By Richard Hummel, ASERT Threat Research Manager, NETSCOUT
Not all world records are cause for celebration—just look at the DDoS attack numbers from 2020. For the first time in history, we observed the annual number of DDoS attacks cross the 10 million threshold, with NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) observing 10,089,687 attacks over the course of the year. That’s nearly 1.6 million more attacks than 2019’s count of 8.5 million. Regionally, EMEA saw 3.71 million attacks during 2020, with a peak volume of 586 Gbps and a peak duration of 7 days.
Granted, DDoS attack numbers move only in one direction—up. However, context is important when looking at DDoS statistics from 2020. From March until the end of the year, DDoS attackers operated amidst the COVID-19 pandemic. While most of the world saw an unprecedented global health crisis, malicious actors saw new vulnerabilities and opportunity. It is seldom that annual activity is so deeply affected by one event, but such is the case with 2020 DDoS attack trends. It is no coincidence that this milestone number of global attacks comes at a time when businesses have relied so heavily on online services to survive.
The start of the pandemic lockdown ushered in a “new normal” in the way we live and work, causing a seismic shift in internet usage as people increasingly moved their daily routines online. As the global workforce shifted to remote work, devices that previously sat behind enterprise firewalls and secure environments were used at home, behind typical consumer-grade routers and network devices. Attackers quickly exploited this, more than doubling the number of IoT-specific malware samples circulating in the wild and further contributing to the increase in DDoS attacks for 2020.
DDoS attack count, bandwidth, and throughput all saw significant increases between the start of the global COVID-19 pandemic and the end of the year.
For instance, attack frequency rose 20 percent year over year, but that includes the pre-pandemic months of January, February, and most of March. For the second half of 2020, which was entirely pandemic-ridden, attacks rose 22 percent year over year.
As cybercriminals quickly exploited pandemic-driven opportunities, we saw another kind of “new normal.” Monthly DDoS attacks regularly exceeded 800,000 starting in March, as the pandemic lockdown took effect. Indeed, as noted in the NETSCOUT Threat Intelligence Report 1H 2020, cybercriminals launched 929,000 DDoS attacks in May, which constitutes the single largest number of monthly attacks we’ve ever seen. And although wired and wireless broadband providers experienced the brunt of the attacks, pandemic lifeline industries such as e-commerce, online learning, and healthcare all experienced increased attention from malicious actors.
DDoS Cyber Extortion Campaign
The other notable DDoS activity of 2020 started in mid-August, as a relatively prolific threat actor initiated the Lazarus Bear Armada (LBA) global campaign of DDoS extortion attacks, a campaign that remains active as adversaries have begun retargeting original victims. The adversary cites the victim’s failure to pay the original extortion demand as the cause for renewed attacks.
Here, too, the exigencies of the pandemic likely influenced the attackers’ targets. Whereas the LBA campaign originally focused on financial services targets, the actors behind the campaign soon expanded their target area to include larger enterprises within the healthcare space, including insurers, medical testing companies, and global pharmaceutical companies. Some of these businesses were involved in COVID-19 testing and vaccine development. Although it is doubtful that the attackers aimed specifically to disrupt the work, the fact that these companies had both deep pockets and urgent deadlines made them prime targets.
Communications service providers, ISPs, large technology companies, and manufacturing also came under increased attack.
Moreover, the attackers targeted infrastructure in addition to launching more conventional attacks on internet-facing services. Here too, pandemic accommodations such as remote work played a role: the cybercriminals focused on disrupting ongoing operations within a company, such as the inbound/outbound use of VPNs and cloud-based tools by employees working from home.
As the COVID-19 pandemic extends into 2021, we can logically expect to see threat actors targeting vulnerabilities exposed by the global crisis as well as discovering and using new attack vectors that poke at the weak spots of our new normal. Indeed, these numbers only scratch the surface, and we expect to unearth new details as we conduct further research for the next NETSCOUT Threat Intelligence Report. It is imperative that defenders and security professionals remain vigilant to protect the critical infrastructure that connects and enables the modern world. NETSCOUT’s Cyber Threat Horizon gives a real-world picture of these DDoS attacks as they occur in near real-time and provides a view into the DDoS Threat Landscape.