Millions of hijacked devices powered traffic floods targeting defense systems and beyond The US government has moved to disrupt a cluster of IoT botnets behind some of the largest DDoS attacks ever recorded, including traffic bursts topping 30 terabits per second.…
# Incident Report: Federal Disruption of Record-Breaking IoT Botnets (Aisuru, KimWolf, JackSkid, Mossad)
## Executive Summary
The US Department of Justice, in coordination with international partners, disrupted a cluster of four IoT botnets (Aisuru, KimWolf, JackSkid, and Mossad) responsible for some of the largest DDoS attacks ever recorded. Comprising over three million hijacked devices, the infrastructure generated traffic bursts exceeding 30 Tbps against targets that included defense systems and other critical infrastructure worldwide. The operation seized command-and-control (C2) domains and backend systems, cutting the operators off from their bot fleets; the infected devices themselves remain compromised until they are patched, reconfigured, or replaced.
## Incident Details
- **Discovery Date:** Pre-March 2026 (Investigation duration unspecified)
- **Incident Date:** Active leading up to disruption on March 20, 2026
- **Affected Organization:** Multiple, including the US Department of Defense and global private/public sectors
- **Sector:** Defense, Government, Technology, and General Public
- **Geography:** Worldwide (Infrastructural disruption coordinated in US, Germany, and Canada)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing period prior to March 2026
- **Vector:** Exploitation of weak credentials and unpatched vulnerabilities
- **Details:** Attackers targeted "soft" IoT devices including routers, IP cameras, and DVRs with default passwords or outdated firmware.
### Lateral Movement
- **Details:** Not detailed in the report. Growth came from automated internet-wide scanning and self-propagation (each newly infected device scans for and infects further devices) rather than from movement inside a victim's network.
### Data Exfiltration/Impact
- **Impact:** Hundreds of thousands of DDoS attacks. Peak traffic measured at 30+ Terabits per second (Tbps).
- **Extortion:** Operators utilized the botnets to extort victims, threatening sustained downtime for payment.
### Detection & Response
- **Detection:** Monitoring of massive traffic spikes and high-volume DDoS activity by federal authorities.
- **Response Actions:** A coordinated international "takedown" operation seized command-and-control infrastructure and backend domains.
## Attack Methodology
- **Initial Access:** Brute-forcing weak/default credentials; exploitation of unpatched firmware vulnerabilities.
- **Persistence:** Mirai-style IoT malware runs from volatile memory rather than being written to firmware, so a reboot removes it; however, an unpatched device with unchanged credentials is typically reinfected within minutes of coming back online, which is why reboots alone do not shrink the botnet.
- **Privilege Escalation:** Not specified; usually unnecessary, because the telnet/SSH or web services on these devices run as root, so the initial login already yields full control.
- **Defense Evasion:** No specific evasion techniques are described. Attack traffic arrives from millions of distinct source addresses, which defeats per-source rate limiting and IP blocklisting at the target and makes attribution of the true operators difficult.
- **Credential Access:** Targeting default manufacturer credentials.
- **Discovery:** Automated scanning of the IPv4 address space for open ports (e.g., 23, 80, 8080).
- **Lateral Movement:** Self-propagating worm-like behavior across IoT devices.
- **Collection:** N/A (Focus was on DDoS, not data theft).
- **Exfiltration:** N/A.
- **Impact:** Massive Resource Exhaustion; DDoS-for-hire services; financial extortion.
## Impact Assessment
- **Financial:** Significant potential losses due to extortion and operational downtime; specific figures not disclosed.
- **Data Breach:** No data theft reported; focus was on availability (DDoS).
- **Operational:** Disruption of Department of Defense systems and thousands of other organizations.
- **Reputational:** High-profile demonstration of the vulnerability of the global IoT ecosystem.
## Indicators of Compromise
- **Network Indicators:**
- High-volume attack traffic originating from millions of distinct hijacked IoT source addresses; per-IP blocklists are therefore of limited value.
- Connections from IoT devices to the seized C2 infrastructure. The report confirms that C2 domains were seized but does not publish them; the domains listed below are not confirmed by the source and should be treated as unverified placeholders, not as blocklist entries:
- aisuru[.]net (defanged; unverified)
- kimwolf[.]com (defanged; unverified)
- jackskid[.]org (defanged; unverified)
- mossad[.]io (defanged; unverified)
- **File Indicators:** Not provided; malware typically resides in volatile memory on IoT devices.
- **Behavioral Indicators:** Sudden spikes in outbound bandwidth from local IoT devices relative to their normal baseline; outbound connection fan-out to many distinct internet hosts on telnet/HTTP ports (23, 2323, 80, 8080), which indicates the device is scanning for new victims; devices becoming unresponsive to management.
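The two behavioral indicators above, an outbound bandwidth spike and scanning fan-out on telnet/HTTP ports, can be checked from ordinary flow records (NetFlow, conntrack exports, firewall logs). The script below is an added example written for this report, not code from the source or from any of the named operations: it parses a simplified flow log whose format, IP addresses, log lines, and thresholds are all constructed for illustration, and flags hosts that exhibit either behavior.

```python
"""Flow-record triage for the two IoT-botnet behaviors described above.

Added example. Input format (assumed, one record per line):
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
Checks per source host:
  1. scanning fan-out: many distinct destinations on telnet/HTTP ports
     (23, 2323, 80, 8080) inside a short window;
  2. an outbound-bandwidth spike relative to the host's own earlier buckets.
All IPs, log lines and thresholds below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SCAN_PORTS = {23, 2323, 80, 8080}

# Constructed sample: a camera (.12) with a quiet baseline then a flood,
# a DVR (.30) sweeping 12 hosts on tcp/23 in 12 seconds, and a benign host (.40).
SAMPLE_LOG = "\n".join(
    [
        "2026-03-19T10:00:00Z 192.168.50.12 198.51.100.7 443 50000",
        "2026-03-19T10:01:00Z 192.168.50.12 198.51.100.7 443 50000",
        "2026-03-19T10:02:00Z 192.168.50.12 198.51.100.7 443 50000",
        "2026-03-19T10:03:00Z 192.168.50.12 203.0.113.9 443 5000000",
        "2026-03-19T10:04:00Z 192.168.50.40 198.51.100.20 80 8000",
        "2026-03-19T10:04:10Z 192.168.50.40 198.51.100.21 80 9000",
    ]
    + [f"2026-03-19T10:05:{i:02d}Z 192.168.50.30 203.0.113.{i + 1} 23 60"
       for i in range(12)]
)


def parse_flows(text):
    """Parse the assumed flow format into a list of dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return flows


def detect_scanning(flows, window_s=60, fanout=10):
    """Return {src: max_distinct_destinations} for hosts that reach `fanout`
    distinct destinations on SCAN_PORTS within any `window_s`-second window."""
    by_src = defaultdict(list)
    for f in flows:
        if f["port"] in SCAN_PORTS:
            by_src[f["src"]].append(f)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        best = 0
        for i, start in enumerate(recs):          # sliding window from each record
            dsts = set()
            for r in recs[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                dsts.add(r["dst"])
            best = max(best, len(dsts))
        if best >= fanout:
            hits[src] = best
    return hits


def detect_bandwidth_spike(flows, bucket_s=60, factor=10.0, min_buckets=3):
    """Return {src: (spike_bytes, baseline_bytes)} where a host's outbound bytes
    in one bucket exceed `factor` times the median of its earlier buckets.
    At least `min_buckets` earlier buckets are required to form a baseline."""
    buckets = defaultdict(lambda: defaultdict(int))
    for f in flows:
        buckets[f["src"]][int(f["ts"].timestamp()) // bucket_s] += f["bytes"]
    hits = {}
    for src, per_bucket in buckets.items():
        ordered = [per_bucket[k] for k in sorted(per_bucket)]
        for i in range(min_buckets, len(ordered)):
            base = median(ordered[:i])
            if base > 0 and ordered[i] > factor * base:
                hits[src] = (ordered[i], base)
                break
    return hits


def triage(text):
    """Run both detectors over a flow log and return the findings."""
    flows = parse_flows(text)
    return {"scanning": detect_scanning(flows),
            "bandwidth_spike": detect_bandwidth_spike(flows)}


if __name__ == "__main__":
    for kind, found in triage(SAMPLE_LOG).items():
        print(kind, found)
```

The spike detector compares each host against its own history rather than a fixed byte threshold, because a camera uploading 50 KB a minute and a NAS syncing gigabytes are both normal for their class; the fan-out detector is the cheaper and earlier signal, since a freshly infected device starts scanning long before it is tasked with a flood. On a real export the bucket size and the fan-out threshold should be tuned to the observed false-positive rate, and IoT VLAN exports should be reviewed separately from user segments.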
## Response Actions
- **Containment:** International seizure of C2 domains to prevent operators from sending commands.
- **Eradication:** Disruption of backend servers used to manage the bot fleets.
- **Recovery:** Mitigation of traffic for affected victims once C2 was severed.
## Lessons Learned
- **IoT Security Gap:** The continued shipment of devices with default passwords and no update-by-default mechanism provides an effectively unlimited recruitment pool for botnets; devices cleaned by a reboot are reinfected as long as the underlying weakness remains.
- **Scale of Attacks:** DDoS attacks have reached a "terabit-era" where individual organizations cannot defend against 30 Tbps without carrier-level intervention.
- **International Cooperation:** Complex botnet takedowns require multi-jurisdictional cooperation (US, Germany, Canada) to be effective.
## Recommendations
- **Device Hardening:** Change all default passwords on IoT devices immediately upon deployment.
- **Network Segmentation:** Place IoT devices (cameras, DVRs, routers' LAN-side services) on isolated VLANs. Block inbound access to their management interfaces from the public internet, disable UPnP port forwarding that can expose them automatically, and restrict their outbound traffic to the destinations they actually need, so that a compromised device can neither be reached by scanners nor scan and flood other networks.
- **Firmware Management:** Regularly audit and update firmware for all internet-facing hardware.
- **DDoS Mitigation:** Organizations should employ cloud-based scrubbing services capable of handling volumetric attacks exceeding several terabits per second.