Full Report
The post ‘Rapper Bot’ hit the Pentagon in at least 3 cyberattacks appeared first on CyberScoop.
Analysis Summary
# Incident Report: Botnet-Enabled Extortion Campaign Targeting DODIN
## Executive Summary
A large, high-capacity botnet known as "Rapper Bot" (also called CowBot or the Eleven Eleven Botnet) was used in a wide-scale DDoS extortion campaign against targets worldwide, including the Department of Defense Information Network (DODIN). The botnet was built from compromised Internet of Things (IoT) devices, which were directed to launch high-volume Distributed Denial of Service (DDoS) attacks. The campaign ran from April to August 2025; in August 2025 U.S. authorities took control of the botnet's infrastructure and charged its alleged operator, Ethan Foltz, ending the campaign.
## Incident Details
- Discovery Date: Not stated precisely in the source; DOD network defenders observed the attacks as they occurred (April to August 2025), and U.S. authorities took control of the botnet in August 2025.
- Incident Date: Attacks against DOD addresses occurred between April 2025 and August 2025. The botnet itself has been active since at least 2021.
- Affected Organization: Department of Defense Information Network (DODIN), along with technology companies and a social media platform.
- Sector: Government/Defense (DOD); the wider campaign also hit the technology sector.
- Geography: Infected devices worldwide, most heavily concentrated in China, Japan, the United States, Ireland, and Hong Kong.
## Timeline of Events
### Initial Access
- Date/Time: Device recruitment has been ongoing since at least 2021; the incident window covered by this report is April to August 2025.
- Vector: Infection of Internet of Things (IoT) devices (the source lists iPads, appliances, digital video recorders, and WiFi routers).
- Details: Infected devices were enrolled in the botnet and commanded to send large volumes of traffic at victim addresses.
### Lateral Movement
- Not applicable to the DODIN victim: the botnet did not intrude into the network, and the impact came entirely from external volumetric DDoS. The attack's scale derived from the size of the compromised IoT population, not from movement inside any victim.
### Data Exfiltration/Impact
- Impact: Volumetric Distributed Denial of Service (DDoS) attacks intended to deny service and communications. At least three distinct DDoS attacks targeted DOD IP addresses on DODIN during the window. Across the botnet's campaign as a whole, the largest attacks may have exceeded six terabits per second. No data was accessed or exfiltrated.
### Detection & Response
- **Detection:** DOD's network defenders, who routinely contend with botnet-driven DDoS against DODIN, detected and handled the attacks as they occurred. The broader campaign ended when U.S. authorities took control of the botnet's infrastructure in August 2025.
- **Response Actions:** On August 19, 2025, federal prosecutors in Alaska charged 22-year-old Ethan Foltz with running the operation, which together with the infrastructure takeover disrupted the botnet.
## Attack Methodology
- Initial Access: Compromise of IoT devices worldwide for recruitment into the botnet (the victims themselves were not intruded upon).
- Persistence: Continued command of infected IoT devices through the botnet's control infrastructure.
- Privilege Escalation: Not applicable; the attack was volume-based DDoS from outside, not an intrusion into victim networks.
- Defense Evasion: Attack traffic originated from 65,000 to 95,000 unique devices spread across many countries, which obscures the true source and defeats simple per-source blocking.
- Credential Access: Not applicable (DDoS only).
- Discovery: Not applicable (DDoS only).
- Lateral Movement: Not applicable (DDoS only).
- Collection: Not applicable (DDoS only).
- Exfiltration: Not applicable; the action on objective was denial of service, not data theft.
- Impact: Denial of service against victim addresses (volumetric DDoS), with extortion of victims as the motive.
## Impact Assessment
- Financial: According to the source, a DDoS attack averaging over two terabits per second for 30 seconds could cost a victim between $500 and $10,000. Across the roughly 18,000 victims of the campaign the aggregate cost is substantial but has not been quantified.
- Data Breach: None reported; the attack mechanism was volumetric DDoS with no access to victim data.
- Operational: At least three instances of DDoS against DOD IP addresses on DODIN; the source reports that DOD defenders handled them.
- Reputational: Limited; details of the DOD attacks became public only after the botnet's disruption, and the source reports no lasting public-facing impact.
## Indicators of Compromise
*Note: The source publishes no IP addresses, domains, or file hashes for Rapper Bot; the indicators below describe the characteristics of its attack traffic.*
- **Network Indicators:** Aggregate attack traffic toward a victim reported above two terabits per second, and possibly above six; very large numbers of concurrent sources, i.e., compromised IoT devices distributed across many countries.
- **File Indicators:** None published in the source.
- **Behavioral Indicators:** Sustained, high-rate traffic from tens of thousands of sources directed at a victim's addresses, saturating link or service capacity.
## Response Actions
- **Containment Measures:** The wider Rapper Bot infrastructure was neutralized when U.S. authorities took control of the botnet in August 2025.
- **Eradication Steps:** The alleged administrator, Ethan Foltz, was charged in federal court in Alaska on August 19, 2025.
- **Recovery Actions:** DOD's network defense team handled the three reported attacks, and the source reports no lasting disruption to DODIN.
## Lessons Learned
- **Key Takeaways:** Botnets built from vulnerable IoT devices can generate multi-terabit attacks that threaten even heavily defended networks such as DODIN. Rapper Bot was described as "among the most powerful DDoS botnets to have ever existed."
- **What could have been done better:** DOD defended against these specific attacks, but the botnet's continued growth since 2021 shows that IoT security remains weak across the wider internet, including in critical infrastructure and the defense supply chain. Because the attack capacity lives in other people's devices, a victim's own hardening only limits impact; reducing the attack capacity itself requires fixing the IoT ecosystem.
## Recommendations
- Monitor for sudden spikes in aggregate traffic toward a single destination that originate from many sources spread across many countries, the signature of a botnet-driven volumetric DDoS, and confirm that upstream capacity and mitigation arrangements can absorb multi-terabit events.
- Continue to secure and monitor Internet of Things (IoT) assets connected to or interacting with enterprise and government networks so that they cannot be recruited into botnets.
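The behavioral indicators above and the monitoring recommendation describe the same signal: a sudden, very large volume of traffic toward one destination from many sources spread across many countries. The following added example (not code from the CyberScoop report or from the Rapper Bot investigation) shows how that signal can be computed from NetFlow-style records with a sliding one-second window. The flow records, the thresholds, and the prefix-to-country table standing in for a GeoIP lookup are all constructed for the demonstration.

```python
"""Sliding-window detector for distributed volumetric DDoS.

Added example for this report. Flags a destination when, within one window,
(a) aggregate bits per second exceed a threshold, (b) the number of distinct
sources is large, and (c) those sources span several countries. A single
heavy sender (a backup, a large download) trips (a) but not (b)/(c) and is
left alone. All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    nbytes: int    # bytes carried by this flow record


# Constructed stand-in for a GeoIP lookup: first two octets -> country code.
GEO_BY_PREFIX = {
    "203.0": "CN", "198.51": "JP", "192.0": "US",
    "100.64": "IE", "172.16": "HK", "10.0": "US",
}


def country_of(ip: str) -> str:
    """Map an address to a country via the constructed prefix table."""
    prefix = ".".join(ip.split(".")[:2])
    return GEO_BY_PREFIX.get(prefix, "??")


@dataclass(frozen=True)
class Thresholds:
    min_bps: float = 1e9      # 1 Gb/s aggregate toward one destination
    min_sources: int = 50     # distinct sources in the window
    min_countries: int = 3    # distinct countries among those sources
    window_s: float = 1.0     # window length in seconds


def detect_volumetric(flows, th=Thresholds()):
    """Return alerts as (window_start, dst, bps, n_sources, n_countries)."""
    buckets = defaultdict(list)            # (window index, dst) -> flows
    for f in flows:
        buckets[(int(f.ts // th.window_s), f.dst)].append(f)
    alerts = []
    for (widx, dst), fl in sorted(buckets.items()):
        bps = sum(f.nbytes for f in fl) * 8 / th.window_s
        sources = {f.src for f in fl}
        countries = {country_of(s) for s in sources}
        if (bps >= th.min_bps and len(sources) >= th.min_sources
                and len(countries) >= th.min_countries):
            alerts.append((widx * th.window_s, dst, bps,
                           len(sources), len(countries)))
    return alerts


def synthetic_flows():
    """Constructed capture: benign traffic, one heavy sender, then a flood."""
    flows = []
    # t=0..2s: twenty internal hosts, modest volume (about 24 Mb/s total)
    for i in range(20):
        flows.append(Flow(0.1 * i, f"10.0.0.{i}", "192.0.2.10", 150_000))
    # t=2s: one host pushing 1.6 Gb/s (a bulk transfer, not an attack)
    for i in range(10):
        flows.append(Flow(2.0 + 0.05 * i, "10.0.1.1", "192.0.2.10",
                          20_000_000))
    # t=5s: 200 sources across five prefixes (five countries), 1.6 Gb/s
    prefixes = ["203.0", "198.51", "192.0", "100.64", "172.16"]
    for i in range(200):
        src = f"{prefixes[i % 5]}.{i // 5}.{i % 250 + 1}"
        flows.append(Flow(5.0 + 0.004 * i, src, "192.0.2.10", 1_000_000))
    return flows


if __name__ == "__main__":
    for start, dst, bps, n_src, n_cc in detect_volumetric(synthetic_flows()):
        print(f"t={start:.0f}s dst={dst} {bps / 1e9:.2f} Gb/s "
              f"from {n_src} sources in {n_cc} countries")
```

Only the window at t=5s is reported: the t=2s window carries the same 1.6 Gb/s but from a single source in a single country, which is exactly the distinction the source-diversity conditions are there to make. In production the threshold for `min_bps` would be set relative to the destination's normal peak rather than as a fixed constant, and the GeoIP table would come from a real database.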