DDoS attacks are on their way to becoming the most common cyber threat of recent years, but sometimes they are used to distract businesses while cybercriminals sneak in through the back door. An organization’s online services, such as email, websites, and anything that faces the internet, can be slowed or completely stopped by a DDoS attack.
For data centers, hosting services, and other service providers, DDoS attacks threaten the infrastructure that provides network and service availability to its customers and can also target the most valuable customers. For gaming companies, DDoS attacks are a serious blow to operations, as gamers cannot access their favorite pastime activity. And For Banks, the damage is extremely severe, as customers cannot use online banking services – and these are mere examples.
A successful DDoS attack can seriously damage a brand’s reputation and cost millions of dollars in revenue. In the midst of the chaos and disruption caused by a DDoS attack, cybercriminals often attempt to carry out other malicious activities while security teams are preoccupied with mitigating the DDoS attack.
The practice of using DDoS attacks as a distraction for other cybercrimes has been observed in various instances throughout the history of cybersecurity. Here are a few notable examples:
1. The 2012 South Korean DDoS Attacks:
In March 2013, South Korea experienced a series of DDoS attacks that targeted major government and media websites. These attacks were intended to distract and divert the attention of security personnel while a more serious data breach was carried out.
The actual cyber intrusion involved the theft of sensitive data from banks and other organizations. It was speculated, at the time, that some of the stolen information could have been used for additional Social Engineering attacks, and even Phishing attacks.
2. The 2020 New Zealand Stock Exchange Outages:
In August 2020, the New Zealand Stock Exchange (NZX) experienced multiple DDoS attacks that disrupted its trading operations for several days. It was never confirmed, but it was heavily insinuated that the attacks may have been used to divert attention from other activities, such as data theft or financial fraud.
The DDoS attacks had a significant impact on the NZX’s operations. Trading was disrupted, and the exchange had to halt trading on several occasions due to the inability to handle orders and maintain market integrity. This affected both local and international investors who use the NZX to trade securities. While the exact motives behind the attacks were not immediately clear, they were widely speculated to be financially motivated or aimed at causing disruption to the financial markets.
DDoS attacks on stock exchanges can be used to create chaos in financial markets, potentially affecting stock prices and investor confidence. None of the impacted organizations elaborated on any cyber breach, but due to the nature of stocks and their tendency to drop in value following a hazardous breach, it is easy to understand why an organization would want to keep this information disclosed.
3. The 2016 Dyn Cyberattack:
In October 2016, the “Dyn” DNS provider experienced a massive DDoS attack that disrupted internet services for many major websites and services, including X (then known as Twitter), Netflix, and Amazon.
The attack was executed using a botnet of compromised IoT devices. While the attack itself was disruptive, it was later speculated that it may have been used as a smokescreen to divert attention from other cyber activities, such as data breaches, personal information theft for future social engineering attacks, or other attacks.
4. The 2015 Carphone Warehouse Breach
In 2015, Hackers reportedly swamped the UK-based Carphone Warehouse (a mobile phone retailer) with junk traffic as a smokescreen, before breaking into systems and stealing the personal details of 2.4m customers. Up to 90,000 customers may also have had their encrypted credit card details accessed. Customers with accounts at OneStopPhoneShop.com, e2save.com, and mobiles.co.uk were also potentially affected by the data breach.
While never admitting how this incident was made possible, the attack was carried out while Carphone Warehouse was in the process of merging with Currys to create a new business entity, and it is possible that while merging, the DDoS protection services were exposed and misconfigured.
5. Operation Carbanak (2015-2016):
Operation Carbanak, which spanned from 2015 to 2016, was one of the most high-profile cybercrime campaigns that targeted financial institutions worldwide (including banks, credit unions, and other financial organizations). Its main objective was financial gain. The hacker group behind the operation used a combination of various cyberattack methods, including DDoS attacks as a diversionary tactic.
The initial infection often occurred through spear-phishing emails that tricked employees into clicking on malicious attachments or links. Once inside the network, the attackers would then establish a foothold and start their reconnaissance. DDoS attacks were one of the threat actor’s diversionary tactics. They would launch DDoS attacks against the target’s network to distract and overwhelm security teams, making them focus on mitigating the DDoS threat while the group conducted their primary attacks, using their own Carbanak malware.
While the security teams were occupied with the DDoS attacks, the group would exploit their access to steal money from the financial institutions. This often involved transferring funds to accounts under their control or manipulating financial systems to create fraudulent transactions.
What Can You Do?
The ramifications of a successful DDoS attack can be catastrophic, dealing a severe blow to a brand’s reputation and translating into millions of dollars in lost revenue and reputational damages. Yet, lurking in the shadows of this chaos, threat actors might seize the opportunity to carry out more sinister deeds while security teams battle the DDoS attack.
The only reason for a DDoS attack to succeed is misconfigurations in the DDoS protection deployed, leading to vulnerabilities. For an organization to have complete confidence in its DDoS resilience, it must continuously test its security posture in order to avoid the next successful attack – because the next one could very well be just a smokescreen.