As Russian ground troops prepared to enter Ukraine in February 2022, Ukrainian governmental departments, online media organizations, financial firms, and hosting providers were hit with a surge of distributed denial-of-service (DDoS) attacks. These attacks only increased in frequency and impact as Russian tanks rolled across the border, adding to the frenzy and chaos of that time.
Quick to hit back, Ukraine's IT Army sprang to life during the early days of the conflict. Much like Ukraine's volunteer army on the ground, recruits flooded in from all over the world to take part in the brewing war being waged online between Russia and Ukraine, with observed DDoS attacks focused on Russian targets increasing by 236% between February and March.
What seems clear is that whether issued by hacktivists or nation-states, DDoS attacks are often the opening salvo between opposing forces in today’s geopolitical conflicts. Compared with other types of cyberthreats, DDoS attacks can be launched relatively quickly. In addition, while DDoS attacks can cause significant disruption on their own, they can also mask or distract attention from more significant threats.
And, as seen in Ukraine and elsewhere, the use of DDoS attacks on the digital battlefield seems to be increasing. This article will examine the history of DDoS attacks for geopolitical conflict compared with recent attacks, providing insights that organizations can use to protect themselves from collateral damage.
2022: A Record-Setting Year for DDoS
The use of DDoS attacks to gain geopolitical advantage is nothing new, but the frequency at which these types of attacks are growing is noteworthy. In the latest "DDoS Threat Intelligence Report," Netscout reported more than 6 million attacks in the first half of 2022. Of these attacks, a majority corresponded with national or regional conflicts.
To continue with the Ukraine example, the frequency of DDoS attacks directed at Ukraine leveled off by April 2022, while attacks ratcheted up against perceived allies of Ukraine. This is likely attributable to Ukrainian Internet properties migrating to countries like Ireland, as instability within Ukraine's domestic Internet forced many network segments to rely on connectivity in other countries.
Echoes of this conflict continue to resonate across the global Internet. In March 2022, India experienced a measurable increase of DDoS attacks following its abstentions from United Nations Security Council and General Assembly votes condemning Russian actions in Ukraine. Similarly, during the first half of the year, Belize endured its single highest number of DDoS attacks on the same day that it made public statements in support of Ukraine.
Elsewhere, Finland, a close neighbor of Russia, experienced a 258% year-over-year increase in DDoS attacks coinciding with its announcement that it would apply for NATO membership. Poland, Romania, Lithuania, and Norway, meanwhile, were all targeted with DDoS attacks by adversaries linked to Killnet, a group of online attackers aligned with Russia.
But the conflict between Russia and Ukraine is not the only online battleground where fights over geopolitics are being waged. As tensions between Taiwan and China, and between Hong Kong and China, escalated during the first half of 2022, DDoS attack campaigns often coincided with public events. For example, in the run-up to Nancy Pelosi's visit to Taiwan in the summer of 2022, the website of Taiwan's presidential office and other government websites went dark due to DDoS attacks. And in Latin America, during a contentious election in Colombia in 2022, successive waves of DDoS attacks were launched during the initial vote and the contested runoff.
One common thread is that many of these attacks use known attack vectors and readily available DDoS-for-hire services, also known as booter/stresser services, found on the Dark Web. These illicit services typically offer a restricted tier of free demonstration attacks to prospective customers, lowering the bar for would-be attackers to spin up attacks rapidly at little to no cost. However, because these attack vectors are well known, they can be mitigated in most circumstances, provided the target has defenses in place before the attack begins.
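Because the well-known vectors sold by booter services leave recognizable traffic signatures, a defender can pick them out of flow telemetry with simple rules. The following Python is an added example, not code from the original article or from Netscout: it parses constructed flow records (the addresses, reflector port list, thresholds and record format are all assumptions made for the illustration) and labels each destination as baseline, a UDP reflection/amplification flood (traffic dominated by packets whose source port is a commonly abused UDP service), or a generic volumetric flood.

```python
"""Added example: classify constructed flow records to spot two well-known DDoS
patterns.  Record format (assumed): ts src sport dst dport proto packets bytes."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (assumption: a short illustrative list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record."""
    ts, src, sport, dst, dport, proto, pkts, nbytes = line.split()
    return Flow(float(ts), src, int(sport), dst, int(dport),
                proto.lower(), int(pkts), int(nbytes))


def classify(flows, window=1.0, pps_threshold=5000, reflect_share=0.5):
    """Return per-destination findings.

    peak_pps        : highest packets/sec seen in any `window`-second bucket
    reflection_share: fraction of packets that are UDP from a reflector port
    sources         : number of distinct source addresses
    verdict         : "baseline", "udp reflection/amplification flood", or "volumetric flood"
    Thresholds are assumptions chosen for the example, not tuned values.
    """
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst].append(f)

    findings = {}
    for dst, fl in per_dst.items():
        buckets = defaultdict(int)      # bucket index -> packets
        total = reflected = 0
        sources = set()
        for f in fl:
            buckets[int(f.ts // window)] += f.packets
            total += f.packets
            sources.add(f.src)
            if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
                reflected += f.packets
        peak_pps = max(buckets.values()) / window
        share = reflected / total if total else 0.0
        if peak_pps < pps_threshold:
            verdict = "baseline"
        elif share >= reflect_share:
            verdict = "udp reflection/amplification flood"
        else:
            verdict = "volumetric flood"
        findings[dst] = {"peak_pps": peak_pps, "reflection_share": share,
                         "sources": len(sources), "verdict": verdict}
    return findings


# Constructed sample: 20 spoofed-looking DNS reflectors hammering 203.0.113.10,
# three sources flooding 203.0.113.30 over TCP, and ordinary HTTPS to 203.0.113.20.
SAMPLE_FLOWS = [
    f"0.{i % 10} 198.51.100.{i} 53 203.0.113.10 {40000 + i} udp 400 {400 * 1400}"
    for i in range(1, 21)
] + [
    "0.3 192.0.2.50 43001 203.0.113.30 80 tcp 3000 120000",
    "0.4 192.0.2.51 43002 203.0.113.30 80 tcp 3000 120000",
    "0.5 192.0.2.52 43003 203.0.113.30 80 tcp 3000 120000",
    "0.2 192.0.2.7 51234 203.0.113.20 443 tcp 30 9000",
    "0.6 192.0.2.8 51235 203.0.113.20 443 tcp 25 7500",
]


def analyze(lines):
    """Parse raw record lines and classify them."""
    return classify(parse_flow(line) for line in lines)


if __name__ == "__main__":
    for dst, result in analyze(SAMPLE_FLOWS).items():
        print(dst, result)
```

The reflection check keys on the UDP source port because a reflected flood arrives from the abused service's port on many third-party hosts; a plain volumetric flood has no such signature and is caught by the rate threshold alone. In practice the thresholds would be set from a baseline of normal traffic rather than the fixed values assumed here.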
Don't Become Collateral Damage
DDoS attacks have the potential to seriously disrupt Internet operations for their intended targets, but they can also cause significant collateral impact for bystander organizations and unrelated Internet traffic that shares the same infrastructure. This risk is particularly high as data hosting and services move from war-torn regions like Ukraine to locations abroad.
In many of the examples listed above, the effectiveness of an attack largely depended on whether the targeted organization had DDoS defenses in place beforehand. In Ukraine and other countries, disruption at unprotected organizations was quickly remedied as global DDoS defense companies stepped in to help those that needed it. However, most organizations still need their own ongoing defenses rather than relying on emergency assistance.
In this environment, the most prudent course of action to avoid collateral damage is to assess DDoS risk factors regularly, especially those related to direct service delivery elements, supply chain partners, and other dependencies. Organizations should ensure that critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected. They should also confirm that DDoS defense plans reflect current configurations and operational conditions, and test those plans periodically to verify that they can be put into action when required.
In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.