04 Sep 19

‘Satori’ IoT Botnet Operator Pleads Guilty

A 21-year-old man from Vancouver, Wash. has pleaded guilty to federal hacking charges tied to his role in operating the “Satori” botnet, a crime machine powered by hacked Internet of Things (IoT) devices that was built to conduct massive denial-of-service attacks targeting Internet service providers, online gaming platforms and Web hosting companies.

Kenneth “Nexus-Zeta” Schuchman, in an undated photo.

Kenneth Currin Schuchman pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, Schuchman was part of a conspiracy with at least two other unnamed individuals to develop and use Satori in large scale online attacks designed to flood their targets with so much junk Internet traffic that the targets became unreachable by legitimate visitors.

According to his plea agreement, Schuchman — who went by the online aliases “Nexus” and “Nexus-Zeta” — worked with at least two other individuals to build and use the Satori botnet, which harnessed the collective bandwidth of approximately 100,000 hacked IoT devices by exploiting vulnerabilities in various wireless routers, digital video recorders, Internet-connected security cameras, and fiber-optic networking devices.

Satori was originally based on the leaked source code for Mirai, a powerful IoT botnet that first appeared in the summer of 2016 and was responsible for some of the largest denial-of-service attacks ever recorded (including a 620 Gbps attack that took KrebsOnSecurity offline for almost four days).

Throughout 2017 and into 2018, Schuchman worked with his co-conspirators — who used the nicknames “Vamp” and “Drake” — to further develop Satori by identifying and exploiting additional security flaws in other IoT systems.

Schuchman and his accomplices gave new monikers to their IoT botnets with almost every new improvement, rechristening their creations with names including “Okiru” and “Masuta,” and infecting up to 700,000 compromised systems.

The plea agreement states that the object of the conspiracy was to sell access to their botnets to those who wished to rent them for launching attacks against others, although it’s not clear to what extent Schuchman and his alleged co-conspirators succeeded in this regard.

Even after he was indicted in connection with his activities in August 2018, Schuchman created a new botnet variant while on supervised release. At the time, Schuchman and Drake had something of a falling out, and Schuchman later acknowledged using information gleaned by prosecutors to identify Drake’s home address for the purposes of “swatting” him.

Swatting involves making false reports of a potentially violent incident — usually a phony hostage situation, bomb threat or murder — to prompt a heavily-armed police response to the target’s location. According to his plea agreement, the swatting that Schuchman set in motion in October 2018 resulted in “a substantial law enforcement response at Drake’s residence.”

As noted in a September 2018 story, Schuchman was not exactly skilled in the art of obscuring his real identity online. For one thing, the domain name used as a control server to synchronize the activities of the Satori botnet was registered to the email address nexuczeta1337@gmail.com. That domain name was originally registered to a “ZetaSec Inc.” and to a “Kenny Schuchman” in Vancouver, Wash.

People who operate IoT-based botnets maintain and build up their pool of infected IoT systems by constantly scanning the Internet for other vulnerable systems. Schuchman’s plea agreement states that when he received abuse complaints related to his scanning activities, he responded in his father’s identity.

“Schuchman frequently used identification devices belonging to his father to further the criminal scheme,” the plea agreement explains.

While Schuchman may be the first person to plead guilty in connection with Satori and its progeny, he appears to be hardly the most culpable. Multiple sources tell KrebsOnSecurity that Schuchman’s co-conspirator Vamp is a U.K. resident who was principally responsible for coding the Satori botnet, and as a minor was involved in the 2015 hack against U.K. phone and broadband provider TalkTalk.

Multiple sources also say Vamp was principally responsible for the 2016 massive denial-of-service attack that swamped Dyn — a company that provides core Internet services for a host of big-name Web sites. On October 21, 2016, an attack by a Mirai-based IoT botnet variant overwhelmed Dyn’s infrastructure, causing outages at a number of top Internet destinations, including Twitter, Spotify, Reddit and others.

The investigation into Schuchman and his alleged co-conspirators is being run out of the FBI field office in Alaska, spearheaded by some of the same agents who helped track down and ultimately secure guilty pleas from the original co-authors of the Mirai botnet.

It remains to be seen what kind of punishment a federal judge will hand down for Schuchman, who reportedly has been diagnosed with Asperger Syndrome and autism. The maximum penalty for the single criminal count to which he’s pleaded guilty is 10 years in prison and fines of up to $250,000.

However, it seems likely his sentencing will fall well short of that maximum: Schuchman’s plea deal states that he agreed to a recommended sentence “at the low end of the guideline range as calculated and adopted by the court.”


51 comments

  1. The Sunshine State

    “Asperger Syndrome and autism”, always the common denominator for wannabe miscreants.

    • Considering the confirmed attacks, “wannabe” is a bit insulting. As is your tone here that clearly reflects your general opinion of folks with Asperger’s.

      • Oh don’t be an offended nuisance. He was obviously referring to his disdain of criminals.
        Why do criminals always blame Asperger’s though?

        • They don’t “always” blame Asperger’s or autism.
          In fact, it is EXTREMELY RARE for someone to offer that as a defense.
          Why? Because it has to be diagnosed well in advance of the alleged crime.

          So when someone does offer that as a defense, it is legitimate. Because people don’t just get diagnosed for s*&gs so they can blame future crime on it.

      • The Sunshine State

        I live in an apartment complex that has a guy who has Asperger Syndrome. He doesn’t commit crime, and having that disorder is not an “excuse” for doing DDoS attacks against internet infrastructure.

        • Brian Fiori (AKA The Dean)

          Asperger’s (or anything on the spectrum) may be a contributing factor. It may be something to consider in sentencing. But it isn’t the reason, or an excuse, for the crime.

  2. This is another case of dejected miscreants who delve into computers instead of traditional organised crime.
    I guess they all look pale and sad because of the light of the computer monitor, or something.
    Kind of like how the mafia wear pinstripe suits.

  3. Thanks for sharing this informative information with us. It is necessary whereas people are cashless, but the cybercrime is going on peak and how ransomware attack on our personal and official data or information.

  4. Hmm not the sharpest tool in the shed…
    all he had to do was use qubes+vpn+whonix and register domains anonymously with fake information and emails that he created/logged in exclusively with tor and then pay with bitcoin and only way he would get caught would be if he carelessly handled bitcoin and got traced to his exchange but I guess getting doxed and using windows 10 and home ip must be this new sick method.

    • …seems like you are speaking from experience here? Hopefully not. In any case, regardless of how “sharp” a cyber-criminal is, they will get careless or complacent at some point with their OpSec and get caught. I mean, just look at how many times Brian has a report detailing some form of attack, then months (or even years) later, there are very obvious bread crumbs that led to the attacker being caught. More often than not, it’s because they were careless with their OpSec.

      • Speaking from experience? You don’t have to be a criminal to know these things. I’d go as far as to say that most competent technical cyber security professionals know this already.

        Also, I have to disagree with the part about criminals in general becoming careless. While “seemingly” rare, there are plenty of criminals who commit acts and get away with it…with law enforcement none the brighter. If anything, it’s usually just the criminals screwing up that gets them caught (No, I do not encourage committing crimes, I’m merely just being realistic).

        • It is fair to say that keeping up constant opsec is a non-trivial task. Sure, “all he had to do is…” X, Y, and Z…and keep doing it, never accessing via a system that could leave breadcrumbs behind, and never discussing it from an account that can be traced back, and etc.

          The miscreant has to be on guard and cautious *every* time they access the system, even when they wake up to some alarm or failure, or they believe someone might be tracking or attacking them.

          That kind of discipline is possible, but it’s exceedingly rare. Even more rare in teenagers or 20-something kids, neurotypical or not.

        • I think you’re failing to realize the constant upkeep of OpSec for a criminal. It’s not like you can use all of the following once:

          -Qubes
          -VPN
          -Whonix
          -Pay with bitcoin

          You have to keep up with it constantly. If a criminal is doing these things every single time they log onto a system, fantastic! They’re in the 0.001% of criminals. However, we can’t be so dull to think they aren’t getting careless at some point.

          Look at the recent example of the Capital One hack. Leading up to the exposure of the data, the dude was fairly smart in covering his tracks and how he accessed the systems/data… until he posted the information on his personal GitHub account. [facepalm]

          Though extremely careless and stupid, that was a clear example of how that happens; however, a less clear example would be a similar situation, but maybe someone created the same (or very similar) username that frequents hacking forums, etc. There are breadcrumbs all over the place that people leave. Some larger and some smaller, but breadcrumbs are breadcrumbs at the end of the day.

  5. Hey, if someone catches me red handed doing something illegal, remind me to plead the “ass burger case,” it works all the time in the blue state, doesn’t it?

    • Works as much as people who claim “1st amendment” for everything they do, cause they call it “speech”.

      A person must be diagnosed by a doctor well ahead of time to use it as a defense.. and people don’t just endure the expense and time it takes, just on the chance it may be of benefit in some future prosecution.

      • Dennis said if someone catches him red handed doing something illegal, remind him to plead the “ass burger case”. Clearly it was sarcastic and a joke.

        You can’t compare people claiming 1st amendment rights, which all Americans have, to Asperger’s which is something that a small subset of Americans have.

        • It didn’t seem sarcastic to me. It came across as liberal-bashing and politicizing for no reason.

          Yes, that was my point… that his remark implied that anyone, at any time, could claim this defense, as if it were granted.
          It shows an ignorance of the condition and of the defense, to think that.

          I wasn’t comparing the two defenses, but rather people who would use them. This comparison is regarding the ignorant people who invoke the 1st amendment for anything and everything when it does not apply… to the original comment’s caricature of someone who would blame Asperger Syndrome when they don’t have it.

    • Murder is legal in red states, right? Just have to claim “stand your ground”.

      Much easier than claiming Aspergers… which requires a prior diagnosis from a doctor. With “stand your ground”, you just have to tell the story right. The only other witness is dead.

  6. He’s clearly just a full loser and has no autism or asperger’s, because he makes eye contact and can interact socially with other losers.

    Plus, that hair.

    Another b.s. Alaska Fed prosecution, though. I expect someone will eventually challenge, and win reversal, of the convictions taking place in the alcoholism and suicide armpit of the country, far from a high quality legal defense and defendants’ families.

    • Please stop posting about something you obviously know nothing about.

      Asperger’s/Autism does not present in such a limited way. Yes, the stereotype is lack of eye contact (think Rain Man), but the reality is that folks on the spectrum can in fact present as typical kids and adults not on the spectrum.

      Until you sit down and talk with them.

      My son is autistic and unless you sit down and meet him you can’t tell that he’s not your typical mid 20’s adult male but the minute you do you’ll pick up on it, real fast.

      You can’t base anything on a few pictures and an article and come away knowing if someone is on the spectrum.

      • BeVacuousElsewherePlease

        This has always been the issue with neurotypicals making idiotic assessments of individuals with autism. “Forgive them [neurotypicals] for they know not what they do [always saying stupid stuff about things they know nothing about].”

        Even with a diagnosis on the spectrum, such a diagnosis is separate and apart from any crimes the individual in question may have committed. Many factors would have to be taken in to consideration (including any mitigating factors related to ASD) in handing down any punishment.

        In any case, if this individual *is* on the spectrum, it’s yet another example of wasted talent.

      • The definition of autism was expanded to cover “a spectrum” of behavior, solely to grab larger chunks of research grants and special education funding, and allow doctors to increase their billing for kids with a variety of other disabilities that hadn’t been given much attention.

        The DSM codification was in 1980 and included much more than the original autism definition from 1943. This was a pure money grab by the APA, because insurers only cover disorders that are defined. And by using an expanded definition, it doubled the pool of possible patients they could label as autistic.

        Then in 1987, the definition was further expanded, allowing clients with only part of the original diagnosis to qualify for medical funding. Researchers pushed for this, because it also included adults in the definition of autism, meaning the pool of research subjects would increase and research grants would increase.

        And again in 1994.

        And educators wanted to have their troubled kids to be covered under special education law and funding, which is more costly than general education. Labeling kids lets schools hire more teachers. To do this, they pushed for the DOE to include “spectrum” autism in 1991 for special education funds.

        It’s all about the money.

        The spectrum is a fallacy. There is just one real definition of autism. Everything you think you know is nonsense.

        Pervasive developmental delays attributed to the “autism spectrum” are lies told a generation of kids and adults, born out of greed.

        I don’t blame you for having been the victim of the “Autism Speaks” lies and similar politically motivated advocates; their administrative organization relies on your ignorance to fund their salaries.

        If your kid is that well adapted, he doesn’t have autism. He’s just unique and special. Take that fake label off him, so he doesn’t have to grow up as a cash cow for the education, research, and medical cartel.

        • It’s always about the money! What is the real definition?
          And what is the APA?

          • The science of the DSM is still very sound.
            Money is usually involved, but only after people find a way to abuse the system. But that does not mean the science is flawed or any conspiracy is the cause.

            The real issue is how some people, bigots like Readership1, cannot fathom anything but a black-and-white worldview.

            He holds to the original 1943 definition of autism as if the science was anywhere near as good as it is today. This is before most people even knew that sexuality was a spectrum. Bisexuality was often refuted as nonexistent. Kinsey was still doing his studies in the 40s.

            Most things involving nature or human development are indeed on a spectrum. Of course we do cluster toward normal, but it takes an understanding of science to realize that the world isn’t truly just black-and-white.
            The science on autism is light years ahead of what it was in the 1940s. But I’m sure some bigots wish they could go back to those good old days where blacks drank from separate fountains, interracial marriage was illegal, homosexuality got you disowned, and there was no such thing as a bisexual person.

        • Just another anti-science rant pushing some conspiracy. Anti-vaxxers and climate change deniers have the same world view.

          Talk to an actual scientist sometime, instead of Alex Jones types.

          • What a straw man argument to bring in Anti-Vaxxing lol. Since you brought it up: why are you leftists for people’s “right to choose” when it comes to anything social, but when it’s someone’s right to choose if they vaccinate or not, you’re hypocritically intolerant? If your kids are vaccinated, what does that matter to you if someone else’s are not? Your kids would be protected, right?

            • Apparently it’s not a strawman argument, because you just proved my point that you, who are against the proven psychological definition of autistic, have the same worldview that is generically anti-science, by being anti-vax too.
              Your argument is still based on misconceptions and ignorance. But I will answer anyway.

              Liberals are still concerned about the social ramifications, and a right to choose. Even when concerning vaccinations. Every liberal I know would absolutely be fine with parents not vaccinating their kids, if they were homeschooled and were not allowed to mingle with other kids because of their possible contagion. Allowing your kids to attend public school without basic medical protection steals the choice of other parents to send their kids to safe schools.

              Even libertarians agree that individual rights only extend an arm’s reach. And those liberties end as soon as you start affecting other people against their will.

              An individual’s right to choose what’s best for them is paramount, but the real issue is how it affects everyone else in society. There are things, the commons, in society that everyone must share. That’s why liberals care so much about air, water, public health.

              Your tired argument about vaccinated kids already being protected has been refuted already ad nauseam. This is why I call you anti-science. Because of your refusal to pick up a book or listen to a scientist.

              • If I did my own scientific research on vaccination and I’m convinced not to do it, how is that anti-science? I’d argue that parents who don’t vaccinate are protecting their kids. You have no idea the research that people do which convinces them not to vaccinate. It’s easy to claim “anti-science” when it doesn’t fit your opinion. Just like how everyone is a racist, bigot that doesn’t think the way you do, right? It’s not like one day they’re like, “Ahhhh, today is a good day! Ya know, I hate my kids and I don’t want to keep them protected. I think I won’t vaccinate.”

                Have you read up on vaccine-related injuries? Heck, or even the side effects of vaccines? The side effects, in most cases, outweigh what the vaccine is trying to prevent. I personally know a couple that have a 3-yr old who has a seizure disorder that is confirmed to be from the MMR vaccine. That’s just one case, obviously, but that caused my wife and I to do more research for the time when we do have kids. How can you say that’s anti-science? Because it doesn’t fit your ideology and agenda. Typical left-wing, hypocritical thinking. You shun everyone that has a different opinion than you, but are “tolerant” of those that are of the same mindset. You’re proving that now as you’re arguing with a random person on the internet (much like what I see you do on all of Kreb’s articles by the way) about vaccinations, which doesn’t fit your opinion. Have a great day, Joe. I won’t be checking this again so I’ll let you have the last word–which I know you’re dying to get from what I’ve seen with your other comments. I think you’ll appreciate that 😉

                • “If I did my own scientific research on vaccination and I’m convinced not to do it, how is that anti-science?”

                  Because you don’t actually do “scientific research,” you do internet research. And not understanding the difference is anti-science. If you think that Googling is real science, then that is the root of the problem.
                  There is a reason why the resurgence of anti-science coincides with the Internet/YouTube generation. Unless you actually get a degree in medicine or work in an actual lab… it is highly unlikely you are actually doing scientific research.

                  “Bigot” has a clear definition, and no, I am not just applying it to anyone who disagrees. The history of Readership1’s comments falls clearly into the bigot category.

                  I am sure that parents do believe they are protecting their kids. They just don’t have the knowledge or education to know what that means. They get confused by false “wisdom” they find on the internet. Real science is not intuitive to the layperson. The science of the very small (like biology) isn’t going to be understood by a soccer mom. This is why doctors garner such trust, because they have the education that cannot be replaced by a few hours of Googling and watching YouTube.

                  If an actual doctor confirms that a specific vaccine is a problem for a specific child… that is VERY different. In fact, that is one of the reasons why herd immunity is so important, because some small minority of kids cannot be vaccinated. So if too many kids who can safely get vaccinated, but don’t… that allows it to spread into an epidemic.

                  Wow… your hatred of liberals causes even more ignorance. It isn’t liberals who are against anti-vaxxers… Most anti-vaxxers are liberals. Look at the trends of parents refusing vaccines… mostly hippie, homeopathic liberals.

                  Going back to my original point.
                  Bigots tend to be very anti-science, across different issues. And you are reinforcing my point. It doesn’t matter who gets the last word. If you reply with something sensible, logical, or something that doesn’t warrant a reply, you get the last word as I don’t feel the need to reply. However, if you spout anti-science nonsense that attacks people based on ignorance… yeah, it’ll get a reply.

                  We are all entitled to our own opinion, but not our own facts. And the only factual opinion that matters in fields of science (whether concerning vaccines, climate or brain disorders)… is a scientist’s. So if my opinion aligns with the consensus of scientists… then it holds more weight than the anti-science conspiracy theorists who get their “wisdom” from the Internet.

  7. Ahhh, does this boy know he has a muskrat on his head…

  8. In reply to sunshine. It is wrong to blame a lack of something, as Asperger’s is, on a lack of morals. Asperger’s is a mental path overloaded, hampering proper action. A lack of morals means sometimes you throw something under the bus, just for the fun of it. And fun varies for everyone.
    And, an interesting point here, the minor was leading with the reprogramming of the attack vector; sounds as if he may get the job. Or the offer of one.

  9. Botnets+swatting should result in a heavy fine and jail time. He also demonstrated willful misconduct even after being indicted. It’s unlikely he will stop with just a slap on the wrist.

  10. I know you usually call for a little hand holding and coaching for these punks. But put a few in a car crusher and stream it live, and they will be less of these scum pushing buttons of other people.

  11. I find it hard to believe anyone complained about port scanning since it is not illegal. I block the hosting company when I get scanned, but that is totally whack a mole.

  12. Brian:
    Off-topic ….

    Heads-up for upcoming seminar — Asymmetric Threat Symposium XII, Oct 7, George Mason U, Arlington campus.
    http://www.asymmetricthreat.net

  13. Hitler killed millions.
    But…but…he had ailment X and disease Y.
    Poor guy, let’s go easy on him.

  14. What’s with the hair?

    • Rube Goldberg's Razor

      D.eliberate D.enial O.f S.cissors attack – a recurring M.O. in this type of criminal activity, often comorbid with male pattern petulance (MPP). };^D

  15. So what I want to know is, who is Vamp? In the UK?

    I need to verify a couple of things first, but it may be Vamp that is someone who enjoys playing an evil god, and a creator of a vast fraudulent accessibility framework & educational enterprise using bots and background voice assist, on the basis that the user has speech & hearing issues when they don’t have any special needs at all! It’s all a bit sick really; this group is targeting children and games consoles. Several other UK individuals, Rugby, Slough, Essex, plus USA links to MIT, Dallas & Florida (some relevance to a Dallas CTF team). Any info welcomed.

  16. Awesome blog post, thanks for sharing

  17. His biggest crime is that haircut. Is that just a weird giant forward-facing poof? Or the front part of a fro-ey Mohawk?
