Attack on Sweden’s Media


The online editions of Sweden's media elite were knocked offline for several hours on March 19th. Hackers were able to cripple the media organizations with volumetric DDoS attacks, resulting in 3 hours of downtime for several media outlets, including Dagens Nyheter, Svenska Dagbladet, Expressen, Aftonbladet, and others.

Download a Copy Now

Abstract

The online editions of Sweden's media elite were knocked offline for several hours on March 19th. Hackers were able to cripple the media organizations with volumetric DDoS attacks, resulting in 3 hours of downtime for several media outlets, including Dagens Nyheter, Svenska Dagbladet, Expressen, Aftonbladet, and others.

The attack traffic originated from a computer network in Russia, though these machines could have possibly been hijacked. Since the beginning of 2016, improvements to DDoS attack tools have made them more powerful and allowed perpetrators to generate high volumes of traffic, challenging the most sophisticated network protection solutions (see Figure 1).

Background

On Saturday March 19th, an unknown source launched a series of coordinated denial of service attacks against a number of Swedish newspapers. Early reports suggested that Russia was behind the attack following a Swedish announcement on having to adopt a military strategy considering Russia's alleged "aggression."1

An attacker on twitter going by the name J, @_notJ, claimed responsibility for the attacks, citing that Swedish newspapers are spreading false propaganda (see Figure 2).

2 Sweden's Minister of Interior stated that the police have launched an investigationii and that the government is following the situation closely (see Figure 3). This evidence is based off of public network statistics found on Netnodiii. Forty-eight hours later, the account of J @_notJ was suspended, most likely by authorities.

Reasons for Concern

Numerous, high-profile media outlets around the world (including CBS.com) have faced denial of service attacks that caused network outages and website downtime, resulting in reputational and financial losses due to consumers turning to other outlets to receive their news.

Attacks that target news and media sites can range from nation state attackers attempting to silence media outlets to hackers testing and demonstrating the power of their stresser services. On March 18th the New World Hackers conducted a test of their stresser service that resulted in an hour long outage for CBS.com (see Figure 4). This group has also targeted the BBC with an alleged 602Gbps attack that crippled their network and affected many of BBC's services.

Targeted Sites (Confirmed)

  • SvD.se
  • Aftonbladet.se
  • Expressen.se
  • DN.se
  • GP.se
  • DI.se
  • HD.se
  • Sydsvenska.se

Suspected Attack Vectors

DNS

Attackers send frequent spoofed DNS request packets. The victim's DNS servers proceeds to respond to all requests until becoming overwhelmed.

Reflective NTP

Very hard to detect since attackers spoof a victim's NTP infrastructure. Requests look 100% normal, amplifying the target's responses by both size and frequency, thus taking them offline.

SNMP Reflection

Generating large responses to small queries. Attackers send requests with IPs belonging to the victim and tricks servers until it is flooded with data.

Scope and Volume

What's Expected Next?

Currently, denial of service attacks against Swedish media outlets appear to be over and affected websites are back online. Before the suspension of its Twitter account, the alleged attacker, J @_notJ, threatened additional attacks until Sweden changed its official news stance (see Figure 7).

Organizations Under Attack Should Consider

Effective DDoS protection elements:

  • A hybrid solution that includes on premise detection and mitigation with cloud-based protection for volumetric attacks. This provides quick detection, immediate mitigation and protects networks from volumetric attacks that aim to saturate the Internet pipe.
  • Solution must distinguish between legitimate and malicious packets, protecting the SLA while rejecting attack traffic.
  • An integrated, synchronized solution that can protect from multi-vector attacks combining DDoS with web-based exploits such as website scraping, Brute Force and HTTP floods.
  • A cyber-security emergency response plan that includes an emergency response team and process in place. Identify areas where help is needed from a third party.

Radware's hybrid attack mitigation solution provides a set of patented and integrated technologies designed to detect, mitigate and report todays most advanced threats. Dedicated hardware and cloud solutions protect against attacks in real time and help ensure service availability.

Under Attack and in Need of Expert Emergency Assistance?

Radware offers a full range of solutions to help networks properly mitigate attacks similar to these. Our attack mitigation solutions provide a set of patented and integrated technologies designed to detect, mitigate and report todays most advanced DDoS attacks and cyber threats. With dedicated hardware, fully managed services and cloud solutions that protect against attacks, Radware can help ensure service availability. To understand how Radware's attack mitigation solutions can better protect your network contact us today.



Click here to download a copy of the ERT Threat Alert. Download Now