Russian Hacktivists Overwhelm Spanish Sites With DDoS

Cyber Security Threat Summary:
“A leading Spanish research institute has become the latest organization in the country to come under cyber-attack from Russia, after a weeks-long DDoS campaign that appears to be geopolitically motivated. Local reports claimed that prolific hacktivist group NoName057 is responsible for the DDoS blitz, which impacted at least 72 websites between July 19 and 30” (Info Security Magazine, 2023).

The attacks have impacted banks, telecom providers, media and tourism companies in the latest campaign. Impacts began following a trip by Prime Minister Pedro Sanchez to Kyiv in which he expressed Spain’s support of Ukraine. Victim websites included La Moncloa, the official residence of the PM, the Constitutional Court, the ministries of justice and territorial policy, and Ministry of Defence agency Isdefe.

Security Officer Comments:
NoName057 has been linked to previous attacks on organizations in Ukraine allies Poland and Lithuania as well as presidential candidates competing in the Czech Republic. While DDoS attacks are more of a nuisance that overly impactful, carrying out these attacks is inexpensive and relatively easy, especially for less sophisticated threat actors.

Another hacking group KillNet, has been quite active since the start of the Russian invasion of Ukraine. Recently, Killnet has been targeting government websites, banks and airports with a coordinated distributed denial-of-service (DDoS) campaign, a relatively unsophisticated attack which works by directing high volumes of internet traffic towards targeted servers in order to knock them offline.

We expect hacktivist activity from Russian hacktivists groups to continue to target opponents of Russia.

Suggested Correction(s):
DDoS attacks are difficult to defend against as legitimate vs illegitimate packets are hard to distinguish between. Typical DDoS attacks will either abuse bandwidth or applications.

There are various methods of defending against DDoS attacks.

Sinkholing: In this approach, all traffic is diverted to a “sink hole” where it is discarded. The problem with this method is that both good and bad traffic is removed, and the business loses actual customers.

Routers and firewalls: Routers can be used to stop attacks by filtering nonessential protocols and invalid IP addresses, but when a botnet is using a spoofed IP address, this makes the filtering process worthless. Firewalls also have difficulties when actual IP addresses are spoofed.

Intrusion-detection systems: These solutions can leverage machine learning to recognize patterns to automatically block traffic through a firewall. These technologies are not always automated and may require fine tuning to avoid false positives.

DDoS mitigation appliances: Various vendors make devices designed to sanitize traffic through load balancing and firewall blocking. Organizations have had varying levels of success with such products, some legitimate traffic will get blocked, and some bad traffic will still get through.

Over-provisioning: Some organizations choose to leverage extra bandwidth to handle sudden spikes in traffic during a DDoS attack. This bandwidth is often outsourced to a service provider who can pick up the bandwidth during an attack. As attacks grow larger, this mitigation technique may become more expensive and less viable.

More information on DDoS Attacks by CISA: