Case Study Exposed Name of Utility Company Hit By Massive DDoS Attack in February
Prolexic, a Hollywood, Florida-based firm that specializes in anti-DDoS offerings to the corporate world, published a case study on Thursday outlining how they were able to stop a massive DDoS attack in February that targeted a utility company providing electric, water and sewer services.
The utility, as it turns out, was Jacksonville’s JEA.
The case study, which was intended to keep Jacksonville’s JEA out of the picture, passively revealed their identity and possibly violated disclosure agreements with the security firm. JEA isn’t mentioned specifically, but Prolexic lifted the basic description used in place of JEA’s name directly from their website, making them easy to locate.
On February 17, around 12:00 a.m., JEA’s network was slammed with a Layer 4 DDoS attack. These types of attacks cause the targeted systems to check for connections that simply don’t exist, creating an overload on the CPUs and eventually crashing all services and applications running on them. According to Prolexic, the attackers sent (at peak) 3.3 Gbps of traffic, topping off at 5.7 million packets per second (5.7 Mpps).
One day after the attacks started, JEA looked outside for help. It’s unknown how Prolexic won the DDoS mitigation services contract, but they did, and soon discovered that the DDoS attack originated within the U.S. and directly targeted the back-end IP addresses of JEA’s Internet-facing network.
On February 19, JEA told customers that their “system is being inundated with data” and that along with JEA.com, most of the utility’s Internet connectivity was out as well, preventing things such as email delivery. Moreover, 155,000 customers were impacted by the DDoS, as the online bill payment system and telephone system were also taken offline. The one good thing for customers concerned about disconnect notices was that JEA suspended service shutoffs due to non-payment during the event.
JEA, as their website explains, is located in Jacksonville, Florida and serves “an estimated 420,000 electric, 305,000 water and 230,000 sewer customers.”
This was the line used by Prolexic, taken word for word from JEA’s “About Us” section. Given that utilities usually don’t like to publicly discuss their vendor relationships or details of attacks (even in their aftermath), this PR and marketing mistake may be costly to Prolexic going forward.
Between the case study and JEA’s public notification, there is a discrepancy as to how long the attack lasted. Based on the press release and report from Prolexic, the attack ended “within minutes.” Yet JEA’s public notice, issued on day three of the attack timeline, says the attack was still taking place.
Other questions remain in this case as well, such as the significance (if any) of the attack originating within the U.S., which seems to rule out a state-sponsored attack. Also, no customer data was compromised during the incident, so aside from preventing JEA from using email and processing electronic payments, what were the intentions of the attacker(s)?
In response to an inquiry on being outed by Prolexic, a JEA spokesperson told SecurityWeek that while they were disappointed with the incident, they “remain confident in the services they are currently providing.”
The incident was resolved on Feb. 20 and the FBI was notified.
Updated 1:39PM ET with response from JEA.