With the 2020 Summer Olympic Games in Tokyo postponed because of the ongoing COVID-19 pandemic, people around the globe lost out on the opportunity to see records broken in amazing, athletic displays of human potential, drive, and spirit. But while the Coronavirus cost people in every corner of the planet the opportunity to see the impossible made possible in athletics – it kicked the door open for other world records – and not necessarily good ones. That’s because, according to the recent NETSCOUT 2H 2020 Threat Intelligence Report, the global response to the COVID-19 pandemic created a golden opportunity for hackers, who responded by shattering previous cybersecurity benchmarks.
Leveraging research from both NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT), and the 16th annual Worldwide Infrastructure Security Report (WISR), the NETSCOUT 2H 2020 Threat Intelligence Report provides a detailed and comprehensive look at the security threats that faced organizations around the world in the second half of 2020, the trends that drove these threats and the changing cybersecurity landscape facing private companies, service providers and government agencies today. And, while it may seem cliché or even fashionable to blame any number of the world’s current woes on the ongoing COVID-19 pandemic, the latest 2H 2020 Threat Intelligence Report shows that the pandemic really did have a significant and negative impact on the cybersecurity of organizations across a number of important industries over the second half of last year. As the pandemic moved important daily activities, collaboration and operations online, it effectively created an environment where targeted DDoS attacks could have a massive impact on individuals, corporations, and government agencies.
“…the COVID-19 pandemic was the clear catalyst for this year’s unprecedented DDoS attack activity,” the report claims. “Vital pandemic industries such as ecommerce, streaming services, online learning, and healthcare all experienced increased attention from malicious actors targeting the very online services essential to remote work and online life.”
So what, exactly, did hackers do with this environment ripe for interruption? They set a new standard for the number, complexity, and ferocity of DDoS attacks.
First place by a mile
According to the numbers in the NETSCOUT 2H 2020 Threat Intelligence Report, DDoS attacks increased a whopping 20 percent in 2020, and an even more staggering 22 percent in the second half of the year. Monthly DDoS attack numbers also blew away previous records – rising from their previous high of 732,000 attacks in December of 2019 to the new normal of more than 800,000 per month.
The report assigns much of the blame for that increase to the increased vulnerability of organizations as they moved essential services and operations online. But the larger increase in the second half of the year was a direct result of something even more nefarious – cyber extortion campaigns utilizing DDoS.
Cyber extortion is certainly not new. However, when people think of cyber extortion initiatives and attacks, they most likely think about ransomware – which takes control of an organization’s networks, systems, or data and holds it captive until a ransom is paid. But ransomware is no longer the only cyber extortion tool in a hacker’s arsenal. The emergence of new, more complex and more immense DDoS attacks has enabled hackers to threaten organizations with DDoS attacks against particular applications or services if they fail to pay a ransom.
The largest and most successful of these attacks in 2020 were those perpetrated by a threat actor that NETSCOUT has dubbed “Lazarus Bear Armada.” The attacker received that name because, according to NETSCOUT’s Tom Bienkowski, “…when the attacker sent an extortion note to their target, to add legitimacy, they would identify themself as being from one of three well-known Advanced Persistent Threat Groups (APTs) – Lazarus Group, Fancy Bear, and Armada Collective.”
But who were LBA and other DDoS attackers targeting?
COVID puts new companies in the crosshairs
The list of companies and organizations that are most targeted for cyberattack almost always includes companies from multiple sectors within the financial services industry. And that makes a lot of sense – malicious actors looking for a financial gain are going to target the organizations that hold and oversee a large percentage of the world’s money.
And that was no different for the LBA group. According to the Threat Intelligence Report:
“Lazarus Bear Armada (LBA) launched a global campaign of DDoS extortion attacks that took down the New Zealand stock exchange in its debut attack. From there, LBA broadened its target base considerably to include financial services and financial-adjacent entities, healthcare, communications service providers, internet service providers (ISPs), large technology companies, and manufacturing…”
But LBA accounted for just a fraction of the DDoS attacks that the NETSCOUT team identified in 2H 2020. The other attacks weren’t all so focused on financial services companies. In fact, some were aimed at new targets and markets that rarely appear on the list of top attack targets at all. And much of that had to do with COVID-19 shifting the way we live and work.
With many people working from home, learning from home, and shopping from their couches, there was a massive upswing in the number of DDoS attacks that targeted telecom companies, Internet publishing and broadcasting companies, educational institutions, and even online retailers. According to the Threat Intelligence Report:
“…online shopping, which grew an impressive 44 percent in 2020, represents another pandemic stalwart that came under increased attack, as did online learning. Interestingly, this activity was seen not only at the usual hot spots of colleges and universities but also at the high school and middle school level.”
Why were these new market sectors and organizations – including middle and high schools – targeted? It may be less about malicious intent and more about laziness. As the report describes, “With DDoS-for-hire services both readily available and incredibly cheap, it seems likely that budding online delinquents set about playing hooky on an internet scale.”
Regardless of whether they were intended to extort a financial reward or ransom from their target – or were just a high-tech way to skip gym class – the 2H 2020 Threat Intelligence Report from NETSCOUT is evidence that records were broken frequently and repeatedly in 2020. Unfortunately, they weren’t the kinds of records that anyone wants, and they serve as another reminder that hackers are opportunistic attackers who will leverage any trend or global pandemic for personal gain.