Critical infrastructure sectors including banking, financial services, government, and public utilities such as energy providers, experienced a 55% increase in distributed denial-of-service (DDoS) attacks over the past four years, according to a new report.
Released just days after the revelation of the largest-ever DDoS attack, the Netscout report found that many of these attacks use different vectors, targeting both the application and network layers, and some are intentionally kept small to fall under the typical mitigation thresholds of upstream service providers.
“Recently, we highlighted the activities of geopolitically motivated hacktivists and their coordinated DDoS attack efforts,” network performance monitoring firm Netscout said in its 1H2024 DDoS Threat Intelligence Report. “These threat actors have increasingly expanded their focus to include more specific critical infrastructure targets, resulting in a marked increase in the frequency and intensity of daily attacks.”
Critical infrastructure, also known as operational technology (OT), has been an increasingly urgent focus of the security industry as attacks against power plants, water systems, and other essential systems continue to rise. The national cybersecurity agencies of nine countries — Australia, the US, the UK, Canada, New Zealand, Germany, the Netherlands, Japan, and South Korea — recently endorsed new guidelines that urge organizations managing OT networks to address their threat levels.
Increased hacktivist activities, some of them originating in Russia, have been primarily responsible for a 43% increase in application layer attacks during the first six months of 2024 compared to the same period in 2023, according to Netscout’s telemetry data. During the first half of 2024, the company’s ASERT team also recorded a 30% rise in volumetric attacks that aim to saturate the victim’s network resources, with an average of around 41,000 DDoS attacks every day. These attacks used both amplification and reflection techniques as well as direct-path traffic from large botnets.
Application layer attacks usually target application communication protocols, most commonly HTTP/S in the case of web applications. The goal is to send a very large number of HTTP GET or POST requests to overwhelm the web server’s ability to respond to legitimate requests. These are also known as HTTP floods and are usually measured in requests per second (rps).
One pro-Russia hacktivist group that is increasingly focused on such attacks is NoName057(16). This group sprang up in 2022 with the development of a DDoS attack toolkit called DDoSia that’s written in Go and supports multiple operating systems and CPU architectures, allowing its deployment on a wide variety of compromised systems.
NoName057(16) relies on other users who support the Russian government to deploy DDoSia, making it a community effort. As of 2023, the toolkit had over 10,000 users and its Telegram channel had more than 40,000 subscribers. NoName057(16) even provides cryptocurrency incentives to grow the botnet and the targets it chooses are primarily based in Ukraine and NATO countries that provide support to Ukraine.
According to Netscout’s data, during the first half of 2021, public utilities were the second most targeted organizations by NoName057(16) after banks and financial services firms. Manufacturing and insurance were also among the group’s top targets.
Another Russian hacktivist group that weaponizes DDoS is called the Cyber Army of Russia, which has also been operating since 2022. During the first six months of this year, public utilities were the most common target for this group based on Netscout’s data. In July, the US Treasury and State Departments put two members of this group on the sanctions list citing their roles in cyber operations against U.S. critical infrastructure entities.
A third pro-Kremlin hacktivist group that showed up high on the radar in H1 2014 is Anonymous Russia, a group that was once associated with the much more notorious Killnet, another Russian hacking collective that regularly targets Western infrastructure.
Other groups tracked by Netscout that targeted critical infrastructure sectors this year include SYLHET GANG-SG, Bangladesh dark net, CyberDragon, EXECUTOR DDOS, GARUDA FROM CYBER, NIXON CYBER TEAM, RipperSec, and ANON SEC BD.
“These hacktivist groups tend to target specific industries and countries making statements about or giving support to their perceived enemies on the world stage of politics, but they often pick the specific victims arbitrarily,” the ASERT team said in their report. “This means that although we can track the overall trends and expectations of a group to go after a country or industry, it’s nearly impossible to predict ahead of time which websites or individual network resources may be targeted.”
On top of DDoS attacks using a variety of protocols and techniques, other attacks such as brute-force password guessing attempts or exploitation attempts can also result in denial of service if the target application is not designed to handle traffic spikes.
Netscout also notes that while some attacks launched by these groups peak at over 100 Gbps, many others are around 1 Gbps and 330 kpps, so they sometimes fall under the mitigation thresholds of upstream providers and cloud scrubbing centers and reach their intended targets.
This does not mean that these attacks don’t have an impact on some small networks and applications. For example, a device’s remote management interface or a purpose-built API for gathering sensor data is not meant to see large amounts of traffic because they are not general-purpose websites.
“Local investigations of the aggregated attack impact per network type revealed that networks with typically lower traffic loads (such as government or nonprofit organizations) report peak attack volumes on the same scale as those experienced by high-traffic networks (such as content and service providers),” the Netscout researchers said. “This indicates that the relative surge in traffic during attacks is significantly higher for lower-traffic networks (≥4 orders of magnitude) compared with high-traffic networks (3 orders of magnitude).”
While DDoS botnets are not new, there is a constant effort by the security industry to track down their command-and-control (C2) servers and shut them down. However, some attackers are adapting by trying to better hide their C2 servers.
For example, a new DDoS botnet written in Go called Zergeca is using DNS over HTTPS (DoH) through the OpenNIC DNS infrastructure in order to resolve its C2 hostnames. This makes it harder for defenders to identify botnet nodes, the ASERT researchers said.
Another botnet that similarly uses DNS-based obfuscation is Aterna or CatDDoS, a botnet that’s based on a variant of the Mirai malware that has been publicly available for years. Other attackers have switched to using botnet attack nodes for C2 purposes as well, this dual use providing better resiliency against takedown attempts.
“Adversaries are forced to adapt to the changes in security posture to succeed in launching effective DDoS attacks,” the researchers said. “In the first half of 2024, there was a significant surge in compromised, botted devices globally, with ASERT observing a nearly 50 percent increase in the numbers of these attack assets in the Asia-Pacific region over the past six months.”
Aside from using a DDoS mitigation service, organizations should build their own detections for malicious traffic patterns, as well as automatically block traffic from known bot nodes that are published in threat intelligence feeds.
Uncommon applications and services should have rate-limiting in place for requests as well as filter lists and all publicly exposed servers and devices should be covered by patch management processes, the researchers said.
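The two recommendations above (building your own detections for malicious traffic patterns, and blocking known bot nodes published in threat intelligence feeds) and the earlier point that HTTP floods are measured in requests per second can be illustrated with a small detector run over web-server access logs. The following is an added example, not code from the Netscout report or from this article: it parses constructed combined-format log lines, flags any source whose request rate exceeds a sliding-window rps threshold (reporting which endpoint it hammered, which matters for purpose-built APIs that never see much traffic), and separately matches sources against a constructed CIDR blocklist standing in for a threat-intel feed. All IP addresses, feed entries, paths and thresholds are assumptions made for the example.

```python
# Added example (not from the Netscout report or the article): rate-based HTTP flood
# detection over web-server access logs, plus matching sources against a threat-intel
# blocklist. All IPs, feed entries and log lines below are constructed for illustration.
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Apache/nginx "combined" style line: client ip, timestamp, request line, status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_seconds=10, rps_threshold=20):
    """Flag sources whose request rate exceeds rps_threshold in any sliding window.

    Lines are assumed to be in time order per source. Returns {ip: (peak_rps, top_path)}
    so an analyst sees both how hard a source hit and which endpoint it targeted.
    """
    windows = defaultdict(deque)   # per-source timestamps inside the current window
    paths = defaultdict(Counter)   # per-source endpoint histogram
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, now = rec["ip"], rec["ts"]
        q = windows[ip]
        q.append(now)
        paths[ip][rec["path"]] += 1
        # evict timestamps that fell out of the window
        while (now - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        rps = len(q) / window_seconds
        if rps > rps_threshold and rps > peak.get(ip, 0.0):
            peak[ip] = rps
    return {ip: (rps, paths[ip].most_common(1)[0][0]) for ip, rps in peak.items()}


def blocklist_hits(lines, feed):
    """Return the set of source IPs that fall inside any CIDR in a threat-intel feed."""
    nets = [ipaddress.ip_network(cidr) for cidr in feed]
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        addr = ipaddress.ip_address(rec["ip"])
        if any(addr in net for net in nets):
            hits.add(rec["ip"])
    return hits


def _make_lines(ip, path, count, per_second, start):
    """Build constructed log lines: `per_second` requests per second from one source."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=i // per_second)).strftime(TS_FMT)
        out.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')
    return out


START = datetime(2024, 7, 1, 10, 0, 0, tzinfo=timezone.utc)
# Constructed feed using an RFC 5737 documentation range; a real feed would be pulled
# from a threat-intelligence provider.
THREAT_FEED = ["192.0.2.0/24"]
SAMPLE_LOG = (
    _make_lines("203.0.113.7", "/api/sensors", 500, 50, START)   # 50 rps flood of a sensor API
    + _make_lines("198.51.100.5", "/", 10, 1, START)             # ordinary browsing, 1 rps
    + _make_lines("192.0.2.44", "/login", 3, 1, START)           # quiet, but on the feed
)


def triage(lines=SAMPLE_LOG, feed=THREAT_FEED):
    """Combine both signals into one block recommendation."""
    floods = detect_floods(lines)
    listed = blocklist_hits(lines, feed)
    return {"floods": floods, "blocklisted": listed, "block": set(floods) | listed}


if __name__ == "__main__":
    print(triage())
```

The window size and rps threshold are the tuning knobs: a general-purpose website can absorb far more than 20 rps from one client, while a remote management interface or sensor-collection API may legitimately see only a handful of requests per minute, so the threshold should be set per service rather than globally. Feeding the blocklisted set straight into a firewall rule is the automated blocking the researchers describe; the rate-based set is better surfaced to an analyst first, since a misconfigured monitoring client can look like a flood.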