Prolexic Exposes Utility Customer Hit by Massive DDoS Attack

Case Study Exposed Name of Utility Company Hit By Massive DDoS Attack in February

Prolexic, a Hollywood, Florida-based firm that specializes in anti-DDoS offerings to the corporate world, published a case study on Thursday outlining how they were able to stop a massive DDoS attack targeting a utility company that provides electric, water and sewer services in February.

The utility, as it turns out, was Jacksonville’s JEA.

The case study, which intended to keep Jacksonville’s JEA out of the picture, passively revealed their identity and possibly violated disclosure agreements with the security firm. JEA isn’t mentioned specifically, but Prolexic lifted the basic description used in place of JEA’s name directly from their website, making them easy to locate.

On February 17, around 12:00 a.m., JEA’s network was slammed with a Layer 4 DDoS attack. These types of attacks cause the targeted systems to check for connections that simply don’t exist, overloading the CPUs and eventually crashing all services and applications running on them. According to Prolexic, the attackers sent (at peak) 3.3 Gbps of traffic, topping off at 5.7 million packets per second (5.7 Mpps).

One day after the attacks started, JEA looked outside for help. It’s unknown how Prolexic won the DDoS mitigation services contract, but they did, and soon discovered that the DDoS attack originated within the U.S., and directly targeted the back-end IP addresses of JEA’s Internet-facing network.

On February 19, JEA told customers that their “system is being inundated with data” and that along with JEA.com, most of the utility’s Internet connectivity was out as well, preventing things such as email delivery. Moreover, 155,000 customers were impacted by the DDoS, as the online bill payment system and telephone system were also taken offline. The one good thing for customers concerned about disconnect notices was that JEA suspended service shutoffs due to non-payment during the event.

JEA, as their website explains, is located in Jacksonville, Florida and serves “an estimated 420,000 electric, 305,000 water and 230,000 sewer customers.”

This was the line used by Prolexic, taken word for word from JEA’s “About Us” section. Given that utilities usually don’t like to discuss their vendor relationships or details of attacks publicly (even in their aftermath), this PR and marketing mistake may be costly to Prolexic going forward.

Between the case study and JEA’s public notification, there is a discrepancy as to how long the attack lasted. Based on the press release and report from Prolexic, the attack ended “within minutes.” Yet JEA’s public notice, issued on day three of the attack timeline, says the attack was still taking place.

Other questions remain in this case as well, such as the significance (if any) of the attack originating within the U.S., which seems to rule out a state-sponsored attack. Also, no customer data was compromised during the incident, so aside from preventing JEA from using email and processing electronic payments, what were the intentions of the attacker(s)?

In response to an inquiry on being outed by Prolexic, a JEA spokesperson told SecurityWeek that while they were disappointed with the incident, they “remain confident in the services they are currently providing.”

The incident was resolved on Feb. 20 and the FBI was notified.

Updated 1:39PM ET with response from JEA.
