A massive cyberattack Friday on a key internet routing company knocked offline major websites like Spotify, Twitter and The New York Times, as WikiLeaks supporters claimed credit.
But security researchers were quick to cast doubt on their boasts. The federal government has said it is investigating, declining to speculate on who is responsible.
Hacktivist groups Anonymous and New World said Friday afternoon that they were behind the digital siege, indicating it was retaliation for the Ecuadorian government’s decision to cut off internet access for WikiLeaks founder Julian Assange over his site’s ongoing leaks of alleged internal documents from Hillary Clinton’s presidential campaign.
“The specific target is anything big,” a New World Hackers representative using the alias Prophet said in a text message exchange with POLITICO. “We were testing our power at first.”
However, digital security researchers and U.S. officials preached caution, arguing there is still scant evidence to determine who is behind the attack and warning that both groups have falsely taken credit for high-profile attacks in the past.
Prophet passed POLITICO screenshots of the group’s work as evidence New World Hackers was behind the incident. But security firm Flashpoint, upon reviewing the image, proclaimed the hacker group "imposters."
The outages affected internet users across the U.S., and caused hundreds of sites to be inaccessible early in the morning on the East Coast, again around midday and then again after 4 p.m. EST.
White House press secretary Josh Earnest told reporters Friday afternoon that the Department of Homeland Security was "monitoring this situation" and would "take a close look at it.” He called the actions “malicious,” but wouldn’t speculate on who might be responsible.
"DHS and the FBI are aware and are investigating all potential causes,” a DHS spokeswoman told POLITICO.
Speaking on CNN, Rep. Adam Schiff, the top Democrat on the House Intelligence Committee, who explained that he had conferred with the administration, said, "We still don’t know who was responsible."
But based on what the administration has said publicly, Schiff said, “you would imply this was a cyberattack, not the result of some accidental technological malfunction.”
If that’s the case, the lawmaker vowed: "We’ll get to the bottom of where it came from and the figuring out, of course, the why, is also of vital importance.”
The outages come amid widespread concerns in the U.S. over an alleged Russian cyber campaign to disrupt the U.S. election. The Obama administration recently took the unprecedented step of blaming Moscow for directing hackers to meddle with the U.S. electoral process.
Intelligence officials said these Russian hackers infiltrated political organizations — including the Democratic National Committee and the Democratic Congressional Campaign Committee — and laundered their pilfered documents through digital fronts, including the hacker persona "Guccifer 2.0" and possibly WikiLeaks.
WikiLeaks’ latest release — a dump of Clinton campaign chairman John Podesta’s alleged personal emails — drove the Ecuadorian government to ax Julian Assange’s internet last weekend. The activist has been living in Ecuador’s London embassy since the country granted him diplomatic asylum in 2012.
There is no public evidence that Russia is involved in Friday’s outages.
The New World Hackers representative, Prophet, told POLITICO that the group has no linkage to Moscow.
“Russia is against the U.S. and we are against Russia," Prophet said.
New World Hackers has previously taken credit for cyberattacks that hit the Trump hotel chain and the Republican’s presidential campaign website in early 2016, as well as a DDoS attack that brought down Xbox Live.
Prophet insisted the attacks Friday had nothing to do with the U.S. election, and that the group was working with Anonymous to protest Assange’s loss of internet access.
“We don’t plan to do anything with the U.S. election, it’s not for us,” Prophet said.
WikiLeaks late Friday called on hackers to halt the digital onslaught.
"We ask supporters to stop taking down the US internet," the anti-secrecy group tweeted. "You proved your point."
Digital security researchers tracking Friday’s attacks advised against jumping to conclusions, arguing that there could be many explanations.
Nick Rossmann, senior project manager at FireEye, noted that New World Hackers have a history of falsely claiming attacks against high-profile entities. He also expressed doubt that the group has the capabilities to conduct an attack on such a scale.
Sean McBride, attack synthesis manager at FireEye iSight Intelligence, added that the assault could be part of a marketing pitch, where dark web hackers draw attention to their powerful abilities, then turn around and offer to sell the malware that powered the DDoS attack.
Global internet routing company Dyn began facing waves of cyberattacks earlier Friday morning. The company said the assaults took the form of a distributed denial-of-service (DDoS) attack, in which cyberattackers overwhelm networks with fake traffic.
Dyn said on its website that it originally began "monitoring and mitigating" an attack on its systems shortly after 7 a.m. EST. By around 9:20 a.m., all services had been restored, the hosting provider added.
But at 12:06 p.m., the company said that it had "begun monitoring and mitigating" a new DDoS attack on one of its key services.
The company said it fought off a third round around 4 p.m., and shortly after 6 p.m. it said it had fully resolved the incident. Nonetheless, senior employees said they were preparing for more attacks.
"We’ve seen three waves," said Kyle York, chief strategy officer at Dyn. "There’s no reason why we shouldn’t expect more.”
“We fully expect our teams to be digging in and continuing to do forensics throughout the weekend," he added.
York said that Dyn had been in contact with “the law enforcement community” but would not name the agencies.
Dyn is one of the major providers of Domain Name System services across the world. DNS connects the Internet Protocol addresses of servers hosting websites to the domain names — like google.com — that users type into their web browsers.
Several security researchers identified the malware known as Mirai, recently responsible for one of the largest denial-of-service attacks of all time, as being at least partly to blame for felling major websites today.
Mirai converts Internet of Things devices, like internet-connected cameras, into bots that help flood a target with traffic. The malware was used in a recent history-making attack that targeted the cybersecurity news outlet Krebs on Security.
Dyn confirmed the Mirai involvement, calling the assault "well planned and sophisticated," in a conference call with reporters.
The company said that 10 million Internet Protocol addresses — which identify devices online — were being used to flood its networks with traffic. But it cautioned that devices could, over time, have multiple addresses, meaning the comparison between devices and addresses was not exact.
It’s unclear whether Mirai is the only botnet being used in the incident.
Dale Drew, the chief security officer of Level 3, a major internet service provider, said today that his company had observed 10 percent of Mirai botnet nodes participating in the attack.
For its part, New World Hackers claimed "many botnets" were being used in the assault.
Amazon Web Services also experienced several disruptions related to its use of Dyn’s DNS services, but said it had resumed regular service shortly after 1 p.m.
Services like the code repository GitHub and the customer-relations software firm ZenDesk also announced issues stemming from the attack.
Martin Matishak, Tim Starks and Darren Samuelsohn contributed to this report.