Hackers got more time off this Christmas as a present from law enforcement: Europol this week coordinated a takedown across 15 countries that seized 27 of the most popular distributed-denial-of-service (DDoS) platforms and took them offline.
Known as “booter” and “stresser” websites, these platforms let cybercriminals and hacktivists flood targets with illegal traffic, rendering websites and other web-based services inaccessible.
Taken down as part of an ongoing international crackdown called “PowerOFF,” the DDoS platforms also launched attacks on numerous government sites in the United States: the Department of Justice, FBI, Homeland Security Investigations, and the Defense Criminal Investigative Service (DCIS).
“The festive season has long been a peak period for hackers to carry out some of their most disruptive DDoS attacks, causing severe financial loss, reputational damage and operational chaos for their victims,” said a Europol press release. “The motivations for launching such attacks vary, from economic sabotage and financial gain to ideological reasons, as demonstrated by hacktivist collectives such as Killnet or Anonymous Sudan.”
Europol’s takedown of 27 DDoS-for-hire platforms as part of “Operation PowerOFF” is certainly a commendable achievement for law enforcement agencies, said Tom Hegel, principal threat researcher at SentinelLabs. Hegel said these platforms have enabled widespread abuse, impacting individuals, organizations, and critical infrastructure worldwide, so their removal represents a meaningful step in combating the threat.
“However, the question of whether such takedowns are ‘working’ is more complex,” said Hegel. “Historically, efforts like these do disrupt criminal operations temporarily and send a strong signal that these activities won’t be tolerated. Yet, they don’t always lead to a lasting reduction in the underlying issue. Cybercriminals often adapt quickly, setting up new services or switching tactics. For instance, decentralized platforms or private networks might emerge as replacements. Additionally, the targeted attacks on U.S. agencies underscore how accessible and impactful these services have become.”
Damir J. Brescic, chief information security officer at Inversion6, added that the success of these takedowns makes it obvious that law enforcement’s overall commitment to combating cybercrime has yielded results. However, Brescic said that from a long-term effectiveness standpoint, whether such actions reduce the prevalence and impact of these types of attacks is still up for debate.
“While these stories do get sensationalized in the media, from an overall industry perspective these types of successes are only addressing a small portion of the DDoS threat landscape,” said Brescic. “Since Covid, there has been an excessive uptick in these types of nefarious platforms that can be found on the dark web, where threat actors of various experience levels can gain the necessary tools to launch these types of attacks.”
What’s sometimes lost in these types of articles, said Brescic, is the fact that threat actors have multiple tools and methods available to them. A great example of this is botnet technology, used to carry out attacks that are often much more difficult to detect and take down.
“Additionally, even when these platforms are taken down, another threat actor can quickly emerge in their place,” said Brescic. “These takedowns do not address the root cause of DDoS attacks. Many of these attacks are launched in response to political or economically motivated situations, and taking down a platform will not change those motivations. As long as there’s demand for a DDoS service, threat actors will find a way to meet the demand, even if it means creating new platforms.”
Ken Dunham, cyber threat director at the Qualys Threat Research Unit, said law enforcement actions do make a difference, but the outcome always depends upon how adversaries choose to respond. Dunham said that in some cases, pressure and arrests result in the release of source code, which can bring a surge of attacks using sophisticated attack code that was formerly private; releasing code that was once exclusively held also gives its authors a form of plausible deniability.
“In other cases, arrests can cause actors to move away from a code base or campaigns that were formerly a notable threat,” said Dunham. “In other situations, actors adapt, like cockroaches that simply move to another room when you move the couch, when pressure is applied, taking on new codes and tactics to further nefarious means and motives.”
Sarah Jones, cyber threat intelligence research analyst at Critical Start, said law enforcement’s commitment to combating cybercrime is evident in the recent coordinated takedown of DDoS attack platforms. Jones said while these platforms are often marketed as legitimate tools for stress testing, they are frequently misused to facilitate malicious attacks.
“By dismantling these services and identifying over 300 customers, law enforcement agencies aim to disrupt the entire ecosystem, addressing both the supply of these tools and the demand from those who use them for illegal activities,” said Jones. “The long-term effectiveness of such measures, however, remains questionable. Cybercriminals are highly adaptive and have historically shown resilience by migrating operations or establishing new platforms. The LockBit takedown in February, for instance, demonstrated how quickly a cybercrime group can pivot and resume activity after a disruption.”
© Copyright 2024 CNB Tel. All rights reserved