Pro-Palestinian Actor Levels 6-Day DDoS Attack on UAE Bank

A distributed denial-of-service (DDoS) attack targeting a financial institution in the United Arab Emirates set records for the duration of the cyberattack and the sustained volume of requests.

The attack — attributed to pro-Palestinian hacktivist group BlackMeta, also known as DarkMeta — lasted six days and included multiple waves of Web requests lasting anywhere from four to 20 hours, targeting the financial institution's site. Overall, it lasted more than 100 hours in total, averaging 4.5 million requests per second, cybersecurity firm Radware stated in an advisory published this week.

The DDoS attack represents a significant departure from the standard hacktivist denial-of-service attacks, says Pascal Geenens, director of threat intelligence for Radware.

"Those attacks were lasting between 60 seconds and five minutes — they came, they hit hard, and they go away after one to five minutes," he says. "Now, in the case of this attack, the campaign in total lasted six days, and in those six days, 70% of the time, that customer was being targeted by an average of 4.5 million requests."

BlackMeta, also known as SN_BlackMeta, appeared in November 2023 and has a history of claiming responsibility for attacks against organizations in Israel, the United Arab Emirates, and the United States. In May, the group claimed responsibility for a multiday denial-of-service attack on the San Francisco-based Internet Archive. In April, the group claimed to have attacked the Israel-based infrastructure of the Orange Group, a French provider of telecommunication services in Europe, the Middle East, and Africa. The group also targeted organizations in Saudi Arabia, Canada, and the United Arab Emirates.

DDoS Attacks for $500 a Month

The BlackMeta group announced its intent to attack the financial institution on Telegram in the days leading up to the operation. The cyberattack inundated the financial firm's website with requests, causing the share of legitimate requests to plummet to as low as 0.002%, with an average of 0.12%. The attacks continued for 70% of the time during the six-day period.

Bandwidth captures showing the attack over six days. Source: Radware

The attackers used a cybercrime service known as InfraShutdown, which allows attackers to target sites for $500 to $625 a week, according to Radware's advisory.

BlackMeta is primarily motivated by a pro-Palestinian ideology, but similar to Anonymous Sudan, has an anti-Western stance, and appears to have links with Russia, and uses Arabic, English, and Russian in its posts, Radware stated.

"The group positions its attacks as retribution for perceived injustices against Palestinians and Muslims," the company stated. "Their targets typically include critical infrastructure such as banking systems, telecommunication services, government websites and major tech companies, all reflecting a strategy to disrupt entities viewed as complicit in or supportive of their adversaries."

Profiting from DDoS Service?

BlackMeta is likely a rebrand of Anonymous Sudan, a group that made a name for itself last year attacking targets along with the loose-knit pro-Russian Killnet group, according to the researchers. Anonymous Sudan targeted Israeli organizations and the encrypted messaging service Telegram in 2023. Comparing the number of claimed attacks by month over the past year and a half shows Anonymous Sudan's activity dwindling at the same time that BlackMeta's was ramping up.

Anonymous Sudan advertised its InfraShutdown DDoS attack service during previous attacks, urging other would-be attackers to sign up, which means the group is likely financially benefiting from its "hacktivism."

"If the actors behind [BlackMeta] are in any way related to or support Anonymous Sudan, the premium InfraShutdown service is highly likely to be the origin of the 14.7 million [requests-per-second], 100-hour attack campaign," Radware stated in its advisory

Rate-limiting the bandwidth during such attacks is not a solution to sustained application-layer attacks, because a company would have to be able to differentiate between the 1.5 billion legitimate requests reaching the website over a six-day period, and the 1.25 trillion malicious requests targeting the site, Geenens says.

"With the attacks going to Layer 7 — the application layer — the problem has shifted," he says. "Before we were at the network level, you could use a firewall, but that is too much processing power, so we moved to network protection. But when you move one layer up [to Layer 7], they can target specific pages and randomize the queries that they put in, so they make it look like legitimate posts."