Because of the coronavirus pandemic, government cybersecurity has been tested to new limits. According to the NETSCOUT Cyber Threat Horizon, the number of DDoS attacks worldwide has gone up every month for the past three months running, that is, since many organizations began to shift to remote work and VPN solutions.
And unfortunately, this steady—and steep—upswing in attacks has hit like a rising tide that has affected all industries. For example, our reporting saw 43,000 attacks being perpetrated against government organizations, just in the month of May.
Moreover, the quality of these attacks has improved, too. Almost a decade ago, DDoS attacks were seen as “effective but unsophisticated,” but that is far from true today: the malicious actors perpetrating these attacks have become smarter, and their methods more complex, in order to work around modern cyberdefenses that would mitigate the effect of a traditional high-volume DDoS attack.
Instead, one of the trends that we’re seeing is that malicious actors are making targeted attacks in the “juicy middle” bandwidth range of 100-400 gigabits per second and knocking over less secure targets that have these lower bandwidth capacities.
This means that despite advances in our cyber infrastructures, malicious actors can still disrupt an organization, and with less volume to boot.
In this kind of threat environment, it is important that government cybersecurity professionals understand what motivates malicious actors targeting their organizations amidst this rising tide. Although government organizations are attacked for the same reasons as other large private sector organizations, the importance and nature of their work also give malicious actors several unique reasons to mount an attack. The three largest include:
To be sure, just like private sector organizations, a lot of the DDoS attacks that malicious actors stage against governments are for monetary gain. If an attacker can deny a government the use of their system for any period of time and disrupt any of the processes behind legislation, military readiness, or the delivery of services to its citizens, they have the leverage they need to extort that organization for significant sums of money.
A malicious actor could also launch a DDoS attack against a government agency to “showboat”: that is, to knock over an organization’s network to show their competence and raise their profile in the hacking community, helping them generate more business.
Government organizations, however, need to anticipate additional motives that go beyond monetary gains.
Because they are government organizations, their websites or networks may be targeted by malicious actors with a political agenda (hacktivists), who express their political opinions by using a DDoS attack to overload a website or network’s bandwidth.
In fact, whenever you see political actions, like protests, there’s usually a cyber reflection, or an increased number of attacks perpetrated against the relevant government body.
You only need to look at the demonstrations that are happening across the country right now for an example. Late last month, the Minneapolis Police Department’s website showed signs that it had suffered a DDoS attack, and Anonymous, a hacktivist group, claimed credit and declared it had perpetrated the attack as “retribution for the death of George Floyd” rather than for any monetary reward.
The ability to mount a cyberattack of any kind against U.S.-based government organizations has particular value to our peer- and near-peer competitor states because there are a whole lot of objectives that a state-backed advanced persistent threat (APT) could accomplish using the disruption of a DDoS attack.
For example, an APT group could just be using DDoS attacks as a diversion, a way to draw attention and cyberdefense resources to parts of the network while working on gaining access to sensitive information or functions elsewhere in an organization. Or, because the effects of a DDoS attack are often immediately apparent, an APT could launch one just to demonstrate their prowess and try to gain additional leverage in their overall relationship with the United States.
And, with less than six months before our next presidential election, we see even stronger motive for increased APT activity, as an APT could use DDoS attacks to great effect against the infrastructure that supports our electoral process.
And lastly, using a DDoS attack is anonymous. Unlike a conventional military attack, you can’t tell who is perpetrating an attack in cyberspace and whether that attacker is a state-sponsored entity, let alone which specific state is behind it.
To get more insights from Richard Hummel and his team, fill out the form below to download the NETSCOUT Threat Intelligence Report.