Friday's massive internet disruption came from hackers using an estimated 100,000 devices, many of which have been infected with a notorious malware that can take over cameras and DVRs, said DNS provider Dyn.
"We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets," Dyn said in a Wednesday blog post.
The malware known as Mirai had already been blamed for causing at least part of Friday's distributed denial-of-service attack, which targeted Dyn and slowed access to many popular sites in the U.S.
But on Wednesday, Dyn provided new findings, saying Mirai-infected devices were actually the primary source for Friday's internet disruption.
The statement also suggests that the hackers behind the attack may have been holding back. Companies have observed variants of the Mirai malware spreading to more than 500,000 devices built with weak default passwords, making them easy to infect.
Given that Friday's disruption involved only 100,000 devices, it's possible the hackers could have launched an even more powerful DDoS attack, said Ofer Gayer, a security researcher with Imperva, a DDoS mitigation provider.
"Maybe this was just a warning shot," he said. "Maybe [the hackers] knew it was enough and didn't need their full arsenal."
Hackers have typically used DDoS attacks to flood individual websites with an overwhelming amount of traffic, forcing them offline. Often times, the goal is extortion, Gayer said. But last Friday's attack stood out for targeting Dyn, a vital internet infrastructure provider, and slowing access to more than a dozen sites.
"Somebody actually pulled the trigger," Gayer said. "They built the largest botnet they could to take down the biggest targets."
In addition to Friday's incident, Imperva has noticed Mirai-powered botnets attacking its own website and those belonging to its clients. One attack in August was fairly large at 280 Gbps of traffic.
"Most companies will crumble at 10 Gbps. The biggest companies will crumble at 100 Gbps," Gayer said.
Imperva has also observed that many of the infected-Mirai devices were sourced to IP addresses in 164 countries, with a large number based in Vietnam, Brazil, and the U.S. Most of these devices are also CCTV cameras.
Although DDoS attacks are nothing new, Mirai-infected devices are able to launch exceptionally large assaults due to their sheer numbers and their access to high internet bandwidth connectivity. Last month, for instance, a Mirai botnet attacked a website owned by cybersecurity journalist Brian Krebs with 665 Gbps of traffic, temporarily taking it down.
It's still unclear who launched Friday's attack, but some security experts suspect that amateur hackers were involved. Late last month, the unknown developer of Mirai released its source code to the hacking community, meaning anyone with some hacking ability can use it.
Although Mirai has been blamed for much of last week's internet disruption, other botnets were also involved, according to internet backbone provider Level 3 Communications.
"We’ve seen at least one, maybe two behaviors that aren’t consistent with Mirai," Level 3 CSO Dale Drew said in an email.
It's possible the hackers behind Friday's attack used multiple botnets in order to avoid detection, the company added.