I speak a lot at conferences. A common question I receive is "Why do DDoS attacks keep occurring?" My answer is two-fold. First, it's so easy to execute. Whether it be Do It Yourself DDoS attack tools or DDoS Attack for Hire services (sold as network booter / stresser services), anyone without any technical skills can execute a DDoS attack.
Second, there are many motivations behind the launch of a DDoS attack. The chart below from our 13th Annual WISR shows only the Top 5 Motivations.
The motivation that has always intrigued me the most is Political/Ideological Dispute. To help explain this motivation I use the term "Cyber Reflection." Think of it this way. Have you ever noticed that during most media-attracting events (e.g. a major sporting event, world summits, or major political elections/decisions) there's always a video or picture of people demonstrating their point of view? These demonstrations occur on the streets outside the events, where you see things like protest signs, flags being burned, various forms of vandalism, etc. Many times there's another demonstration occurring simultaneously, in cyberspace. These demonstrations take the form of a DDoS attack. Why? It goes back to the first reason I mentioned: it's so easy to launch that anyone can do it.
My message to the audience is always "Be vigilant." You don't need to be the center of the geopolitical event to be the target. For example, many times during a major sporting event, DDoS attacks are launched against the sponsors or financial backers of the event, not the event itself. The 20-year history of DDoS attacks is filled with such events, many of which stemmed from political/ideological disputes.
Here's one you can think about that's related to recent events. On May 8, President Donald Trump announced that the United States would be withdrawing from the Joint Comprehensive Plan of Action (JCPOA), also known as the Iranian Nuclear Deal. As anticipated, this garnered major media attention and supporters quickly lined up on both sides of the decision, and again you saw demonstrations on the streets.
No sooner had this announcement been made than Michael Daniel, former White House Cybersecurity Coordinator under President Barack Obama, sent a warning that a new round of DDoS attacks out of Iran was likely as a result of President Trump's decision: the pending Cyber Reflection.
The Iranians are not new to DDoS attacks. In 2012-2013, they launched a series of DDoS attacks against U.S. financial institutions, code-named Operation Ababil. Arbor's ASERT has also written much about this, as these attacks have come to represent the modern-day multi-vector DDoS attack.
In some cases, political/ideological disputes are not the work of your run-of-the-mill protester; they are perpetrated by well-organized, highly skilled attack groups affiliated with and/or funded by nation states. In fact, after years of investigating Operation Ababil, the FBI arrested several Iranian nationals for their involvement in the attacks executed on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps.
According to ASERT's Jill Sopko, who specializes in Iranian and Middle East cyber activity, "But it's not just the Iranians we should be vigilant about... The Middle East/western Asia is a hotbed of activity. We've moved our U.S. embassy to Jerusalem. Have huge arms deals with the Saudis (who are fighting Yemenis). Nearly everyone in the area is either at war or in some sort of proxy war. The entire area is a hotbed of activity and DDoS is not only a capability most of the nation states there have, but anyone has. DDoS attacks could come from anywhere, from anyone, and we are not popular."
So, in conclusion, I'm not predicting there will be another series of DDoS attacks launched against U.S. financial institutions because of our pulling out of the Iranian Nuclear Deal, aka Operation Ababil v2.0. All I'm saying is that, every once in a while, raise your head from the thousands of SIEM alerts you're investigating and simply turn on your TV. When you see a major geopolitical event, ask yourself, "Am I remotely associated with that event, and if so, should I be on the lookout for a DDoS attack?"
Be vigilant of the Cyber Reflection, my friends.