they want regarding a specific subject. In the AMA, started on October 1, 2016, Anna-senpai claimed he was at an airport in France waiting for a flight to a country that has no extradition treaty with the U.S. When asked why he stopped now, the hacker claimed that he had earned enough money and does not need to continue. When asked why he attacked the two targets, Anna-senpai was very elusive, and did not provide a clear answer.

Anna-senpai's thread where he takes responsibility for the attacks against Brian Krebs and OVH
Anna-senpai’s thread where he takes responsibility for the attacks against Brian Krebs and OVH

Motivation for the Attack

While not taking Anna-senpai’s announcements for granted, we believe that he is the threat actor behind the attacks. Not only did Anna-senpai have the malware in his possession, and he demonstrated the required knowledge for operating the botnet, but there are also some indications that he had motivation. After the attack on his website, Brian Krebs wrote in his blog that from his analysis, the reason for the attack was a research paper he published on the DDoS platform Vdos, which led to the arrests of two of its operators. Analyzing Anna-senpai’s communications, we found several posts where he defended AppleJ4ck (the forum nickname of one of the Vdos operators). While the exact nature of the connection between the two is unclear, it does appear that Anna-senpai had reasons to attack Brian Krebs.

Anna-senpai defends AppleJ4ck in a post
Anna-senpai defends AppleJ4ck in a post

While the reason behind the Brian Krebs attack was straightforward, no one has offered any reason why OVH suffered such a mass attack. On August 9, 2016, a forum member dubbed ROHFF published a thread asking where he could buy a stresser that could take down all the OVH servers. In a reply to the thread, Anna-senpai recommended the platform Jaysbooter (an online DDoS platform). Such a message indicates that Anna-senpai knew someone who wanted to attack OVH and was willing to pay for it.

While it seems that the hacker passed on the offer and referred ROHFF to someone else, it is important to remember that real deals between hackers are mostly conducted behind closed doors, usually in PM (private messages). So, there is a possibility that Anna-senpai wanted to appear uninterested, while actually connecting with ROHFF on a private channel. Either way, it seems that Anna-senpai possessed both the skills and possible motivation to be the threat actor behind the attack.

The ROHFF thread seeking to attack OVH, and Anna-senpai’s answer

Mirai’s Creator

While Anna-senpai was probably a Mirai operator and the hacker behind the attack, our analysis suggests he is not the person who created the botnet. First of all, he was operating and released the source code on a forum primarily associated with the English-speaking underground, and not on a Russian underground forum, where you would expect to find Russian-speaking hackers (as suggested from the comments in Mirai code). Furthermore, there is no indication from the hacker posts that he is not a native English speaker or a Russian speaker. Looking through Anna-senpai’s posts and threads, we can discern a tendency to show off his skills and irritate other users. However, the threat actor never posted any such thing in the technical section of the forum, something we would expect to see from someone with such a personality.

Such an indication may suggest that while Anna-senpai had the source code of the botnet, he was not the person who created it.

Activity timeline of Anna-senpai on hackforums
Activity timeline of Anna-senpai on hackforums

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s