DDoS Attacks Against Japan

Pro-Russian Hacktivists Respond to Military Plans

by Marcin Nawrocki

Executive Summary

In response to Japan's call for increased participation in US-led military alliances, two pro-Russian threat actors announced a coordinated DDoS attack campaign targeting Japanese organizations on October 14, 2024 (Figure 1). The attacks mainly focused on the logistics & manufacturing sectors, as well as governmental and political organizations. Multiple non-spoofed direct-path DDoS attack vectors were utilized, primarily originating from well-known nuisance networks [4], as well as cloud provider and VPN networks [3]. At the time of this publication, the attack campaign is ongoing, and the hacktivists continue to push new targets to their DDoSia botnet.

Attack Context and Targeted Sectors

On October 11, 2024, the Ministry of Foreign Affairs of the Russian Federation (MID) published an interview expressing concern over Japan's increasing militarization, particularly its rising defense budget, development of pre-emptive strike capabilities, and involvement in US-led military exercises and joint ballistic missile-defense research and cooperation [1]. In support of these concerns, two pro-Russian threat actors, NoName057(16) and the Russian Cyber Army Team, launched a series of high-impact DDoS attacks three days later, on October 14-16, 2024. The slight delay occurred because NoName057(16) had recently been focused on attempting to disrupt the Belgian elections, which took place over the previous weekend; this included more than 30 configuration updates sent with near-exclusive Belgian targets for government, logistics, and election sites. This incident underscores the coordination between these two threat actors, which we have observed on multiple occasions [2,3,4].

Half of the attacks targeted the Logistics & Manufacturing sector, with a particular focus on harbors and shipbuilding; this is consistent with NoName057(16)’s typical approach. The second-largest group of attacks was directed at government, political, and social organizations, including the political party of Japan’s newly elected prime minister [5], with the likely intention of generating significant publicity by attacking high-profile targets.

Figure 1: NoName057(16) public attack announcement on Telegram.

Attack Vectors

NoName057(16) has leveraged every attack capability of the DDoSia botnet, employing a wide range of direct-path attack vectors against multiple targets. As of this writing, approximately 40 targeted Japanese domains have been identified. On average, each domain is hit by three attack waves that use four distinct DDoS attack vectors and approximately 30 different attack configurations to maximize attack impact.

All identified target domains were subject to at least one type of TCP packet-flooding, with TCP SYN-floods being the most prominent. Additionally, over two-thirds of the websites experienced HTTP-based attacks, further intensifying the attack campaign. Over the course of three days, we observed all new C2 server updates occurring between 07:00 and 13:00 UTC (16:00 to 22:00 in Japan, UTC+9), which corresponds to typical working hours for the Russian-aligned group.
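Because the vectors described above are non-spoofed and direct-path, the source addresses seen in flow data are the real senders and can be scored per source. The following is an added example, not NETSCOUT's code or method: it takes constructed flow summaries (the record layout, thresholds, and documentation-range addresses are all assumptions) and flags sources whose traffic looks like a TCP SYN flood or an HTTP request flood.

```python
from collections import defaultdict

# Constructed flow summaries for one 10-second window toward one protected host:
# (source_ip, syn_packets, completed_handshakes, http_requests)
# Addresses are from RFC 5737 documentation ranges; all values are made up.
SAMPLE_FLOWS = [
    ("192.0.2.10", 4200, 3, 0),       # many SYNs, almost no handshakes
    ("192.0.2.10", 3900, 1, 0),
    ("198.51.100.7", 40, 40, 950),    # handshakes complete, heavy request rate
    ("203.0.113.5", 6, 6, 12),        # ordinary browser-like client
    ("203.0.113.9", 2, 2, 3),
]

# Assumed thresholds; tune against a baseline of the protected service.
SYN_MIN = 1000            # SYNs per window before a source is considered
COMPLETION_MAX = 0.05     # handshake completion ratio below this is suspicious
HTTP_REQ_MAX = 300        # requests per window from one source


def classify_sources(flows):
    """Aggregate per source and label each as syn_flood, http_flood or ok."""
    totals = defaultdict(lambda: [0, 0, 0])
    for src, syns, done, reqs in flows:
        t = totals[src]
        t[0] += syns
        t[1] += done
        t[2] += reqs

    verdicts = {}
    for src, (syns, done, reqs) in totals.items():
        completion = done / syns if syns else 1.0
        if syns >= SYN_MIN and completion < COMPLETION_MAX:
            verdicts[src] = "syn_flood"
        elif reqs > HTTP_REQ_MAX:
            verdicts[src] = "http_flood"
        else:
            verdicts[src] = "ok"
    return verdicts


def blocklist(flows):
    """Sources worth rate-limiting or blocking; valid only for non-spoofed traffic."""
    return sorted(s for s, v in classify_sources(flows).items() if v != "ok")


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_FLOWS).items()):
        print(f"{src:15} {verdict}")
```

Per-source verdicts like these are only meaningful when the traffic is not spoofed; for spoofed floods the source field says nothing about the sender.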

Recent DDoS Attacks in the Larger DDoS Ecosystem

NETSCOUT observes approximately 2,000 DDoS attacks targeting Japanese networks daily. While the recent attacks are impactful, they do not significantly change the overall threat landscape of the region. These attacks display patterns similar to those observed in other regions, including the use of direct-path attack vectors and common sources, often involving nuisance networks [6], as well as legitimate cloud providers and VPNs [7]. NETSCOUT's AIF [8] tracks validated DDoS attack sources and is especially effective in helping organizations mitigate high-visibility DDoS attacks such as those observed over the course of this attack campaign.

Conclusion

ASERT observed how the Russia-aligned threat actors NoName057(16) and the Russian Cyber Army Team coordinated their efforts in attacking Japanese entities, particularly in the logistics & manufacturing sectors and governmental organizations. These recent activities do not dramatically alter the overall threat landscape. However, as DDoS attacks continue to affect organizations globally, implementing robust detection and mitigation strategies remains crucial for maintaining digital availability. NETSCOUT’s Adaptive DDoS Protection Solution [9] provides automated detection and neutralization of all types of DDoS attacks, ensuring protection for enterprises and service providers alike.

References

  1. https://mid.ru/en/maps/jp/1975643/
  2. https://www.netscout.com/blog/asert/moldova-faces-wave-ddos-attacks
  3. https://www.netscout.com/blog/asert/south-korea-enduring-wave-geopolitical-ddos-attacks
  4. https://www.netscout.com/blog/asert/ddos-attacks-spain
  5. https://www.bloomberg.com/news/articles/2024-09-26/japan-s-new-prime-minister-to-be-decided-by-ldp-leadership-poll
  6. https://www.netscout.com/blog/asert/nuisance-network-traffic
  7. https://www.netscout.com/blog/asert/noname057-16
  8. https://www.netscout.com/product/atlas-intelligence-feed
  9. https://www.netscout.com/solutions/ddos-protection