For the first time in history, the annual number of DDoS attacks crossed the 10 million threshold, as NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) observed 10,089,687 attacks over the course of the year. That’s nearly 1.6 million more attacks than 2019’s count of 8.5 million.
From March until the end of the year, DDoS attackers operated amidst the COVID-19 pandemic. While most of the world saw an unprecedented global health crisis, malicious actors saw new vulnerabilities and opportunity. It is seldom that annual activity is so deeply affected by one event, but such is the case with 2020 DDoS attack activity and trends.
The start of the pandemic lockdown ushered in a ‘new normal’ in the way we live and work, causing a seismic shift in internet usage as people increasingly moved their lives online. As the global workforce shifted to remote work, devices that previously sat behind enterprise firewalls and secure environments were used at home, behind typical consumer-grade routers and network devices. Attacks quickly exploited this by more than doubling the number of IoT-specific malware samples circulating in the wild, further contributing to the increase in DDoS attacks for 2020.
Richard Hummel, threat intelligence lead at NETSCOUT, said, “It is no coincidence that this milestone number of global attacks comes at a time when businesses have relied so heavily on online services to survive. Threat actors have focused their efforts on targeting crucial online platforms and services such as healthcare, education, financial services and e-commerce that we all rely on in our daily lives. As the COVID-19 pandemic continues to present challenges to businesses and societies around the world, it is imperative that defenders and security professionals remain vigilant to protect the critical infrastructure that connects and enables the modern world.”
DDoS attack count, bandwidth, and throughput all saw significant increases since the start of the global COVID-19 pandemic. For instance, attack frequency rose 20% year over year, but that includes the pre-pandemic months of January, February, and most of March. For the second half of 2020, which was entirely pandemic-ridden, attacks rose 22% year over year.
As cybercriminals quickly exploited pandemic-driven opportunities, we saw another kind of ‘new normal.’ Monthly DDoS attacks regularly exceeded 800,000 starting in March, as the pandemic lockdown took effect. As noted in the NETSCOUT Threat Intelligence Report 1H 2020, cybercriminals launched 929,000 DDoS attacks in May, which constitutes the single largest number of monthly attacks we’ve ever seen. And while wired and wireless broadband providers saw the brunt of the attacks, pandemic lifeline industries such as e-commerce, online learning, and healthcare all experienced increased attention from malicious actors. For example, ASERT conducted a six-month review of worldwide education networks for DDoS activity and found a 25% increase year over year for that time period.
DDoS Cyber Extortion Campaign
The other notable DDoS activity of 2020 started in mid-August, as a relatively prolific threat actor initiated the Lazarus Bear Armada global campaign of DDoS extortion attacks, a campaign that remains active as adversaries have begun re-targeting original victims. The adversary cites the victim’s failure to pay the original extortion demand as the cause for renewed attacks.
Here, too, the exigencies of the pandemic likely influenced the attackers’ targets. While the LBA campaign originally focused on financial services targets, the actors behind the campaign soon expanded their target area to include larger enterprises within the healthcare space, including insurers, medical testing companies, and global pharmaceutical companies. Some of these businesses were involved in COVID-19 testing and the development of vaccines. While it is doubtful that the attackers aimed specifically to disrupt the work, the fact that these companies had both deep pockets and urgent deadlines made them prime targets.
Communications service providers, ISPs, large technology companies, and manufacturing also came under increased attack.
Moreover, the attackers targeted infrastructure in addition to more conventional attacks focused on internet-facing services. Here too, pandemic accommodations such as remote work played a role, as the cybercriminals focused on disrupting ongoing operations within a company, such as the inbound/outbound use of VPNs and cloud-based tools by employees working from home.