Cyber Reflection

Attackers use DDoS in response to sociopolitical events worldwide

Black image of battle ground

Labor and talent shortages. Lack of effective cybersecurity tools. Stagnant budgets. Ransomware, insider threats, supply chain breaches. The list of challenges faced by today’s cybersecurity leaders is seemingly never-ending. Combatting those challenges requires constant analysis and vigilance, especially in the wake of new or growing trends in the cybersecurity landscape.

Such is the case with attacks motivated by sociopolitical events, as explained in War, Religion, and Politics: The New Battleground For DDoS, part of NETSCOUT’s 1H 2022 DDoS Threat Intelligence Report. Although such attacks have steadily increased over the past 20 years, data from the first half of 2022 firmly establishes the reality that cybersecurity leaders need to understand, prepare for, and expect attacks related to politics, religion, and ideology.

Geopolitics and Cybersecurity Closely Linked
The war between Russia and Ukraine stands as the most prominent example of this trend for the first half of the year. Research shows that more than 25 percent of organizations in North America and EMEA have taken a cybersecurity action in response to the ongoing Russian war against Ukraine. These actions include blocking known tactics and indicators of compromise (IOCs) used by Russian attackers, improving incident response options, and promoting security awareness for all employees.

In fact, 66 percent of organizations changed cybersecurity strategies in response to the war. And 80 percent of security professionals say geopolitics and cybersecurity are closely linked.

Our research shows a massive increase in distributed denial-of-service (DDoS) attacks against government resources, online media organizations, financial firms, hosting providers, and cryptocurrency-related firms in the days leading up to the war. As Ukrainian internet properties were moved to other countries to ensure connectivity, attackers then shifted course and targeted the countries that aided Ukraine.

For instance, cloud-based systems in Ireland became home for many Ukrainian organizations, and there followed a 200 percent increase in attacks against organizations in Ireland as a result. Primary targets were hosting, colocation, virtual-private-server (VPS), and cloud providers in Ireland. Likewise, satellite telecommunications providers in North America were more heavily targeted when they provided support for Ukraine’s communications infrastructure.

As the war progressed, attackers became more aggressive about targeting countries that made any type of public announcement about the conflict. For instance, Finland saw a triple-digit increase in DDoS attacks after announcing it would apply for NATO membership, while Taiwan and Belize experienced much greater DDoS attack volume on the days in which public statements were made in support of Ukraine. Meanwhile, India experienced a measurable increase of DDoS attacks when the government abstained from voting to condemn Russia as part of the United Nations Security Council and General Assembly.

Elections, Court Decisions, and Local Events Drive Spikes in DDoS Attacks
Many other sociopolitical events drove up DDoS activity as well. The presidential election and runoff vote in Columbia drew shockwaves of DDoS attacks. In Brazil, a massive spike of attacks occurred as Rio Carnival kicked off, and an additional spike targeting governmental and religious institutions coincided with contentious public debate over a series of court decisions in the United States.

As these examples illustrate, threat actors are using DDoS attacks that coincide with sociopolitical events around the world. Security professionals need to consider both local and international conflicts when assessing DDoS risk factors, especially as they relate to direct service delivery elements, supply-chain partners, and other dependencies.

Learn more about sociopolitical trends by reading the 1H 2022 DDoS Threat Intelligence Report.