Geopolitical Unrest Drives DDoS Activity

Service providers are on the front lines of geopolitical unrest and sociopolitically motivated DDoS attacks.


As detailed in NETSCOUT’s 2H 2021 Threat Intelligence Report, most geographical regions experienced decreases in attacks during the second half of 2021. But a notable exception to this rule was the Asia Pacific (APAC) region, which accounted for more than 1.2 million attacks during that timeframe—a 7 percent increase from 2H 2020. Geopolitical tensions between China, Hong Kong, and Taiwan—as well as hostility against countries that support democratic governments in the APAC region—were almost certainly to blame. 

As we approach the end of 2022, the Russian-Ukrainian conflict is still happening. Back in February of this year, the NETSCOUT ATLAS Security Engineering and Response Team (ASERT) began actively monitoring distributed denial-of-service (DDoS) attacks targeting both Ukrainian and Russian assets.

DDoS attacks are often a form of geopolitical protest, waged to impact governments and vital organizations around the world. In all these cases, DDoS traffic must transit multiple internet service provider (ISP) backbones to reach the intended victim from the often globally dispersed botnets and other compromised hosts from which it originates. Even an attack that is effectively mitigated at the target consumes valuable resources on every ISP network it crosses. It is, therefore, in every ISP’s self-interest not only to detect and mitigate attacks as close to the source as possible but also to suppress DDoS attacks before they can begin.

Comprehensive Defenses for Volumetric, Application-layer, and State Exhaustion Attacks

Many organizations will be affected when these attacks occur because they don’t just target a single victim, and ISPs will most certainly be on the front lines.

Nation-state actors often directly target internet infrastructure in order to take out critical communications, ecommerce, and other vital infrastructure dependent on internet connectivity. This, of course, means targeting ISP networks to hobble internet connectivity. Further, nation-states typically have vastly more resources at their disposal than other malicious actors. They constantly innovate and explore new and more powerful DDoS attack vectors, evidenced by the creation of new ones every year. As DDoS defenses become more precise and effective, attackers continue to find ways to bypass those defenses with new DDoS attack vectors and methodologies. These advanced techniques invariably find their way into the hands of criminal gangs and even individual hackers who turn them against any entity from whom they can profit.

Due to the increased tenacity of cybercriminals and the growth in complexity of DDoS attacks, the foundation for a comprehensive DDoS protection solution should identify and stop all types of DDoS attacks and other cyberthreats before they impact the availability of business-critical services. 

DDoS Attacks Grow in Response to Sociopolitical Events 

While DDoS attacks have steadily increased over the past 20 years, recent data firmly establishes the reality that network operators need to understand, prepare for, and expect attacks related to politics, religion, and ideology.

The war between Russia and Ukraine stands as the most prominent recent example of this trend. Research shows that more than 25 percent of organizations in North America and EMEA have taken a cybersecurity action in response to the ongoing Russian war against Ukraine. These actions include blocking known tactics and indicators of compromise (IOCs) used by Russian attackers, improving incident response options, and promoting security awareness for all employees.

In fact, 66 percent of organizations changed cybersecurity strategies in response to the war. And 80 percent of security professionals say geopolitics and cybersecurity are closely linked.
 
Our research shows a massive increase in DDoS attacks against government resources, online media organizations, financial firms, hosting providers, and cryptocurrency-related firms in the days leading up to the war. As Ukrainian internet properties were moved to other countries to ensure connectivity, attackers then shifted course and targeted the countries that aided Ukraine.

For instance, cloud-based systems in Ireland became home for many Ukrainian organizations, and there followed a 200 percent increase in attacks against organizations in Ireland as a result. Likewise, satellite telecommunications providers in North America were more heavily targeted when they provided support for Ukraine’s communications infrastructure.

Finland saw a triple-digit increase in DDoS attacks after announcing it would apply for NATO membership, while Taiwan and Belize experienced much greater DDoS attack volumes on the days in which public statements were made in support of Ukraine. Meanwhile, India experienced a measurable increase in DDoS attacks when the government abstained from voting to condemn Russia as part of the United Nations Security Council and General Assembly.

The presidential election in Colombia drew waves of DDoS attacks. In Brazil, a massive spike of attacks occurred as Rio Carnival kicked off, and an additional spike targeting governmental and religious institutions coincided with contentious public debate over a series of court decisions in the United States.
 
With today’s growing frequency and complexity of DDoS attacks, a multilayer defense strategy is now a requirement. New techniques such as adaptive DDoS, which changes vectors based on the defense that is presented, reinforce the need for attack management agility and efficiency. Threat actors are using DDoS attacks that coincide with sociopolitical events around the world. Security professionals need to consider both local and international conflicts when assessing DDoS risk factors.

Learn more about sociopolitical and other trends at NETSCOUT’s DDoS Threat Analysis and Intelligence Hub.