DDoS Threat Intelligence Report

DDoS Threats

Active DDoS Attack Campaigns 

One of the most significant shifts in the DDoS threat landscape is the continued onslaught of attacks from DDoS hacktivist groups bombarding websites and organizations around the world. Although many of these groups focus on EMEA due to geopolitical turmoil, the attacks absolutely reach across the world as surrounding countries and regions become invested in network infrastructure and services in affected areas. These groups require many different responses to properly defend against them, and just as doctors use precise tools to target specific illnesses, we must apply the same level of precision to DDoS threat actors. These threat actors, whether driven by money, beliefs, or politics, are experts at causing digital chaos. By keeping a close eye on them, we’re better equipped to build up our defenses and keep our networks—and the organizations they support—safe and sound.

2023 was an exceptionally busy year for defenders as threat actors launched many DDoS attack campaigns against a variety of targets. NoName057(16) holds the top position with 780 targeted websites across 35 countries. EXECUTOR DDOS follows with 201 websites in 29 countries. Other notable groups include DDOS-V2, SYLHET GANG-SG, and the Russian Cyber Army Team. Anonymous Sudan ranks ninth, with 81 targeted websites in 17 countries.

In the second half of 2023, Anonymous Sudan was notably active in DDoS hacktivism, briefly outpacing NoName057(16) in terms of attacks. As of our latest review, NoName057(16) has regained its leading role, eclipsing all competitors. Meanwhile, Anonymous Sudan’s activity has normalized, aligning with the general levels observed among similar groups. This fluctuation highlights the ever-changing landscape of cyberthreats, reinforcing the need for constant vigilance. 


Anonymous Sudan

Anonymous Sudan has made a significant impact since its emergence in 2023. This group, with its pro-Russian leanings, has been notable for its number of attacks against a variety of targets, including major messaging platforms such as X (formerly known as Twitter) and Telegram. Interestingly, these attacks were driven by specific grievances: a push to influence Elon Musk regarding Starlink service in Sudan in the case of X, and retaliation against Telegram for suspending its primary channel.

Operating with the sophistication of a well-funded organization, Anonymous Sudan has also joined forces with the Killnet hacktivist network. Anonymous Sudan’s global assaults, aligning often with Kremlin-friendly goals, strategically target high-demand services such as streaming platforms during peak usage times. Anonymous Sudan utilizes well-known DDoS attack vectors and methodologies effectively, resulting in significant impact against unprepared targets and making the group a formidable threat.


NoName057(16)

NoName057(16), a pro-Kremlin group, smashed onto the scene supporting Russia in the ongoing Russia-Ukraine conflict in early 2022. It made a name for itself with its custom malware, DDoSia, targeting NATO-aligned countries in response to perceived anti-Russia sentiments. The group’s innovative use of gamification in cyberwarfare stands out, offering digital currency rewards to encourage volunteer participation in attacks. This strategy not only increases the scale of the group’s operations but also showcases a unique way of mobilizing support in the digital sphere. 

NoName057(16) leverages decentralized botnets and attacker infrastructure, predominantly utilizing public cloud and hosting services. This approach significantly reduces costs and risks. The group’s preferred attack method, HTTPS-based application-layer DDoS, bombards sites with junk HTTPS requests, causing notable disruptions, especially in Eastern and Western European nations. In response to these evolving threats, it’s imperative to adopt robust security measures.
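The HTTPS request floods described above are visible in ordinary web-server access logs as a few hundred sources converging on one path at rates no browser produces. The following detection sketch is an added example, not code from the report or from ASERT: it runs a per-source sliding-window counter over constructed log lines in an assumed format, flags sources that exceed an assumed threshold, and reports which paths they hit so an operator can see how many distinct sources are hammering the same resource.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning values are assumptions for this example, not figures from the report.
WINDOW = timedelta(seconds=10)  # sliding window per source
THRESHOLD = 50                  # requests per source per window before flagging


def parse_line(line):
    """Parse a constructed log format: '<ip> [<ISO time>] <method> <path> <status>'."""
    ip, ts, method, path, status = line.split()
    return ip, datetime.fromisoformat(ts.strip("[]")), method, path, int(status)


def detect_flood(lines, window=WINDOW, threshold=THRESHOLD):
    """Per-source sliding-window counter over access-log lines (sorted here by time).

    Returns (flagged, paths): flagged maps each source whose peak in-window request
    count exceeded the threshold to that peak; paths maps the same sources to the
    paths they requested, so many sources converging on one path stand out as a
    distributed flood rather than a single misbehaving client."""
    recent, peak, paths = defaultdict(deque), defaultdict(int), defaultdict(set)
    for line in sorted(lines, key=lambda l: parse_line(l)[1]):
        ip, ts, _, path, _ = parse_line(line)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip].add(path)
    flagged = {ip: n for ip, n in peak.items() if n > threshold}
    return flagged, {ip: paths[ip] for ip in flagged}


def build_sample():
    """Constructed traffic: one browsing client (one request every 2 s, varied pages)
    plus three bot sources each sending 20 requests per second for 10 s at one page."""
    base = datetime(2023, 12, 1, 10, 0, 0)
    lines = [f"203.0.113.5 [{(base + timedelta(seconds=2 * i)).isoformat()}] GET /page{i % 5}.html 200"
             for i in range(30)]
    for bot in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        lines += [f"{bot} [{(base + timedelta(milliseconds=50 * i)).isoformat()}] GET /index.html 503"
                  for i in range(200)]
    return lines


if __name__ == "__main__":
    flagged, paths = detect_flood(build_sample())
    for ip, n in sorted(flagged.items()):
        print(f"{ip}: peak {n} requests in {WINDOW.seconds}s, paths {sorted(paths[ip])}")
```

On the constructed sample the three bot sources peak at 200 requests in the window and all hit /index.html, while the browsing client peaks at 6 and is not flagged.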

ASERT Advice

To combat such threats, staying updated with real-time intelligence feeds is crucial. These feeds are vital, offering deep insights into DDoS tactics and sources of compromised traffic, and are an essential component of any robust DDoS mitigation strategy. They represent more than mere data; they are a critical line of defense in the constantly shifting landscape of cyberwarfare. 

DDoS on the Geopolitical World Stage  

The activities of groups such as NoName057(16) and Anonymous Sudan demonstrate a growing trend in DDoS attacks driven not just by lone hackers or small collectives but also by politically motivated groups. These organizations are increasingly using DDoS as a tool to target those ideologically opposed to them, executing attacks that seamlessly transcend national borders.

Protesting with DDoS Attacks

DDoS attacks tend to escalate during periods of significant political unrest. For example, in mid-December of 2023, Peru experienced a 30 percent increase in attacks over an already-inflated doubling of attacks throughout the year. This spike came on the heels of a nationwide series of protests that coincided with the release of former Peruvian President Fujimori from prison on December 6. 

In Poland, the average number of observed DDoS attacks surged at the end of 2023 to nearly quadruple the country’s yearly average as it embarked on a transition of power out of the hands of the Law and Justice party, which had held power in government for the last eight years. Coupled with the regime change was a series of statements that reaffirmed Poland’s support of Ukraine in the Russia-Ukraine conflict—a perfect storm for adversaries opposing this stance. 

International Conflicts Attract DDoS Attacks

Of course, it’s impossible to discuss DDoS being used in a geopolitical context without thinking of Russia and Ukraine, but more recent conflicts such as Israel and Palestine also attracted a flood of adversaries and DDoS attacks, with daily attacks increasing more than tenfold between the first and second halves of 2023. Hacker groups such as NoName057(16), Anonymous Sudan, and Killnet have all taken credit for attacks launched during this time, with primary targets including communication infrastructure, hospitals, and banks. These international conflicts stand as glaring examples of how cyberattacks, particularly DDoS, have become a commonplace method for sowing chaos during significant political turmoil, regardless of which side of the political spectrum an adversary happens to align with.

Russian-aligned hacker groups often claim to launch attacks to “punish” governments for sending aid to Ukraine. As they do so, they are more than willing to opportunistically co-opt local causes as well to justify their actions. For example, NoName057(16) launched a series of attacks on Spanish websites earlier this year. When explaining its actions, the attackers cited the Spanish government’s support of Ukraine, but also claimed to support a group of Spain’s firefighters who were protesting for improved benefits. Both the DDoS attack and these protests took place during an election year for Spain, demonstrating a clear willingness on the part of these hacker groups to attempt to place their thumb on the scales during election times.

ASERT Advice

Understanding the motives behind these cyberattacks is important to comprehending their full impact. With the digital battlefield constantly evolving, it becomes increasingly critical to monitor and analyze the patterns of these disruptions to anticipate future threats and protect against them.