Updated at 6:15 p.m.
In the days leading up to the election, Donald Trump’s and Hillary Clinton’s campaign websites saw a series of brief surges in traffic. The visitors didn’t appear to be undecided voters—or human at all. Instead, according to cybersecurity researchers at Flashpoint, the hits came from a horde of internet-connected devices, controlled by a strain of the same malware that was used in the coordinated attack that slowed the internet up and down the East Coast of the United States last month.
The spikes in traffic were amateur attempts at launching denial-of-service attacks against the candidates’ websites, the researchers concluded. By sending a stampede of fake visitors through the front door in a very short amount of time, the attackers tried to bring down the campaign websites. They didn’t succeed, though: Neither website experienced an outage.
Flashpoint detected four attacks in the 48 hours before election day. All four of them targeted the donation page on Trump’s website, and the last one also took aim at Clinton’s. Each lasted only 30 seconds. There’s no evidence the attacks were coordinated—in fact, they were probably launched by competitors, according to John Costello, a senior analyst at Flashpoint.
Why were they so short? “The most likely explanation is that it is a probe to see if the site will go down,” said Allison Nixon, Flashpoint’s director of security research. “If it does, the attacker may push out longer attacks. In this case, no downtime was observed, and no longer attacks followed.”
Each of the attacks seemed to come from a different group. They were probably perpetrated by “unsophisticated actors” reusing publicly available malware, Nixon and two other Flashpoint security analysts wrote in a blog post published Monday evening.
The tool that powered the attacks is called Mirai. It works by exploiting weaknesses in certain internet-connected devices, like DVRs and webcams, in order to take control of a large number of them, turning them into “bots” in its “botnet.” Once a hacker is in command of an army of devices, he or she can direct it to send simultaneous internet requests to the same target, with the aim of to overloading it with traffic and shutting it down.
Mirai’s code was released on the internet last month. It was used in the massive attack on critical internet infrastructure that made certain sites totally inaccessible in late October. So why weren’t the attacks on Trump’s and Clinton’s campaign websites as devastating?
The brief duration of the attacks is probably one reason, but it might also have something to do with the wide distribution of Mirai itself. Now that Mirai is publicly available, a lot of hackers are vying for control over the same group of vulnerable devices. Instead of one, massive botnet, the devices are divided up into many small, competing botnets, making it harder for any one hacker to launch a massive attack.
That may not be true for long, though. The code is likely to evolve to exploit other vulnerable devices that Mirai doesn’t currently target, Nixon said.
Even though the attacks were trained on electoral targets, Flashpoint has determined that they probably weren’t the work of a state actor. Instead, it’s likely that run-of-the-mill hackers are taking advantage of a widespread fear of foreign tampering on election day to make a point in front of the whole world. (There’s no good way of knowing where the attackers are located.) “These hackers tend to be primarily motivated by the desire for attention, credibility, or ‘trolling’ via disruption and chaos,” the researchers wrote.
Actual election-related infrastructure remains unharmed.