Botnets May Be Known for DDoS, But They Could Also Manipulate Energy Prices
It’s widely known that botnets are commonly used to launch Distributed Denial of Service (DDoS) attacks, but researchers recently demonstrated that threat actors could use them to artificially increase or decrease utility power demand in certain areas, to manipulate the valuation of a tradeable entity. At this month’s Black Hat 2020 conference, researchers from the Georgia Institute of Technology presented a paper, “IoT Skimmer: Energy Market Manipulation through High-Wattage IoT Botnets,” that describes how threat actors could use sophisticated botnets to control high-powered IoT devices, thereby creating electricity demand volatility and a “deliberate and malicious interference with market values.”

According to GovInfoSecurity, “To achieve this, threat actors would need to infect at least 500,000 IoT devices with malware, such as Mirai, the researchers note. The attackers could then artificially increase or decrease power demand within a certain area by regularly switching these devices on and off, the researchers say.” Researchers wrote that high-powered devices include: IoT-connected refrigerators, garage door openers, air conditioners, and heaters.

In theory, nation-states could leverage such attacks to wreak economic havoc, while other threat actors may aim to make money by short-selling (buy low, sell high) shares in the impacted utilities. The researchers estimated that a malicious market player in the U.S. could generate $24 million in yearly profit, while a determined nation-state hacker could cause a loss of $350 million per year to U.S. electrical utilities.

However, to influence electricity commodities, threat actors would need sophisticated knowledge of how the utility markets work; in other words, it is much more complicated than using a botnet to randomly reduce or increase the demand on a utility generator. The perpetrators of such an elaborate scheme would still need to build new botnets with the required capabilities. Because the bot owner can typically program such botnets to carry out whatever tasks they choose, it is likely they would also be leveraged for launching damaging DDoS attacks, further fueling the availability of DDoS-for-hire services. The researchers theorized that a successful market manipulation would require a botnet of 50,000 devices, which could be rented for $4,000 per month. That is a small investment, considering the potential profit of millions of dollars per day.

One thing is clear: DDoS-for-hire services on the Dark Web have a potential new business stream for their botnets; this gives bad actors more financial incentive to build botnets that can also be used for damaging DDoS attacks. The result? Botnets are likely to increase, and so are DDoS attacks. Any organization that depends on the Internet to provide its services should take the DDoS threat seriously, and enable an always-on, automated DDoS defense solution.

Fortunately, the energy market manipulation attack has not yet been seen in the wild; let’s hope this research doesn’t give cybercriminals further motivation or ideas. The researchers’ aim was to bring this potential threat to the attention of market operators, so they also recommended countermeasures, including the establishment of a real-time IoT monitoring database and data privacy plans.

The ideal solution would be to prevent the formation of such botnets in the first place, but, as mentioned in previous blog posts, that is unlikely given the poor security posture of the vast majority of IoT devices. Here are the trends that various stakeholders and end-users can strive towards:

  1. Greater success among law enforcement agencies in prosecuting/dismantling DDoS-for-hire operations;
  2. Increased compliance among global users regarding changing the default passwords on their IoT devices and installing security patches/updates;
  3. Improved built-in security architecture for IoT devices.

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, see our website. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.