
DDoS Hacktivism is Back With a Geopolitical Vengeance

DDoS attacks have evolved from social protests through criminal extortion, hack attack smokescreens and competitor suppression to geopolitical vengeance.


Distributed denial of service (DDoS) attacks have evolved from social protests through criminal extortion, hack attack smokescreens and competitor suppression to geopolitical vengeance. All these drivers currently coexist, but aggressive geopolitical revenge now dominates.

This is the primary conclusion to be drawn from StormWall’s Q4 2023 review of global DDoS attacks. StormWall, based in Bratislava, Slovakia, offers a DDoS protection service delivered through a global network of scrubbing centers.

The effect of geopolitics is clearly seen in the timing and volume of current attacks against Israel. In Q3 2023, less than 1% of global attacks targeted Israel. But following the Hamas raid on October 7, 2023, and the retaliatory invasion of Gaza by the Israeli military, this figure leapt to 10.6%, with attack sizes ranging from 1.2 Gbps to 135 Gbps and durations from a few minutes to 24 hours. In Q4 2023, tiny Israel became the fourth most DDoS-attacked nation in the world, behind China (12.6%), USA (12.2%) and India (11.7%).

Other indications of a geopolitical motivation behind DDoS attacks can be seen in the individual targets. StormWall’s figures show that government (21% of attacks), retail (17%), telecommunications (15%), finance (12%), and energy (9%) are the five most attacked sectors. All but retail could be described as mainstream critical infrastructure and are primary targets for any attacker wishing to inflict economic damage and disturbance on an enemy. These targets further support the idea that DDoS hacktivism is now largely driven by geopolitical vengeance.

Retail is a bit of an anomaly. Attacking individual shops or retail chains would disrupt the companies, but not the economy. Compare the economic effect to that of taking down large swathes of the internet through targeting telecommunications.

Retail's Q4 figures are skewed by the holiday season, but the sector remains an anomaly. StormWall suggests that retail DDoS numbers are inflated by attacks with a non-geopolitical motive: over-aggressive competitors.

It is impossible to determine the individual actors behind a DDoS attack without a public claim of responsibility (Killnet?). Only the target is clear. However, in the same way that malware researchers detect clues allowing them to suggest ‘with some confidence, we believe that nnn group is behind this attack’, so too can DDoS defenders point the finger in general directions.

In the case of retail, StormWall CMO, Daniil Korolev, told SecurityWeek that monitoring the IT Army of Ukraine (the world’s largest semi-visible group of geopolitical activists) shows no geopolitical interest in targeting retail. “These guys have certain patterns in their attacks. By cross examination we can deduce they have almost zero interest in retail. You can be pretty sure that retail is attacked by competitors because they are never of interest to a hacktivist group — they’re just not that interesting.” 


If not geopolitics, what motivations remain? The primary options are criminals for extortion (the loss of e-commerce sales during the holiday season could be critical), and unfair competitors.

Further indications of the vengeance motive can be seen in the dominance of government as an attack sector, and the rapid rise of the energy sector. Twenty-one percent of all attacks were against the government sector, with a 162% year on year increase. “These attacks, first focused mostly on Europe, have now spread to the Middle East due to the Israel-Palestine conflict,” says StormWall. European targets were probably in response to UK and EU support for Ukraine, but the focus has now shifted to Israel.

The energy sector has also seen an escalation in attacks – a 109% increase year on year, now representing 9% of all attacks. The energy sector serves as both a target for, and a source of, DDoS attacks. “Attackers are also targeting IoT devices used in energy plant operations to initiate further botnet attacks,” warns StormWall.

Eighty-six percent of all attacks were HTTP/HTTPS attacks, while 9% targeted TCP/UDP. However, StormWall calls attention to the growth in DNS laundering (where attackers bombard DNS servers with requests for random, never-cached subdomains so that every query reaches the authoritative server), and in mDNS amplification attacks, which abuse the multicast DNS local-network protocol to multiply attack traffic.
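The DNS laundering technique above has a simple defender-side signature: under a flood of random subdomains, almost every query name for the affected zone is unique and the labels look like random strings. The following detector is an added illustration, not StormWall's tooling or code from the article; it runs over a handful of constructed, BIND-style query log lines and reports zones whose distinct-label ratio and label entropy both look abnormal. The two-label zone split and the thresholds are simplifying assumptions for the example.

```python
"""Flag zones whose query pattern looks like a DNS random-subdomain flood.

Added example (not from the article). Signals used per zone:
  * unique_ratio  - distinct subdomain labels / total queries (floods approach 1.0)
  * mean_entropy  - mean Shannon entropy of the labels (random labels score high)
"""
from collections import defaultdict
import math
import re

# Constructed sample log lines approximating BIND's query log format:
# "<time> client <ip>#<port>: query: <qname> IN <qtype>"
SAMPLE_LOG = """\
12:00:01 client 198.51.100.7#51234: query: www.example.net IN A
12:00:01 client 198.51.100.7#51235: query: mail.example.net IN MX
12:00:02 client 203.0.113.9#40001: query: x7k2q9vb1m.example.org IN A
12:00:02 client 203.0.113.9#40002: query: p0zt4rhw8c.example.org IN A
12:00:02 client 203.0.113.10#40003: query: qa91ldmv3x.example.org IN A
12:00:02 client 203.0.113.11#40004: query: n5c8wbz0ty.example.org IN A
12:00:03 client 203.0.113.12#40005: query: e3ryk7ju2d.example.org IN A
12:00:03 client 203.0.113.13#40006: query: vb6hq1mz9s.example.org IN A
12:00:03 client 198.51.100.8#51236: query: www.example.net IN A
12:00:03 client 198.51.100.9#51237: query: www.example.net IN AAAA
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of a label; 'www' -> 0.0, random -> ~3.3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname: str):
    """Return (leftmost label, zone), assuming a two-label zone such as example.org.
    Assumption for the example: a real deployment would consult a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def analyse(log_text: str) -> dict:
    """Per-zone statistics: total queries, distinct labels, unique ratio, mean entropy."""
    per_zone_labels = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip non-query lines
        label, zone = split_zone(m.group("qname"))
        per_zone_labels[zone].append(label)

    stats = {}
    for zone, labels in per_zone_labels.items():
        sub = [lab for lab in labels if lab is not None]
        total = len(labels)
        distinct = len(set(sub))
        mean_ent = sum(shannon_entropy(lab) for lab in sub) / len(sub) if sub else 0.0
        stats[zone] = {
            "queries": total,
            "distinct_labels": distinct,
            "unique_ratio": distinct / total if total else 0.0,
            "mean_entropy": mean_ent,
        }
    return stats


def flag_zones(stats: dict, min_queries: int = 5,
               ratio_threshold: float = 0.9, entropy_threshold: float = 3.0) -> list:
    """Zones with enough queries whose labels are almost all unique and high-entropy."""
    return sorted(
        zone for zone, s in stats.items()
        if s["queries"] >= min_queries
        and s["unique_ratio"] >= ratio_threshold
        and s["mean_entropy"] >= entropy_threshold
    )


if __name__ == "__main__":
    zone_stats = analyse(SAMPLE_LOG)
    for zone, s in zone_stats.items():
        print(f"{zone}: {s}")
    print("suspect zones:", flag_zones(zone_stats))
```

In the constructed sample, example.net shows ordinary repeated names and is not flagged, while example.org shows six distinct ten-character labels in two seconds and is. A production version would evaluate these ratios over a sliding time window and pair the alert with a mitigation such as rate-limiting queries for the zone or answering unknown labels from a synthesised negative cache.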

[Figure: Attacks by sector]

More specifically, the firm notes, “There’s been an increase in botnet, DNS amplification, and multi-vector attacks. Notably, Hyper-Volumetric HTTP DDoS attacks exploited the HTTP/2 rapid reset flaw.” Most of the attacks are short in duration, lasting less than 30 minutes. Such attacks are often designed to test the target’s defenses before a larger assault is launched.
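The HTTP/2 rapid reset pattern mentioned above is visible to a server as a client that opens streams with HEADERS and cancels each one with RST_STREAM almost immediately, so the server performs the work of many requests while the client never exceeds its concurrent-stream limit. The following per-connection check is an added example, not StormWall's or any HTTP/2 library's code; it replays a constructed list of frame events and reports connections whose streams are overwhelmingly reset within a few milliseconds of being opened. The frame-event tuple layout, the lifetime cutoff and the thresholds are assumptions for the example.

```python
"""Flag HTTP/2 connections exhibiting rapid-reset behaviour.

Added example (not from the article). Input is a list of constructed frame
events: (timestamp_ms, connection_id, frame_type, stream_id).
"""
from collections import defaultdict

# Constructed frame events. c1 is a normal client completing two requests;
# c2 opens 100 streams and resets each one 1 ms after opening it.
SAMPLE_FRAMES = [
    (0, "c1", "HEADERS", 1), (40, "c1", "END_STREAM", 1),
    (50, "c1", "HEADERS", 3), (95, "c1", "END_STREAM", 3),
] + [
    frame
    for i in range(100)
    for frame in ((i * 2, "c2", "HEADERS", 2 * i + 1),
                  (i * 2 + 1, "c2", "RST_STREAM", 2 * i + 1))
]


def rapid_resets_per_connection(frames, max_lifetime_ms=10):
    """Per connection: streams opened and streams reset within max_lifetime_ms.

    A stream counts as a rapid reset when its RST_STREAM arrives no more than
    max_lifetime_ms after the HEADERS frame that opened it.
    """
    opened = {}                    # (conn, stream_id) -> open timestamp
    streams = defaultdict(int)     # conn -> streams opened
    rapid = defaultdict(int)       # conn -> rapid resets
    for ts, conn, ftype, sid in sorted(frames):
        key = (conn, sid)
        if ftype == "HEADERS":
            opened[key] = ts
            streams[conn] += 1
        elif ftype == "RST_STREAM":
            t0 = opened.pop(key, None)
            if t0 is not None and ts - t0 <= max_lifetime_ms:
                rapid[conn] += 1
        else:
            opened.pop(key, None)  # stream finished normally
    return {c: {"streams": streams[c], "rapid_resets": rapid[c]} for c in streams}


def flag_connections(stats, min_streams=20, min_reset_fraction=0.8):
    """Connections with enough streams where most were rapidly reset.

    min_streams keeps a client that legitimately cancels a couple of requests
    from being flagged; the fraction catches the open/cancel loop.
    """
    return sorted(
        c for c, s in stats.items()
        if s["streams"] >= min_streams
        and s["rapid_resets"] / s["streams"] >= min_reset_fraction
    )


if __name__ == "__main__":
    conn_stats = rapid_resets_per_connection(SAMPLE_FRAMES)
    for conn, s in conn_stats.items():
        print(f"{conn}: {s}")
    print("connections to throttle or close:", flag_connections(conn_stats))
```

The usual mitigation once a connection is flagged is to stop accepting new streams on it or close it outright; production servers apply this over a sliding window rather than across the whole connection lifetime, since a long-lived connection may accumulate many benign cancellations.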

Nobody is immune from a DDoS attack. While geopolitics dominates the attack motivation, it is not the only motivation. The entertainment industry is still subject to criminal extortion. The retail, finance, and logistics sectors all saw a spike in attacks during key shopping periods like Black Friday and the Christmas-New Year season, “often driven by competitors”, suggests StormWall.

“Our data from Q4 2024 clearly demonstrates how quickly the threat landscape can evolve in response to global events,” warns Ramil Khantimirov, CEO and co-founder of StormWall. “If online infrastructures aren’t prepared now, setting up DDoS protection becomes much harder once they’re targeted.” Preparation to defend against DDoS is a better tactic than hope.

Related: Were 3 Million Toothbrushes Really Used for a DDoS Attack?

Related: MySQL Servers, Docker Hosts Infected With DDoS Malware

Related: Major ChatGPT Outage Caused by DDoS Attack

Related: Organizations Respond to HTTP/2 Zero-Day Exploited for DDoS Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
