
Could you be the target of a state-sponsored DDoS attack?

By Ziv Gadot
April 06, 2022

Please don’t panic, but there may be sovereign nations out there planning to cyber-attack you.

Why?

Before we answer that, let’s take a look at recent events:

  • Ukrainian government websites have been targeted in ongoing DDoS attacks since Russia’s invasion of the country on February 24. These followed similar attacks, attributed to the Russian government, against military and financial institutions in Ukraine less than ten days earlier.
  • The Russian government has been promoting the narrative that their networks are also facing DDoS attacks by foreign governments. While there is no evidence yet for this specific claim, private actors have launched such attacks on Russian websites and the Ukrainian government is openly coordinating hacktivists in what has been dubbed the “IT Army of Ukraine”.
  • On March 14, 2022, a massive cyber-attack – identified as the largest DDoS assault ever carried out against Israel – forced several Israeli government websites offline. The working assumption in Israel is that the attack was perpetrated by an enemy state, such as Iran, as part of a low-intensity war (being waged both physically and virtually).

DDoS attacks are relatively easy to generate, and because the traffic arrives from compromised third-party machines or spoofed source addresses, they leave little that can be traced back to whoever ordered them. A state-sponsored DDoS, which is more common than you might suspect, is generally a well-funded, orchestrated campaign executed by professionals. Such campaigns can be carried out by advanced persistent threat (APT) actors, which are typically state-backed groups conducting large-scale targeted intrusions for specific goals.

Some DDoS attacks are carried out by “mercenary” unaffiliated hackers, hired on the sly by a government to target its enemies. There is good evidence, for example, that Russia hires cyber “pirates” who agree to a moratorium on hitting Russian assets in exchange for services performed for Moscow.

Another possible marker of state-sponsored DDoS attacks is their size. They can be either network-layer (volumetric) or application-layer attacks, but when the level of targeted traffic exceeds hundreds of gigabits per second, you have a pattern more consistent with a state actor than with a typical hacktivist or criminal. Size is a signal rather than proof, though: criminal botnets built from compromised consumer devices have also produced attacks of this scale, so treat volume as one indicator alongside timing, target selection and political context. In 2020, for example, we at Red Button were involved in mitigating one of the largest volumetric attacks ever, with over 1.2 Tbps of hostile traffic.

Chaos anywhere, to undermine confidence everywhere

State-sponsored DDoS can be used to disrupt critical financial, health and infrastructure services in enemy countries. In many cases, the main goal of the state sponsor is to undermine the reputation of their adversary, regardless of the actual chaos they can create. This can serve their interest by undermining domestic and international confidence in the targeted state’s institutions, disrupting daily life, and bringing attention to the attacker’s political narrative.

To that end, state-sponsored attackers do not only focus on government agencies. They also often seek to disrupt high-profile commercial entities seen as a symbol of the targeted state in some way, such as banks, financial institutions, news outlets, large e-commerce sites and the like.

While the recent DDoS attack on Israel targeted the communications provider serving all websites under the gov.il domain, in Ukraine and Russia the alleged targets include financial institutions. Similarly, the allegedly Iran-backed Operation Ababil (OpAbabil) series of DDoS attacks in 2012, which we had a hand in combatting, targeted various private American financial institutions such as J.P. Morgan Chase.

The targets of such state-sponsored DDoS campaigns may even be third parties or organizations in countries believed to be supporting one side or another in an international conflict. Since the Russian invasion of Ukraine, for example, we have seen a growing concern among our clients regarding DDoS attacks in the US, Europe and Asia. Governments and major businesses that are not directly involved in the conflict are on alert, as it is hard to predict how far the cyber-warriors will go.

What should you do?

So, to return to our initial warning: Yes, you may be next. But there are a few things you can do to protect yourself.

  • Evaluate your organization’s vulnerability to DDoS attacks: which public services are exposed, which of them are single points of failure, and what mitigation capacity (upstream scrubbing, CDN, rate limiting) is already in place.
  • Run a controlled DDoS test. It almost always reveals opportunities for significant improvements to cyber-security, some as simple as a better configuration.
  • Write down the specific steps to be taken in the event of a DDoS attack, with responsibilities assigned in advance. Better now than in the heat of battle.
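As an added example, not from the original post or from Red Button, here is a small detector that a team could run over web-server access logs when evaluating its exposure or rehearsing the runbook above. The log lines are constructed inline and the thresholds are assumptions chosen for illustration. It shows a point the list does not spell out: a per-IP rate limit alone misses a distributed flood in which each source stays below the limit, so the aggregate rate and the per-prefix rate must be watched as well.

```python
"""Minimal layer-7 flood detector over Common Log Format access-log lines.

Added example; sample traffic, thresholds and the /24 aggregation are
assumptions made for illustration, not settings from the original post.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def build_sample_log():
    """Constructed sample: 10 s of normal traffic (two clients, 1 req/s each),
    then 5 s in which 50 hosts from 198.51.100.0/24 each send 4 req/s."""
    base = datetime(2022, 4, 6, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for s in range(15):
        t = base + timedelta(seconds=s)
        for ip in ("203.0.113.7", "203.0.113.8"):
            lines.append(fmt(ip, t, "/"))
        if s >= 10:  # flood starts at second 10
            for host in range(1, 51):
                lines.extend(fmt(f"198.51.100.{host}", t, "/search?q=x") for _ in range(4))
    return lines


def detect(lines, baseline_rps, spike_factor=5, per_ip_rps=20,
           per_prefix_rps=50, prefix_len=24):
    """Flag seconds whose aggregate rate exceeds spike_factor * baseline_rps,
    single IPs exceeding per_ip_rps, and /prefix_len blocks exceeding
    per_prefix_rps. baseline_rps should come from historical traffic."""
    per_second = Counter()
    per_ip_second = Counter()
    per_prefix_second = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the scan
        sec = rec["ts"].replace(microsecond=0)
        per_second[sec] += 1
        per_ip_second[(rec["ip"], sec)] += 1
        prefix = str(ip_network(f'{rec["ip"]}/{prefix_len}', strict=False))
        per_prefix_second[(prefix, sec)] += 1

    return {
        "spike_seconds": sorted(s for s, n in per_second.items()
                                if n > spike_factor * baseline_rps),
        "noisy_ips": sorted({ip for (ip, _), n in per_ip_second.items()
                             if n > per_ip_rps}),
        "noisy_prefixes": sorted({p for (p, _), n in per_prefix_second.items()
                                  if n > per_prefix_rps}),
    }


if __name__ == "__main__":
    result = detect(build_sample_log(), baseline_rps=2)
    print(f"{len(result['spike_seconds'])} seconds above the aggregate threshold")
    print("per-IP offenders:", result["noisy_ips"] or "none (each source stays under the limit)")
    print("per-/24 offenders:", result["noisy_prefixes"])
```

On the constructed sample the five flood seconds are flagged by the aggregate check and the 198.51.100.0/24 block is flagged by the prefix check, while the per-IP check reports nothing, because every flood host sends only 4 requests per second. That gap is exactly what a controlled test tends to expose in a configuration that relies on per-IP rate limiting alone.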

And most importantly, after you’ve taken these precautions, stay vigilant. But don’t worry – it’s not good for your health.