Ukraine, Gaza Wars Inspire DDoS Surge Against Finservs

Hacktivists love to target financial services companies, and their attacks are growing both larger and longer.

The flags of Israel and Russia
Source: Daniren via Alamy Stock Photo

Financial services organizations have faced nearly twice as many distributed denial of service (DDoS) attacks this year as any other industry, thanks in part to a rise in hacktivism.

According to a new report from Akamai, between Jan. 1 and June 30, there were nearly 3,000 Layer 3 and 4 DDoS attack events in the financial services sector (Layer 3 and 4 attacks occur at the network and transport layers of Internet communication). The next most-targeted industries — gaming, then high tech, then manufacturing — suffered around 1,000 to 1,500 events each.

A number of factors contribute to the sheer scale of the threat, experts say, including a general rise in DDoS across the board, a surge in hacktivist activity in association with high-profile geopolitical conflicts, emerging threats to application programming interfaces (APIs), and more.

And at the end of the day, it's just easy. "They don't have to find a vulnerability. They don't have to find that gap in your armor. They can just literally sit there and hit a button," says Richard Hummel, director of threat intelligence for Netscout.

Hacktivism Drives DDoS

On July 15, beginning at 10:05 a.m. local time, the full weight of a globally distributed botnet was turned against a major financial services company in Israel.

The vectors of attack were numerous: UDP flooding, UDP fragmentation, DNS reflection, PUSH and ACK floods, and more. At its peak, the flood of data registered at 789GB per second — equivalent to millions of documents, or hundreds of thousands of photos, streaming in with each passing moment.

The peak of the event lasted until around 1 p.m. local time, but activity persisted for around 24 hours. "This attack was very exceptional in terms of total duration," Akamai researchers wrote, after helping abate the attack. "This requires significant resources and is an indication of a very sophisticated aggressor."

Remarkably, despite that aggressor dedicating so much power to one attack, a number of other Israeli financial institutions experienced outages that same day, in what researchers assessed was likely a politically motivated campaign.

It wasn't the only politically motivated DDoS campaign that happened around this time, nor was it the worst. Those Israeli companies might have considered themselves lucky compared to a UAE bank, whose website was attacked by the pro-Palestinian group BlackMeta (aka DarkMeta). In a six-day romp, the group sent 10 waves of Web requests lasting between four and 20 hours each, averaging 4.5 million per second and peaking at 14.7 million.

DDoS has surged in correlation with the wars in Gaza and Ukraine, Akamai says, particularly against European banks with connections to Ukraine. Even if a financial institution doesn't consider itself political in any way, it nonetheless serves as a useful punching bag for hackers pursuing their dogmatic goals.

Why Hacktivists Target Finserv

Because finance is so central to, and interconnected with, wider society, attacks against it tend to cause more harm and panic than those against other industries.

Plus, more so than in the US, "in European countries or Asian countries, oftentimes government and finance go hand-in-hand, so you will often see that adversaries will walk the stack of what they perceive as government-affiliated," Hummel explains.

As an example, he points to Moldova, a country with manifold conflicts with Russia. "Moldova has been hammered over and over for the past six, seven months now by NoName057 and various other groups. They started with government targets, but then they started looking at finance, at commercial banking, education, public transportation. It's a natural extension."

And as if DDoS weren't already easy enough, in Europe, it's become easier in recent years thanks to Payment Services Directive 2 (PSD2), which came into effect in January 2016. Among other things, the European Union (EU) directive required that financial services providers offer open APIs to third-party services.

PSD2 was designed to better integrate the EU payments market but, Akamai points out, it also widened the surface through which attackers could attack affected companies. APIs offer yet another opening for more sophisticated, application-layer DDoS attacks, particularly when they're poorly accounted for.

"What we're finding is that many financial institutions don't know the expanse of their API ecosystem," says Cheryl Chiodi, industry strategy manager for financial services at Akamai. "There could be developers that were working on a project and left what we call a 'rogue' API, or 'shadow' APIs that are connected to the network but aren't really doing anything. And the cybercriminal can find those entry points and use them to do their infiltration of the network."

In its report, Akamai noted "sharp increases" in DDoS attacks targeting APIs. For this reason, Chiodi urges financial services companies to perform API discovery. "That then opens up the aperture, the visibility, so that you know what the API ecosystem [in your organization] is in the first place," she says.
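The API discovery Chiodi recommends usually starts from the traffic the organization already records. The following script is an added example, not code from the article or from Akamai: it parses web-server access log lines, normalizes path parameters so that `/accounts/12345/balance` and `/accounts/99881/balance` collapse into one endpoint, compares what is actually being called against the endpoints the organization has documented, and reports the undocumented ("shadow") ones together with their peak request rate per second. The log lines, the `DOCUMENTED_ENDPOINTS` inventory and the `/api/` prefix are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/2024:10:05:01 +0300] "GET /api/v1/accounts/12345/balance HTTP/1.1" 200 512
10.0.0.6 - - [15/Jul/2024:10:05:01 +0300] "GET /api/v1/accounts/99881/balance HTTP/1.1" 200 498
10.0.0.7 - - [15/Jul/2024:10:05:02 +0300] "POST /api/v1/payments HTTP/1.1" 201 120
10.0.0.8 - - [15/Jul/2024:10:05:02 +0300] "GET /api/v2/internal/export?all=1 HTTP/1.1" 200 90000
10.0.0.9 - - [15/Jul/2024:10:05:03 +0300] "GET /api/v2/internal/export HTTP/1.1" 200 88000
10.0.0.9 - - [15/Jul/2024:10:05:03 +0300] "GET /api/dev/test-hook HTTP/1.1" 500 0
10.0.0.5 - - [15/Jul/2024:10:05:04 +0300] "GET /static/logo.png HTTP/1.1" 200 3000
"""

# Hypothetical documented inventory: what the organization believes its API surface is.
DOCUMENTED_ENDPOINTS = {
    ("GET", "/api/v1/accounts/{id}/balance"),
    ("POST", "/api/v1/payments"),
}

# Extracts timestamp, method, path and status from a combined-log style line.
LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize_path(path):
    """Drop the query string and replace numeric / hex-like path segments with {id}."""
    path = path.split("?", 1)[0]
    parts = []
    for segment in path.split("/"):
        if segment.isdigit() or re.fullmatch(r"[0-9a-fA-F-]{16,}", segment):
            parts.append("{id}")
        else:
            parts.append(segment)
    return "/".join(parts)


def discover(log_text, documented, api_prefix="/api/"):
    """Build an endpoint inventory from log lines.

    Returns {(method, normalized_path): {"count", "peak_rps", "statuses", "shadow"}}.
    "shadow" is True when the endpoint is not in the documented inventory.
    """
    per_endpoint = defaultdict(lambda: {"count": 0, "per_second": defaultdict(int),
                                        "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        path = m.group("path")
        if not path.startswith(api_prefix):
            continue  # only API traffic is of interest here
        key = (m.group("method"), normalize_path(path))
        entry = per_endpoint[key]
        entry["count"] += 1
        entry["per_second"][m.group("ts")] += 1  # timestamp has one-second resolution
        entry["statuses"][m.group("status")] += 1

    report = {}
    for key, entry in per_endpoint.items():
        report[key] = {
            "count": entry["count"],
            "peak_rps": max(entry["per_second"].values()),
            "statuses": dict(entry["statuses"]),
            "shadow": key not in documented,
        }
    return report


def shadow_endpoints(report):
    """Sorted list of (method, path) keys that are called but undocumented."""
    return sorted(key for key, info in report.items() if info["shadow"])


if __name__ == "__main__":
    inventory = discover(SAMPLE_LOG, DOCUMENTED_ENDPOINTS)
    for key, info in sorted(inventory.items()):
        flag = "SHADOW" if info["shadow"] else "known "
        print(f"{flag} {key[0]:5} {key[1]:35} calls={info['count']} "
              f"peak_rps={info['peak_rps']} statuses={info['statuses']}")
```

On the constructed sample, the two balance lookups fold into the documented `{id}` endpoint, while `/api/v2/internal/export` (query string stripped) and `/api/dev/test-hook` surface as shadow endpoints; the `peak_rps` figure is the same per-endpoint request-rate view that makes an application-layer flood against a forgotten endpoint visible.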

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
