In Q3 2022, DDoS attacks were, more often than not, politically motivated. As before, most news centered on the conflict between Russia and Ukraine, but other high-profile events also shaped the DDoS landscape this quarter.
The pro-Russian group Killnet, active since January 2022, claimed responsibility for several more cyberattacks. According to the hacktivists themselves, more than 200 websites in Estonia fell victim to their attacks, including the ESTO AS payment system. In nearby Lithuania, the websites and e-services of the energy company Ignitis Group were hit. Both attacks were described by the affected organizations as the largest they had faced in the last 10–15 years.
Killnet also claimed responsibility for an attack on the website and services of the US Electronic Federal Tax Payment System. The attackers stated on Telegram that they were “testing a new DDoS method.” During the attack, they said, the site administration tried to change the DDoS protection vendor, but then had a rethink. In addition, Killnet disrupted the US Congress website for a couple of hours.
On the other side of the Pacific, in Japan, 20 websites of four different government departments were hit by DDoS attacks. Killnet hacktivists claimed involvement in this incident, too. The defending side managed to eliminate the main damage within 24 hours, although the e-Gov administrative portal continued to experience access problems the day after.
The lesser-known pro-Russian group Noname057(16) took credit for attacks on the website of Finland’s parliament and the publication archive of its government, both of which it managed to take offline temporarily. If the group’s Telegram channel is to be believed, the attacks were motivated by the fact that “[Finnish] officials are so eager to join NATO.”
In turn, Russian resources suffered from DDoS attacks by pro-Ukrainian hacktivists. Victims included the Unistream, Korona Pay, and Mir payment systems, as well as the Russian National Payment Card System, which ensures the operation of Mir and the Faster Payments System. What’s more, activists brought down the website, call center, and SMS provider of Gazprombank; Otkritie Bank noted disruptions to its internet banking service and mobile app, and SberBank reported 450 repelled DDoS attacks in the first two months of Q3. According to SberBank, this is the same number as in the previous five years put together.
Electronic document management systems, in particular SKB Kontur and Taxcom, were also in the firing line. Their websites were either down or slow, which caused supply troubles for dairy producers. The websites of the political parties United Russia, Young Guard of United Russia, and A Just Russia — For Truth.
Media outlets were not spared either: RIA Novosti and Sputnik suffered attacks that lasted almost 24 hours, while the website of Argumenti i Fakti was unavailable for some time. Meanwhile, StormWall reported that 70 regional newspapers in 14 Russian cities, among them Bryansk, Kaluga, Chelyabinsk, Pskov, Omsk, Tyumen, and Sochi, were hit by garbage traffic.
A wave of DDoS attacks swept across many tech and entertainment companies as well. Hacktivists attacked around 20 Russian video-conferencing platforms. Among the services affected were TrueConf, Videomost, Webinar.ru, and iMind. Also targeted were the websites of Kinomax, Mori Cinema, Luxor, Almaz Cinema, and other movie theaters. Hacktivists also tried to disable the websites of the car information portal Drom, the drone store MyDrone, and the security vendor Avangard.
Already in Q1, various sites and apps were available to allow technically inexperienced users who sympathize with Ukraine to join DDoS attacks against Russian resources. The Russian-speaking APT group Turla exploited the hype. In July, Google researchers reported a piece of Android malware being distributed by cybercriminals under the guise of a DDoS tool for attacking Russian websites. According to experts, this is Turla’s first ever malware for Android.
Besides the Russia–Ukraine conflict, there were reports of politically motivated DDoS attacks in other hot spots on the planet. US Congress Speaker Nancy Pelosi’s visit to Taiwan provoked not only a public outcry in mainland China, but also a string of cyberattacks both before her arrival on the island and in the hours immediately after. In particular, the websites of Taiwan’s president and its Ministry of National Defense experienced downtime. Also affected were the online resources of the Ministry of Foreign Affairs and Taoyuan International Airport.
Israel, too, became a DDoS target when cybercriminals attacked the websites of the country’s Ministry of Health and Tel Aviv-Yafo Municipality. As a result, access to these resources from abroad was limited. Responsibility for the cyberattacks was claimed by Al-Tahira (aka ALtahrea), a group opposed to NATO and its allies.
The post-Soviet space was also a hotbed of activity. Amid the escalating conflict between Armenia and Azerbaijan, a DDoS attack battered the official site of the Collective Security Treaty Organization (CSTO), a Russia-led military alliance in Eurasia. The CSTO reported that attackers, under the guise of a DDoS, had attempted to change some information on its website. And in the last third of September, the Kazakhstani segment of the internet faced a DDoS onslaught from abroad. At around the same time, local media (Top Press, New Times, Skif News) were also subjected to DDoS attacks.
Some events in Q3 could not be described as unambiguously political. For example, the company Russian Environmental Operator reported DDoS attacks on the new Secondary Material Resources Exchange immediately after the announcement of the platform’s launch. Although this may have been part of a hacktivist campaign, new online resources regularly face DDoS attacks before going live even during quiet times. The largest Russian-language torrent tracker RuTracker and the entertainment portal Live62 also admitted to being attacked in Q3. Both sites have been beset by copyright infringement claims, and RuTracker has been blocked in Russia as a pirate resource.
In addition, a number of firms specializing in DDoS protection reported major attacks in Q3.
Akamai announced two major attacks on the same client from Eastern Europe. In both cases, the number of packets per second sent by the attackers was extraordinary. The first attack, on July 21, peaked at 659.6 million packets per second, a new European record at the time, says Akamai. This was not an isolated case: in July, this same client was attacked more than 70 times. The record held until September 12, when another attack posted 704.8 million packets per second.
In continuation of a Q2 trend, Google says it blocked an HTTPS-based DDoS attack that peaked at 46 million requests per second, 77 percent more than the record-breaking HTTPS attack mentioned in our previous report. According to experts, the attack involved more than 5,000 IP addresses from 132 countries, with around 30 percent of the traffic coming from Brazil, India, Russia, and Indonesia. The geographical distribution and botnet characteristics suggest the use of the Mēris family.
Lumen reported stopping an attack with a capacity of over 1 terabyte per second on the servers of its client. At the time of the attack, the target servers were hosting a gaming service. In the week leading up to the incident, the attackers tested various DDoS methods and studied the victim’s protection capabilities by issuing commands to bots from three different C2 servers.
Gaming services are regularly targeted by DDoS. In Q3, the servers of Gaijin Entertainment, which developed War Thunder, Enlisted, and Crossout, were hit by an extended series of attacks. They began on September 24, and users were still complaining of disruptions at the time of writing. To reduce the negative effect of the DDoS attack, Gaijin promised to extend its promotions and premium subscriptions, as well as award bonuses to players for a whole week.
The North American data centers of Final Fantasy 14 were attacked in early August. Players experienced connection, login, and data-sharing issues. Blizzard’s multiplayer games — Call of Duty, World of Warcraft, Overwatch, Hearthstone, and Diablo: Immortal — were also DDoSed yet again.
An ESL eSports match between the teams NaVi and Heroic was held up for over an hour due to a DDoS attack on individual players. The match continued only after the organizer had dealt with the threat.
In turn, the developers of the game Tanki Online announced they had finally neutralized a string of DDoS attacks that had plagued players since the summer. Having beefed up protection and stabilized the servers, the organizers thanked the players for their patience with a prize giveaway.
That was not the only good news regarding DDoS attacks on gaming services this quarter: in Sweden, police detained a suspect in a DDoS attack on Esportal, a CS:GO tournament platform. If convicted, they face from six months to six years in prison.
Anti-DDoS measures are also being implemented at the national level. For instance, Israel announced the launch of the Cyber-Dome project, designed to secure national digital resources. According to the Israel National Cyber Directorate, having a single protective complex will “elevate national cybersecurity by implementing new mechanisms in the national cyber perimeter and reducing the harm from cyberattacks at scale.”
In Bangladesh, the governmental Computer Incident Response Team required all key organizations, including those responsible for the country’s IT infrastructure, to develop and introduce anti-DDoS measures. This came after a reported spike in attacks.
At the same time, the global legal consensus that any DDoS attack constitutes a cybercrime came under threat in Q3, and from an unexpected source. The Hungarian Cable Communications Association (MKSZ) requested that the law be changed to officially allow MKSZ members and legal enterprises from the telecom industry to carry out DDoS attacks as a means of combating IPTV piracy. MKSZ described traditional measures, such as blocking IP addresses and domain names, as slow and ineffective, arguing that legally sanctioned cyberattacks could genuinely force users to abandon pirate services.