Europe, Middle East, and Africa
The largest—and arguably the most diverse—region that we examined is Europe, the Middle East, and Africa (EMEA), which is made up of 128 countries and territories. Spanning both the northern and southern hemispheres, EMEA is populated with people of vastly different economies and cultures, and in 2022, the region experienced significant geopolitical conflict. Unsurprisingly, those world events spilled into cyberspace, altering the DDoS attack landscape in 1H 2022.
This was evidenced in several ways. DDoS attack volume was significantly higher by the end of June when compared with 2H 2021. On average over 30 days, the number of attacks per day grew by more than 7 percent between January 1 and June 30. Perhaps predictably, the number of attacks targeting Russia nearly tripled by March and remained more than two times greater through June. Attacks targeting resources within Ukraine increased by 15 percent by March, but then quickly decreased below levels recorded at the beginning of the year, a pattern that is at least partly explained by reports that some Ukrainian targets were moved to other provider networks and geographic locations.
Several other countries also experienced an increase or unusual spikes in attacks in 1H 2022, including Saudi Arabia (51 percent), South Africa (41 percent), Finland (249 percent), and Ireland (200 percent). The dramatic increase in attacks on Finland is most likely attributable to the country’s move toward NATO membership. The increase in attacks against Ireland is likely attributable to Ukrainian resources that shifted out of country and into cloud-based systems located in Ireland. Several other countries also saw a decline in attacks, including Portugal (59 percent), Sweden (49 percent), and Romania (30 percent).
Key Findings
-
1
DDoS attacks altered the entire regional cyberspace as a result of ongoing conflict between Russia and Ukraine.
-
2
Geopolitical influence and infrastructure offloading resulted in attacks spilling into neighboring countries.
-
3
A global trend in more TCP-based attacks was clearly evident in EMEA, with TCP ACK floods eclipsing any other DDoS attack vector in the first half of the year.
EMEA Data was drawn from…
By The Numbers
Attack Count
Vector Analysis
The top vectors in EMEA were largely consistent with the global trend and adversary preference for TCP-based attacks. However, the divide between TCP and DNS (or other UDP-based vectors) stands out quite starkly, given there are nearly twice as many TCP ACK floods as DNS amplification. At the end of Q1 2021, both of these vectors were nearly equal, and the change highlights the rapid descent of DNS amplification as a primary vector.
Country Analysis
Finland and Ireland—which ranked as two of the most targeted countries in the region—experienced a correlated pattern of attack volume that began in early February, about a month earlier than the attack increases seen against Russia and Ukraine. Although attacks against Finland started trailing off in June, the volume of attacks remained largely steady for both countries during the majority of 1H 2022, with Finland averaging 467 attacks per day (an increase of 443 percent from 2H 2021) and Ireland averaging 284 attacks per day (an increase of 118 percent from 2H 2021). Attacks targeting South Africa started picking up in May and continued to increase through the end of June, netting an average of 632 attacks per day (an increase of 17 percent from 2H 2021).
Meanwhile, Great Britain—which almost always tops the charts in attack volume for the region—experienced somewhat of a respite from that dubious honor, with the average daily attack count decreasing to 743 attacks per day (19 percent) from 2H 2021.
Russia / Ukraine
As previously noted, Russia and Ukraine saw unusual attack volumes in 1H 2022. For instance, attacks targeting Russian internet resources grew rapidly in March (275 percent), as shown in Figure XX. Another way we evaluated this change is comparing monthly attack volumes by country. We looked at March alone and then at the entire six months as compared with similar countries, and Russia came out on top in both scenarios, an obvious point when looking at the EMEA: Russia Region Daily Attacks chart below.
Although there was an initial uptick in attacks against Ukrainian internet properties in March (24 percent over the prior month), attack volume eventually fell below pre-March levels and was down more than 40 percent by the end of June when compared with January, as shown in the EMEA: Top – Country Daily Attacks chart below. This likely is attributable to the migration of Ukrainian internet resources from Ukraine-based autonomous system numbers (ASNs) and assigned IP-address spaces to other network providers and countries. However, it may also reflect destruction and unavailability of Ukraine ASN/IP address resources. Nevertheless, much of the country, apart from the southern and eastern regions, remained online with only brief disruptions.
Industry Spotlights
As we have historically noted, attacks against network services and related industries are the preferred target for adversaries. However, a few interesting trends emerged in 1H 2022.
WIRELESS TELECOMMUNICATIONS CARRIERS
The number of attacks targeting wireless telecommunications carriers (except satellite) increased by nearly 75 percent over the period, continuing a steadfast upward momentum around the world.
ALL OTHER TELECOMMUNICATIONS
However, the one vertical that exceeded any other in the upper reaches of targeting was that of all other telecommunications, a vertical hierarchy that includes many dial-up and customer-supplied internet connections. This sector also includes VoIP service providers and satellite telemetry/tracking services. Given ongoing geopolitical tensions, it comes as no surprise that we observed a massive 302 percent increase in attacks on this sector.
ELECTRONIC SHOPPING
In a move that tracks with the rest of the world, we continue to see electronic shopping and internet publishing and broadcasting (entertainment and web conferencing) sectors targeted less at the tail end of the COVID-19 pandemic.
Note: Industry data and attack counts are based on a sampling of our data and aligned to the North American Industry Code database, which often includes limited labeling in other regions.