Warfare and Geopolitics are Fuelling Denial-of-Service Attacks
December 2023 by ENISA
A new report from the European Union Agency for Cybersecurity (ENISA) on the Denial-of-Service (DoS) attack threat landscape finds that 66% of DoS attacks are politically motivated.
The analysis is based on 310 verified Denial-of-Service (DoS) incidents during the reporting period of January 2022 to August 2023. However, this total number only represents the incidents gathered from open sources.
The report also includes a large-scale study of publicly reported incidents. The study focuses on the motivations of attackers, their goals and the socio-political profiles of targets.
DoS attack threat landscape report 2023
Since the beginning of 2022, DoS attacks have turned into a novel and massive threat using new techniques and are fuelled by warfare motivations.
In the last few years, DoS attacks have become easier, cheaper and more aggressive than ever before. The emergence of new armed conflicts around the world has fuelled new waves of DoS attacks, in which newly formed threat actors pick and choose targets without fear of repercussions.
Objective of report:
To provide a better understanding of this type of threat by analysing the motivations and impact of DoS attacks, and at the same time to raise awareness by suggesting prevention and remediation recommendations.
The research shows that the most impacted sectors over the reporting period of January 2022 to August 2023 are associated with government services. These attacks stand as acts of retaliation triggered by political decisions.
The report highlights that over the last few years DoS attacks have increased in number, especially in public administration, and have become easier and more aggressive than before, largely due to geopolitical reasons. The current DoS threat landscape is greatly influenced by the emergence of recent armed conflicts around the world, and especially by the Russia-Ukraine War, which fuelled new waves of DoS attacks in which recently introduced threat actors select targets without fear of repercussions.
The study also illustrates that while no sector is exempt from DoS attacks, government infrastructure has become a preferred target of threat actors, who often succeed in causing downtime.
The most affected sector was government administration, which received 46% of attacks.
It is estimated that 66% of the attacks were motivated by political reasons or activist agendas.
Overall, 50% of the global incidents were found to be related to the Russian-Ukrainian war.
The study shows that 8% of the attacks caused total disruption in the target.
The analysis of DoS attacks’ motivations and goals is based on the new taxonomy, which classifies such attacks using publicly available information about the attacks and the targets, for a more systematic analysis approach.
Warfare is a key player, and organisations would benefit from prevention and remediation strategies.
Reporting of DoS attacks has not reached the maturity needed to show the real extent and impact of such attacks.
The detection, description and analysis of DoS attacks are highly complex and differ from those of other cybersecurity attacks. In other types of attack, such as exploitation of services or even supply chain attacks, the attackers leave artefacts behind that incident responders can find, analyse, share, confirm, verify and ultimately use for some explanation or even attribution. In the case of DoS attacks, artefacts either do not exist or are usually fake. This is one of the reasons why official databases of such attacks are difficult to compile.
The report sheds light on 3 types of information one must be warned against when seeking to analyse DoS incidents:
The good quality of information: paradoxically, this is the information coming from reports and claims made by the attackers themselves.
The bad quality of information: information coming from DoS protection providers that actually stopped the attacks.
The ugly quality of information: information coming from reports created by the targets.
What is a Denial-of-Service or DoS attack?
There is a wide range of difficulties when it comes to defining what a DoS attack is.
Denial-of-service attacks (DoS) are defined for this report as availability attacks in which attackers, partially or totally, obstruct the legitimate use of a target’s service by depleting or exploiting the target’s assets over a period of time.
Distributed Denial-of-Service (DDoS) attacks are a subset of DoS attacks. DoS attacks can be distributed, which means that they may originate from thousands of sources all over the world, usually relying on large-scale botnets or proxies.