2022 was a turbulent year full of regional conflicts. NSFOCUS Global Threat Hunting System detected a large number of DDoS attacks worldwide in 2022, with some governments and banks suffering the largest attacks in their history.
Launching a DDoS attack is not expensive but can paralyze critical infrastructure and network systems, bringing huge economic losses and damaging the victims’ reputation. Plus, attack tools and services are easy to access, so DDoS attacks have always been one of the most common attacks in cyberspace.
NSFOCUS keeps tracking and analyzing DDoS attack trends and publishes the DDoS attack landscape report each year to help organizations build dynamic protection schemes to defend against increasingly complicated DDoS attacks. The 2022 Global DDoS Attack Landscape has been published recently. According to the report, DDoS threats have maintained consistent growth over the past four years and terabit DDoS attacks frequently emerged.
Here we compiled a list of significant DDoS attacks in 2022. Combined with the 2022 Global DDoS Attack Landscape, we hope we can help you to know the trends to keep an eye on for 2023 and plan/adjust your DDoS mitigation solution in advance.
The Nobel Foundation and the Norwegian Nobel Institute disclosed a cyber-attack that unfolded during the award ceremony on December 10, 2021. As revealed, the institution’s site was hit by a DDoS (distributed denial of service) attack which aims to overwhelm a website with high volumes of “garbage” traffic and a large number of bogus connection requests. “The cyberattack subjected the websites to extremely high loads and was designed to try to prevent our ability to update and publish new information about the Nobel Prize and the achievements of the Nobel Laureates,” details the official announcement.
Vodafone Portugal suffered a cyberattack causing country-wide service outages, including the disruption of 4G/5G data networks, SMS texts, and television services.
The Ministry of Defense and the Armed Forces of Ukraine and two of the country’s state-owned banks, Privatbank (Ukraine’s largest bank) and Oschadbank (the State Savings Bank), are being hammered by Distributed Denial-of-Service (DDoS) attacks.
The Russian government released a massive list containing 17,576 IP addresses and 166 domains that it said are behind a series of distributed denial-of-service (DDoS) attacks aimed at its domestic infrastructure. Some of the noticeable domains in the listing released by Russia’s National Coordination Center for Computer Incidents (NCCCI) included those of the U.S. Federal Bureau of Investigation (FBI) and Central Intelligence Agency (CIA).
Israel’s National Cyber Directorate confirmed that a denial-of-service (DDoS) attack against a telecommunications provider took down several government sites, as well as others not affiliated with the government. The incident led the Directorate to briefly declare a state of emergency, while sources said the cyberattack was the largest ever against Israel. The sites for the Israeli departments of interior, health, justice, welfare and even the Prime Minister’s office were taken offline due to such a large-scale attack.
Beijing’s health code app, known as Jiankangbao, suffered a cyber attack from overseas on April 28. The attack occurred when the use of the application was at its peak, and a preliminary analysis showed that the hack originated from overseas, said Wei Bin, vice director of the news division of the publicity department of the CPC Beijing Committee, at a press conference on pandemic control. The attack was thwarted effectively and in time by the app’s maintenance team, and services were not affected. The threat actor used the disclosed malicious code family Fbot as the attack weapon. The botnet maps three C&C domain names to multiple IP addresses through DNS for load balancing.
From March 29 to April 10, 2022, the total number of unique Fodcha bots (IPs) has exceeded 62,000, and daily numbers fluctuate around 10,000. The top provinces that the bots are coming from are the Shandong Province (12.9%), the Liaoning Province (11.8%) and the Zhejiang Province (9.9%). The service providers that these bots originate from are China Unicom (59.9%), China Telecom (39.4%), and China Mobile (0.5%).
On May 6, 2022, Sberbank says it repelled the biggest DDoS attack it has ever seen, measured at 450GB/sec. The malicious traffic that supported the attack against Sberbank’s main website was generated by a botnet with 27,000 compromised devices located in the United States, the U.K., Japan, and Taiwan.
Italy’s Computer Security Incident Response Team (CSIRT) disclosed the attacks on the country’s government, ministry, parliament, and even army websites. The CSIRT warned that attackers used the “Slow HTTP” technique and characterized “slow HTTP” as an unusual type of DDoS attack, warning system administrators that their existing defenses may not be effective if they are not targeted towards the attack. Pro-Russian hacktivists known as the Killnet group claimed responsibility for the attacks.
Norway’s National Security Authority (NSM) published a statement warning that some of the country’s most important websites and online services are being rendered inaccessible due to distributed denial of service (DDoS) attacks. The statement further explains that a criminal pro-Russian group is believed to be behind the attacks.
Lithuanian energy company Ignitis Group was hit by what it described as its “biggest cyber-attack in a decade” when numerous distributed denial of service (DDoS) attacks were aimed at it, disrupting its digital services and websites. Pro-Russian hacking group Killnet claimed responsibility for the attack on its Telegram channel, making this the latest in a series of attacks launched by the group in Lithuania due to that country’s support for Ukraine in the war with Russia.
Google says it blocked an HTTPS-based DDoS attack that peaked at 46 million requests per second, at least 76% larger than the previously reported record. According to experts, the attack involved more than 5,000 IP addresses from 132 countries, with around 30 percent of the traffic coming from Brazil, India, Russia, and Indonesia. The geographical distribution and botnet characteristics suggest the use of the Mēris family.
Lumen Technologies successfully mitigated a 1.06Tbps attack that was part of a larger campaign targeting a single victim. Lumen reported stopping an attack with a capacity of over 1 terabyte per second on the servers of its client. At the time of the attack, the target servers were hosting a gaming service. In the week leading up to the incident, the attackers tested various DDoS methods and studied the victim’s protection capabilities by issuing commands to bots from three different C2 servers.
The LockBit ransomware operation’s data leak sites have been shut down over the weekend due to a DDoS attack telling them to remove Entrust’s allegedly stolen data. In late July, digital security giant Entrust confirmed a cyberattack disclosing that threat actors had stolen data from its network during an intrusion in June. LockBit claimed responsibility for the attack and began leaking data. This leak consisted of 30 screenshots of data allegedly stolen from Entrust, including legal documents, marketing spreadsheets, and accounting data. Soon after they started leaking data, researchers began reporting that the ransomware gang’s Tor data leak sites were unavailable due to a DDoS attack.
According to the data from the NSFOCUS Global Threat Hunting System, the trend of DDoS attacks against Brazil was unusual in 2022. There was a significant increase in July and August, which was suspected to be related to the upcoming Brazilian election in October. In a series of DDoS attacks monitored by NSFOCUS Global Threat Hunting System, critical sectors including government agencies, educational institutions, news agencies, and communication operators in Brazil were attacked.
Russian resources suffered from DDoS attacks by pro-Ukrainian hacktivists. Victims included the Unistream, Korona Pay, and Mir payment systems, as well as the Russian National Payment Card System, which ensures the operation of Mir and the Faster Payments System. What’s more, activists brought down the website, call center, and SMS provider of Gazprombank; Otkritie Bank noted disruptions to its internet banking service and mobile app, and SberBank reported 450 repelled DDoS attacks in the first two months of Q3. According to SberBank, this is the same number as in the previous five years put together.
The pro-Russian hacktivist group ‘KillNet’ claimed large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S., making them inaccessible. Notable examples of airport websites that were unavailable include the Hartsfield-Jackson Atlanta International Airport (ATL), one of the country’s larger air traffic hubs, and the Los Angeles International Airport (LAX), which is intermittently offline or very slow to respond.
Sberbank, the most important bank in Russia, repelled one of the biggest cyber attacks in its history, which lasted 24 hours and seven minutes, the institution’s vice-president, Stanislav Kuznetsov, said. The DDoS attack involved at least 104,000 hackers with at least 30,000 computers located in different countries, Kuznetsov told Rossiya 24 television channel on Tuesday.
A dark web carding market named ‘BidenCash’ released a massive dump of 1,221,551 credit cards to promote their marketplace, allowing anyone to download them for free to conduct financial fraud. BidenCash is a stolen cards marketplace launched in June 2022, leaking a few thousand cards as a promotional move. The threat actors announced the credit card dump on new URLs BidenCash launched in late September in response to DDoS attacks, so it could be a way to promote the new shop domains.
Pro-Kremlin KillNet hackers took down the website of the European Parliament in a DDoS attack that came just hours after the legislative body declared Russia a terrorist state.
Russian brokerage companies were subjected to a wave of the most powerful DDoS attacks in history, which caused technical problems in the operation of their websites and deprived users of access to their services for several hours, StormWall reported. According to the company’s experts, in the past only isolated cases of attacks on brokers were registered, and only for the purpose of extortion. This time there was a truly powerful series of attacks on several companies at once, including BCS, Finam and Otkrytie investments.
Russia’s second-largest financial institution VTB Bank encountered the worst cyberattack in its history after its website and mobile apps were taken offline due to a DDoS attack. “It is not only the largest cyberattack recorded this year, but in the entire history of the bank,” stated a VTB spokesperson. The bank says its internal analysis indicated the DDoS attack was planned and orchestrated with the specific purpose of causing inconvenience to its customers by disrupting its banking services.