Bad actors launched an unprecedented wave of DDoS attacks in 2020

Cybersecurity firm Akamai said in a report that COVID-19 and a newfound reliance on digital tools prompted a spike.


For many enterprises, 2020 was a tough year for cyberattacks, with dozens suffering from devastating DDoS attacks due to the newfound reliance on digital tools, according to a new report from cybersecurity firm Akamai. 


In its report, “Retrospective 2020: DDoS was Back — Bigger and Badder than Ever Before,” the company found that it had more customers attacked in November 2020 than any prior month going back to 2016. The company had more customers attacked over 50Gbps in August 2020 than any month before, another record that dates back to 2016. 

“In fact, across all attacks, 7 of the 11 industries we track saw more attacks in 2020 than any year to date. Think about that. This was led by huge jumps in Business Services (960%), Education (180%), Financial Services (190%), Retail & Consumer Goods (445%), and Software & Tech (196%),” the report said. 


“During Cyberweek 2020 alone we saw: 65% more attacks launched against our customers vs Cyberweek 2019, the number of customers targeted was up 57% YoY, and threat actors launching attacks across an expanded industry base.”

Tom Emmons, Akamai’s principal product architect, said in an interview that he and other researchers observed a “significant evolution in DDoS attacks throughout 2020, maybe the most DDoS disruption of any year on record.” 

Emmons said the rise in the number of customers seeing attacks, the steady growth in large attacks, and the shift in industries targeted were startling and disturbing to see.

“As more and more activity moved online (work, shopping, learning, etc) due to COVID-19-related restrictions and behavioral adjustments, it made internet-facing infrastructure more important. Not long after COVID-19 hit, attacks started trending up and really just continued to accelerate as the year progressed. The basic idea here is the more important something is, the more likely to be attacked,” Emmons said. 

“We saw attackers who clearly did their homework on scouting out targets in a well-coordinated manner. The most interesting thing the DDoS extortionists are doing is choosing good targets, and managing to get their emails and chats through to the right folks, navigating spam filters, and unread boxes.” 

The report cites a number of record-breaking attacks, including a 1.44 Tbps attack against a major bank in Europe as well as an 809 Mpps attack on an internet hosting provider. According to the study’s findings, some of the largest DDoS extortion campaigns took place in 2020 and the numbers only continued to grow throughout the year. 

Akamai reported that more of its customers were attacked than any other year on record since 2003, with one industry seeing a 960% increase in the number of attacks. 

The steep increase in attacks was attributed to COVID-19, which forced almost every enterprise into using some form of digital tools in order to survive. Emmons also noted that there have been improvements in the tools used for DDoS attacks, allowing less experienced attackers to go after big targets. 

When researchers mapped it out, the timing of the increases in attacks coincides perfectly with the start of the COVID-19 pandemic, particularly in Europe and the US. 

“Customers and prospects shifted to focus on protecting VPNs and communications endpoints more than ‘generic’ data centers, as their risk profile and postures rapidly evolved,” the report said. “Looking back, as businesses across all industries had to adapt to remote work and the increasing reliance on internet connectivity, it’s clear that more and more types of organizations would be attractive and lucrative targets for DDoS threat vectors.”

The report adds that the complexity of the attacks was also concerning considering the number of attack vectors and botnet tools used. In 2020, Akamai reported that 65% of the DDoS attacks they dealt with involved “multi-vector assaults” and “as many as 14 different DDoS vectors were noted in a single attack.”

There was a significant increase in extortion-related DDoS attacks that began in August, but the unnerving aspect for Akamai researchers was the specificity of the surveillance done before the attacks.

“A notable characteristic of this campaign was the level of reconnaissance conducted by the attackers prior to sending the extortion letters. The bad actors were highly targeted in their threats and wanted victims to know that they had uncovered specific weaknesses across internet-facing infrastructure or had identified revenue-impacting IPs that would be taken offline unless their Bitcoin extortion demands were met,” the report said.

“The 2020 campaign also signaled a significant shift in the types of industries typically targeted — a foreshadowing of future DDoS activity — with the threat actors pivoting from one vertical to the next depending on the week, in some cases circling back to organizations who had been previously victimized. As is the case with extortion, criminal rings won’t stop until arrests are made, and the fact that the extortion campaigns are ongoing indicates businesses are caving to their demands, which further incentivizes the activity.”

When asked about the motivations behind this increase in attacks, Emmons said most were generally launched for money, either through extortion or by attempting to damage an organization financially through disruption.

Society’s overwhelming reliance on digital tools made it easy for attackers to go after “low hanging fruit.”

The study notes that Akamai continues to see extortion-related attacks that led to a “record emergency onboarding of new customers,” with the report adding that this was a signal that the problem seems likely to persist well into 2021.

“All signs point to continued DDoS attack growth. Not one of the indicators we track is flat or trending down,” Emmons said.

“We’ve got more new customers doing emergency integrations than ever, and the percentage of customers running always on vs. on-demand defenses is at an all-time high. When in doubt follow the customers.”
