Over the past few years, politically motivated threat actors have increasingly gone online to find allies for their causes. While ten years ago most hactivism like this was anonymous, modern actors favoring certain political elements or governments leverage a broader ecosystem. Since Distributed Denial of Service (DDoS) attacks require little technical skill, they offer a low barrier to entry for people who want to help a cause despite being located outside of the impacted geographics region.
As the geopolitical landscape continues to evolve, understanding how groups crowdsource DDoS attacks to enhance impact gives organizations a way to protect themselves more effectively.
To learn more, check out our full report Crowdsourced DDoS Attacks Amid Geopolitical Events or keep reading for the highlights.
What is a Distributed Denial of Service (DDoS) attack?
In a DDoS attack, threat actors flood a target server with excessive internet traffic. In response, the server is unable to send responses, meaning that the application or network no longer works as intended.
Although these attacks are neither sophisticated nor new, they have a greater impact on businesses and customers in a digitally transformed world. Today, a DDoS attack can take down everything from patient and physician portals to government services. Increasingly, governments recognize the impact that these attacks have, as evidenced by the Latvian government designating the “Killnet” group a terrorist organization.
Some recent examples that show the impact DDoS attack can have on critical services include:
- 5000 Kenyan government services being offline for a week, including passport renewal and train booking systems
- Canada’s Border Services Agency experiencing physical delays at checkpoint
- Microsoft Outlook and Azure going offline in June 2023
What it Means to “Crowdsource a DDoS”
Hacktivist groups use dark web forums and public Telegram channels to find people sympathetic to their causes the same way average citizens use a platform like GoFundMe. By making their needs public, hacktivists can get other people to share their attack tools, enabling them to expand an attack’s scale by bringing in more users. With more devices sending requests to a target IP, server, or website, the DDoS attack will be more successful.
By sharing targets and their respective port numbers, hacktivist groups can orchestrate significant attacks against prominent domains because the DDoS tools have a lower barrier for entry for people with less technology experience. While infecting enough devices to create a botnet requires resources to develop a malware, crowdsourcing eliminates that cost. With a few volunteers who share the same political ideology, a group and share an attack tool and engage in loose coordination across a few thousand volunteers, enabling them to deploy a large-scale DDoS attack.
The rise of Telegram eliminates the need to have specialized skills for accessing the dark web. Hacktivist groups create Telegram channels that provide like-minded individuals an easy way to join them. These channels typically share the attacks’ outcomes with a live stream of screenshots from showing:
- Website unavailability
- 502 errors
- Bad gateways
- 429 errors
While creating a dark web forum is time consuming and accessing one requires unique skills, Telegram offers the following benefits:
- Instant messaging capabilities, including emojis
- Easy creation and deletion of channels
- Ability to click “like” or “share” for easy image dissemination
- Ineffective moderation allowing groups to stay online without anyone detecting or erasing the channels or accounts
We’ve identified three categories of victims in our research:
- Government ministries: high level prominent website representing official governments and bodies
- Innocent bystanders: organizations related to the country but not involved in the conflict, like hospitals, schools, retail organizations, banks
- Sympathetic geographic regions: targeting companies after their home country announces providing aid to one member of the conflict
Crowdsourcing DDoS in the Real World
The tool creators use open source software and make the tools publicly available, giving researchers insights into how the technology’s work. Additionally, the open source nature makes it easier for threat actors to copy/paste from known working models so they can more rapidly deploy their own models.
Over the last few years, some hacktivist groups have begun commodifying and monetizing their activities to expand their reach beyond people aligned to their political philosophies and attract people who want fast money.
IT Army of Ukraine
The first explosion of crowdsourced DDoS attacks began with Russia’s invasion of the Ukraine in early 2022. Two days after the initial invasion, the IT Army of Ukraine, a volunteer-based collective, sprang into action and found support from the country’s official government with ministers of technology putting out a tweet that invited people to join the Telegram channel. Targeting prominent Russian and Belarusian digital assets, the group created several tools intended to cripple aggressor economies, including:
- MHDDoS: “user-friendly” interface that automatically downloads and selects working proxies rather than requiring VPN
- DB1000N (“Death by 1000 Needles”): Go-based tool
- Distress: Rust-based tool
- ADSS (Automatic DDoS Server Starter): shell script for Linux that automates self-updating, determining operating system version, installing DDoD tools and firewall, and setting to automatically start during Linux boot
- UKITA (Ukraine IT Army Installer): all-in-one suite for Windows
- UAshield: DDoS tool with a custom leaderboard to incentivize volunteer participation
The IT Army of Ukraine also creates “leaderboards” that appeal to users’ competitive nature.
NoName057(16)
Launched in March 2022, this pro-Russian group provides a custom multi-platform tool named “DDoSia” for simplified attack crowdsourcing that targets American and European entities, like:
- Government websites
- Banks
- Healthcare organizations
- Schools
- Municipal governments
NoName057(16) built on the leaderboard model to include monetary compensation using cryptocurrency wallets attached to the user’s Telegram address so that they can receive weekly payment tied to their proportional impact.
Cyber Army of Palestine
Launched on October 14, 2023, the Cyber Army of Palestine engages primarily in anti-Israel DDoS campaigns using a recycled version of the IT Army of Ukraine’s UAShield tool. Politically aligned with Hamas, the group’s logo and infographics use “Tufan al-Aqsa” which translates to Al Aqsa Flood, the nickname used for the October 7 attack on Israel.
The Telegram channel has engaged administrators and volunteers answering questions and sharing political imagery. Its tool dynamically pulls targets at coordinated attack times, so all users need to do is launch the tool and keep it running in the background. The group administrators push the targets to the tool so the attack commences automatically.
The group uses a Hamas-themed rank system that incentivizes participation by linking successful DDoS contributions connected to HTTP GET requests sent to the ranks of key Hamaz figures. The scale ranks users from 0 to 24, with levels that include:
- Rank 12: Yahya Ayyash, bombmaker assassinated in 1996
- Rank 17: Mahmoud al-Mabhouh, military commander assassinated in Dubai in 2010
- Rank 23: Sheikh Ahmed Ismail Hassan Yassin, Hamas founder and spiritual leader assassinated in a 2004 airstrike
- Rank 24: Izz ad-Din al-Qassam, nationalist and Islamic militant leader from 1930s after whom Hamas named its militant wing
The Cyber Army of Palestine is the first hacktivist group that actively pairs its DDoS attack capabilities with a specific geopolitical group.
Mitigations
To protect themselves, organizations need a defense-in-depth approach that includes technology and information.
Content Delivery Network (CDN)
A CDN can distribute incoming traffic to dilute an attack’s impact. By concealing the server’s real IP address, the CDN makes executing a direct Layer 4 attack more difficult.
Firewalls
Organizations can choose various options in their CDNs and firewalls to mitigate risk, including:
- Set rate limiting to send one request per minute
- Use IP scoring to see connections from VPNs
- Use geoblocking to mitigate risks of inbound traffic, especially for organizations that focus on their local communities, like hospitals or public school districts
Threat Intelligence
Proactive online forum and threat actors communications monitoring provides insights about potential attacks targeting the organization. A threat intelligence tool can:
- Provide automated alerts when threat actors mention the company’s domain on the dark web or in Telegram channels
- Identify when hacktivists mention a company’s IP addresses or name
- Give advanced warning since crowdsourced attacks discuss a specific future time
With a threat intelligence platform, companies can prepare for and mitigate risks of the high volumes of HTTP traffic that DDoS attacks generate.
How Flare Can Help
The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and illicit Telegram channels 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools.
Learn more by signing up for our free trial.
