New Netscout report says botnets are “more potent than ever before”
Geopolitical tensions involving Russia and Ukraine are being reflected in cyberattacks, while botnets “continue to evolve at a frightening pace,” according to a new security report from Netscout.
Netscout, which draws anonymized data on Distributed Denial of Service (DDoS) attacks from its Netscout Arbor DDoS attack protection solutions deployed in major networks across more than 190 countries, said in the report that DDoS attacks “ramped up against Ukrainian assets just prior to and after Russia launched ground troops. Then we see a decline in attacks against Ukrainian assets as infrastructure is destroyed or moved out of Ukraine; meanwhile, there’s a significant increase in attacks against Ireland, where much of those Ukrainian assets were moved. Likewise, we see a surge of retaliatory attacks against Russia—attacks that go all the way back to 2021 beginning with national elections and early discussions of invading Ukraine. Finally, the trend line shows a massive increase in attacks against Finland after that country’s announcement that it would join NATO.”
Finland saw a nearly 260% increase in DDoS attacks year-over-year, Netscout said. Meanwhile, since the beginning of the conflict with Ukraine, Russia has seen a 3X increase in the number of daily DDoS attacks. Taiwan saw DDoS attacks that coincided with public events related to tensions with China and Hong Kong, the report added. While DDoS attacks in North America stayed “relatively consistent,” Netscout also said that satellite telecommunications providers “experienced an increase in high-impact DDoS attacks, especially after providing support for Ukraine’s communications infrastructure.”
“Taken as a whole, there’s no question that attack frequency is closely tied to sociopolitical events on the world stage,” the report concludes, going on to add that in addition to those specific countries, “many other countries experienced surges in DDoS attacks from ongoing military conflict, political events, and even entertainment events taking place around the world.”
The report found that overall, DDoS attacks were down slightly—about 2%—from the second half of 2021. However, the maximum bandwidth of attacks was up nearly 60% to 957.9 Gbps.
Some of those DDoS attacks are botnet-fueled, taking advantage, increasingly, not only of consumer devices with lax security but also routers and servers used in enterprise networks. The original Mirai source code, responsible for some of the most well-known botnet attacks, “has continued to evolve [and] … is used not only to target IoT devices but also to attack vulnerabilities in a wide range of other devices, including cable modems and enterprise-grade routers and servers,” Netscout said.
The company also said that malware botnet proliferation “grew at an alarming rate” between the first and second quarter of this year, growing from 21,226 nodes tracked to 488,381 nodes and resulting in more “direct-path, application-layer attacks.”
The company also found that there has been “an uptick in adversaries using DDoS-for-hire providers as part of a triple threat” that involves exfiltrating data, using ransomware to lock a target out of its own access to the same data and then applying DDoS attacks “in hopes of receiving cryptocurrency payouts—meanwhile wreaking havoc on the organization’s networks and reputation.” Those types of attacks in particular are botnet-driven, the report said.
The company highlighted several botnets, including one dubbed “Killnet,” which it said is run by a pro-Russian DDoS-for-hire group and appears to be “largely … geopolitically motivated, with a list of attack targets that include the U.S. federal government, as well as Ukrainian and Lithuanian organizations that take opposing viewpoints.”
“By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies,” said Richard Hummel, threat intelligence lead at Netscout. He said that, among other things, in the first half of this year attackers “conducted more pre-attack reconnaissance” and also “rapidly expanded high-powered botnets to plague network-connected resources.”
“In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications,” Hummel added.