
Pro-Russian Hacker Groups Are Targeting Ukraine and Its Allies: DDoS Attacks Are at an All-Time High in Q1 2022

May 20, 2022

Cybercriminals are continuing to exploit the ongoing crisis in Ukraine. After initial reports of increased malicious and scam activity, the Russian invasion of Ukraine led to the largest-ever spike in DDoS attacks. Compared to the first quarter of 2021, the number of DDoS attacks in the first quarter of 2022 increased 4.5 times, with a considerable share of attacks likely the result of hacktivism. DDoS attacks also showed unprecedented duration—especially those targeting government resources and banks, according to a report issued by Kaspersky™.

DDoS attacks were at an all-time high in Q1 2022

DDoS attacks are designed to disrupt network resources used by companies and organizations to prevent them from functioning properly. These attacks become even more dangerous if the compromised systems are part of the government or financial sectors, as blocking these services has knock-on effects on the wider population.

The first quarter of 2022 saw a sharp increase in attacks at the end of February as a result of the crisis in Ukraine.

Compared to data from the fourth quarter of 2021, which saw the highest number of DDoS attacks ever detected by Kaspersky™, the first quarter of 2022 showed a 46% increase in the total number of DDoS attacks. The number of “smart” (advanced and targeted) attacks in Q1 2022 also rose notably: up 81% compared to the Q4 2021 record.

Attacks were not only large-scale, but also innovative. Examples include a website that mimics the popular puzzle game “2048” to gamify DDoS attacks on Russian websites, and a call that aims to build an army of IT volunteers to facilitate cyberattacks. Further investigation by Kaspersky™ revealed that a current, average DDoS session lasts 80 times longer than the average DDoS attack noted in Q1 2021. The longest attack was detected on March 29th, 2022, lasting an atypically long 177 hours.

Cybercriminals are targeting Ukraine and its Allies

Ukraine’s Computer Emergency Response Team (CERT-UA) recently announced that it is investigating ongoing DDoS attacks targeting pro-Ukraine sites and the government web portal, with the help of the National Bank of Ukraine’s CSIRT (CSIRT-NBU). The investigation indicated that the attacks originated from compromised websites, most of them running the WordPress CMS. Furthermore, it has been established that threat actors planted malicious JavaScript code in the web pages of these sites so that visitors’ browsers generate malicious traffic to target URLs statically defined in the JavaScript code—tracked as BrownFlood.

CERT-UA released this statement: “The government team for responding to computer emergencies in Ukraine CERT-UA in close cooperation with the National Bank of Ukraine (CSIRT-NBU) has taken measures to investigate DDoS attacks, for which attackers place malicious JavaScript code (BrownFlood) in the structure of the web pages and files of compromised websites (mostly under WordPress), as a result of which the computing resources of computers of visitors to such websites are used to generate an abnormal number of requests to attack objects, URLs of which are statically defined in malicious JavaScript code.” 
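The mechanism CERT-UA describes leaves a distinctive trace on the victim side: a burst of requests to a fixed path whose Referer headers point at many unrelated third-party sites (the compromised WordPress pages), rather than at the victim's own pages. The following detector, an added example that is not from CERT-UA or Kaspersky, scans Combined Log Format access-log lines for exactly that pattern; the log lines, origin names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def referer_origin(referer: str) -> str:
    """Reduce a Referer header to scheme://host so each compromised site counts once."""
    if not referer or referer == "-":
        return ""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}".lower()

def find_browser_flood_paths(log_lines, own_origin, min_requests=20, min_foreign_origins=5):
    """Return {path: (request_count, foreign_origin_count)} for paths hit many times
    from many different third-party referer origins, none of which is our own site."""
    requests = defaultdict(int)
    origins = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        path = m.group("path").split("?")[0]  # drop query string (cache-busting noise)
        origin = referer_origin(m.group("referer"))
        requests[path] += 1
        if origin and origin != own_origin.lower():
            origins[path].add(origin)
    return {
        path: (requests[path], len(origins[path]))
        for path in requests
        if requests[path] >= min_requests and len(origins[path]) >= min_foreign_origins
    }

# Constructed sample log (not real traffic): 30 hits on /api/search arriving via
# six different third-party referers, plus ordinary self-referred traffic to /news.
SAMPLE_LOG = [
    f'203.0.113.{i % 50} - - [29/Apr/2022:10:00:{i % 60:02d} +0000] "GET /api/search?q={i} HTTP/1.1" 200 512 '
    f'"https://blog-{i % 6}.example/" "Mozilla/5.0"'
    for i in range(30)
] + [
    f'198.51.100.{i} - - [29/Apr/2022:10:00:{i:02d} +0000] "GET /news HTTP/1.1" 200 2048 '
    f'"https://www.target.example/" "Mozilla/5.0"'
    for i in range(8)
]
```

Running `find_browser_flood_paths(SAMPLE_LOG, "https://www.target.example")` flags only `/api/search`; the same referer-origin list is what you would hand to the owners of the compromised sites for cleanup.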

In early April, the Czech National Cyber and Information Security Agency (NCISA) announced that several Czech websites had been under severe DDoS attack. These included the websites of Czech railways, the Karlovy Vary and Pardubice airports, and the public administration portal, which was not operational for several days. Finnish foreign affairs and defense ministry websites were also hit by cyberattacks. One of the largest attacks, however, targeted Romania.

On April 29th, 2022, government websites in Romania were crippled by a DDoS attack carried out by Killnet—a Russia-supporting cybercrime group. This was confirmed by the Romanian National Cyber Security Directorate in a statement.

Attackers targeted the websites of Romania’s government, its ministry of defense, its border police, a national railway transport company, and a Romanian commercial bank. The aim was to disable these online services by overloading the sites with large volumes of traffic from multiple sources. 

The attack was claimed by Killnet on a Telegram channel, and the attackers justified it on the grounds that Romania is supporting Ukraine in the military conflict with Russia. The pro-Russian group recently launched DDoS attacks on the sites of institutions in the USA, Estonia, Poland, and the Czech Republic, as well as on NATO websites.

The Romanian Intelligence Service published this announcement: “Following the investigations carried out by the CYBERINT National Center within the Romanian Intelligence Service, it was established that the cyberattackers used network equipment from outside Romania. The attackers took control of the equipment in question by exploiting cybersecurity vulnerabilities, respectively the lack of cybersecurity measures, and used them as a vector of attack on sites in Romania.”

Since the war started, several cybercrime groups have pledged support to the Russian government and threatened to launch cyberattacks against countries helping Ukraine. Although some cybercrime groups may initiate attacks in support of the Russian government, security experts state that cybercriminals will most likely continue to operate primarily on the basis of financial motivation.