NetScout: 10 Million DDoS Attacks in 2020
Researchers Say Pandemic Triggered Surge in Activity
The number of distributed denial-of-service attacks launched in 2020 surpassed 10 million, up from 8.5 million in 2019, according to NetScout's Atlas Security Engineering and Response Team.
DDoS attacks are often waged as part of extortion campaigns, with hackers threatening to escalate attacks if a ransom is not paid.
NetScout noted that the number of DDoS attacks exceeded 800,000 per month starting in March 2020, when the spread of the COVID-19 virus was declared a pandemic, and peaked in May 2020, when 929,000 were launched. By comparison, the number of attacks each month averaged about 725,000 in 2019.
"DDoS attack count, bandwidth and throughput all saw significant increases since the start of the global COVID-19 pandemic," say NetScout researchers Richard Hummel and Carol Hildebrand, citing the company’s findings.
The researchers note the number of malware samples targeting IoT devices last year doubled, compared to 2019. The hackers waging DDoS attacks pushed out malware to pull additional unprotected IoT devices into their botnets to help fuel additional attacks.
Tracking DDoS Attacks
North American entities were hit most often by DDoS attacks in 2020, followed by South Korea, the U.K., Brazil and China, NetScout’s research shows.
Most of the attacks targeted broadband providers. "However, we also observed cloud providers, e-commerce and education break into the top targeted industries in light of the new dynamics with COVID and education and shopping taking place over the internet," the researchers note.
Scale of Attacks Increasing
NetScout found the size of DDoS attacks varied by region, with the largest attack last year - with 1.12 TB of data per second sent - occurring in the EMEA [Europe, Middle East and Africa] region, the researchers say. The fastest attack - at 586 MB per second - was in the Asia Pacific region.
"Notably, the bandwidth and throughput for attacks often change, and we will go long periods of time between very large and very fast attacks,” the researchers say. “However, in most countries and regions, the throughput of attacks continues to increase, while the duration of attacks continues to decrease, resulting in faster, shorter attacks that become more difficult to mitigate.”
Lazarus Bear Armada
The NetScout researchers singled out one DDoS threat group, Lazarus Bear Armada, as being particularly active last year. After originally concentrating on the financial services sector, the group branched out to target larger healthcare enterprises, including insurers, medical testing companies and global pharmaceutical companies.
"Some of these businesses were involved in COVID-19 testing and the development of vaccines,” the researchers say. “While it is doubtful that the attackers aimed specifically to disrupt the work, the fact that these companies had both deep pockets and urgent deadlines made them prime targets."
This year, the Lazarus Bear Armada gang is again targeting organizations it hit last year that refused to pay a ransom when threatened with escalated DDoS attacks. It's threatening them with additional DDoS attacks if they continue to reject paying ransoms, according to the researchers (see: DDoS Attackers Revive Old Campaigns to Extort Ransom).