
Man sentenced, two others charged, in connection with Satori IoT botnet

A 22-year-old man from Vancouver, Washington, has been sentenced to a US federal prison for his role in the development of the Satori botnet, which launched distributed denial-of-service (DDoS) attacks from hijacked IoT devices.

The Satori botnet, based upon similar code to the notorious Mirai botnet, which knocked major websites offline in 2016, is thought to have compromised hundreds of thousands of IoT devices, exploiting vulnerabilities to infect even routers wrongly assumed to have been protected with strong passwords.

Kenneth Currin Schuchman, who used the online handle “Nexus-Zeta”, was sentenced yesterday to 13 months in prison, having previously pleaded guilty to charges under the Computer Fraud & Abuse Act. In addition, Schuchman has been ordered to serve 18 months of community confinement to help him address mental health and substance abuse issues, and a three-year term of supervised release.

After being initially charged in August 2018, Schuchman was released to pretrial supervision, but broke the terms of his release by making the astonishing decision to continue to create and operate a DDoS botnet, and to communicate with his co-conspirators.

In one Discord chat with a co-conspirator using the handle “Viktor”, Schuchman is reminded that he is not supposed to be using the internet without the supervision of his father.

The conversation is accompanied by a screen capture from Schuchman’s conditions of release.

Schuchman, who has already spent 13 months confined in a jail in Alaska, is not the only person of interest to law enforcement as it investigates the Satori botnet.

As Brian Krebs reports, minutes after Schuchman’s sentencing the US Department of Justice charged men from Canada and Northern Ireland for their alleged involvement in the Satori and related IoT botnets.

Aaron Sterritt, 20, from Larne, Northern Ireland and 31-year-old Logan Shwydiuk of Saskatoon, Canada are said by prosecutors to have built, maintained, and sold access to the botnets under their control.

Sterritt is particularly of interest. According to the Department of Justice he was a criminal associate of Schuchman, and used the aliases “Viktor” or “Vamp.” As a teenager he was involved in the high-profile hack of TalkTalk, sentenced to 50 hours community service, and – perhaps most painfully of all – ordered to write a letter apologising to the telecoms firm.

It’s no excuse for criminal behaviour, of course, but the Satori botnet would not have been capable of launching crippling DDoS attacks if it hadn’t successfully recruited vulnerable routers and other IoT devices to form part of its army.

Businesses and home users can play their part by ensuring that IoT devices are not using default or easy-to-crack passwords, are running the latest security patches, and are properly configured and defended to reduce the threat surface.

But there is also a need for manufacturers to build more secure devices in the first place, and to ensure that when a new vulnerability is discovered, a fix can be easily rolled out to protect customers and the rest of the internet.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.