FSIs facing resurgence of DDoS attacks


Not so long ago considered a ‘solved problem’, last year, financial services firms faced a 22 per cent uptick in Distributed Denial of Service (DDoS) attacks targeting their systems, in many cases stemming from increased political instability worldwide, a new joint report from global financial industry cyber intelligence network, the FS-ISAC, and Akamai has revealed.

“DDoS attacks have been around for decades,” the FS-ISAC wrote in its report, “but the recent increase in both volume and intensity is a rising concern to the financial sector.”

While commonly employed by hacktivists (i.e. cyber hackers motivated by a political or social agenda), the report reveals that DDoS attacks are increasingly being utilised in extortion attacks by financially motivated actors.

Appearing to take cues from the ransomware hacks, DDoS attacks now often include a ransom note to victims demanding payment to cease the attacks – these attacks, the report adds, are also not necessarily covered by existing protections.

Further, DDoS may also be used as cover for other, potentially more damaging, cyber activities, such as infiltration of systems and exfiltration of data and malware installation.

While the report notes that standard countermeasures employed by defenders are often enough to significantly dampen the effects of a direct DDoS attack, “the distraction caused to the victim organisation can serve as a smokescreen, which makes it easier to achieve or hide other types of attacks”.

The report cited the successful targeting of banks – more than a decade ago – using the Dirt Jumper botnet, which was aided by a decoy DDoS attack.

Further, despite having limited direct impact, such DDoS attacks place extra strain on cyber-defensive teams’ limited resources.

With financial services organisations increasing dependent on cloud, as-a-service (aaS) solutions and data partners, DDoS attacks on their supply chains – that is, third- or even fourth-party providers – can also have a serious impact on FSIs’ operations and front-line services, the report noted.

DDoS is defined by FS-ISAC as a cyber-attack utilising multiple connected online devices, collectively known as a botnet, to overwhelm a target website with traffic, slowing or even disabling it all together for legitimate users.

A ‘toxic brew’

Increasing commoditisation of the DDoS technologies – with even low-skill malicious actors able to avail themselves of cheap as-a-service (aaS) DDoS solutions – combined with the ready availability of botnet infrastructure and amplification techniques, and a growing, on-call army of poorly secured IoT devices able to be “requisitioned as botnets”, has created a “toxic brew” for defenders, the report noted.

Defending organisations are not only confronting a greater volume of DDoS attacks, the report added, but an increasing intensity and speed to each stike, “requiring more resources to combat them” and “less time to mitigate”.

Peak volumes of most attacks targeted at the financial sector remain under 120 Gbps (gigabits per second); however, the FS-ISAC in 2022 reported documented attacks in the range of 700 Gbps.

“The higher the intensity, the more likely the attack will overwhelm firms’ mitigation measures.”

Further, the range of attack types has increased markedly, going well “beyond the simple volumetric clogging of internet pipes,” the report said.

“Attacks can also target hardware, DNS infrastructure, and even web servers, giving threat actors more means to achieve their ends.”

According to Akamai data, in 2010 the top five DDoS attack vectors mounted up to 90 per cent of all attacks. In 2022, the top five vectors only account for 55 per cent of all attacks.

“This indicates the threat landscape is maturing and becoming more varied, complex, and sophisticated. Some vectors dominate for a short period until mitigation measures catch up, while others stand the test of time.”

What many had regarded as “a solved problem” and largely dormant for years, according to the report, appears to have re-emerged with force over the last year. This is largely a result of increased political strife across the globe – for instance, the Russia-Ukraine war, as well as geopolitical tensions between China and Taiwan, and between the US, Israel, and Iran.

Politically motivated actors have targeted their attacks on government websites, private networks, education facilities, and critical infrastructure – including financial institutions – of entities that are directly or indirectly involved in these heated or cold conflicts.

“The continued evolution of DDoS shows that it is far from a solved problem,” said Teresa Walsh, global head of intelligence at FS-ISAC.

“Working with our sector’s critical providers like Akamai, who have first-hand knowledge of how DDoS is affecting the financial sector, enables us to arm our members with the understanding and guidance they need to better protect their firms and customers,” she said.