As Geopolitical Tensions Rise, So Do Opportunities for Cybercriminals
When several official government websites in Taiwan were taken down by a series of distributed denial of service attacks (DDoS) in early August, the timing was not random.
The attacks — which targeted the office of Taiwan’s President, its National Defence Ministry, and its Foreign Affairs Ministry — came as U.S. House Speaker Nancy Pelosi was set to visit the island. For Pelosi, the visit demonstrated an “unwavering commitment to Taiwan’s democracy.” For China, which claims Taiwan is a renegade province, the visit was a threat to the peace of the Taiwan Strait.
Hours before Pelosi’s plane touched down at Taiwan Taoyuan International, which was also targeted, the office of Taiwan’s president said it had received 200 times more traffic than on a normal day. As a result, the site was down for approximately 20 minutes.
These attacks are politically motivated, with strong evidence that they were launched by pro-China, patriotic threat actors rather than by the government itself. Unfortunately, it is another example of DDoS attacks being used as geopolitical protest, waged to impact governments and critical infrastructure worldwide. With this trend on the rise, organizations must act now to protect themselves.
DDoS Activity Follows Geopolitical Crises in APAC
Examining the threat landscape over time reveals the relationship between rising geopolitical tensions and DDoS activity. For example, while most geographical regions experienced a decline in the number of DDoS attacks during the last six months of 2021, one outlier saw an uptick in DDoS activity — Asia Pacific (APAC). As detailed in NETSCOUT’s 2H 2021 Threat Intelligence Report, this region accounted for more than 1.2 million attacks during the second half of 2021, representing a seven percent increase from the first half of the same year.
This uptick in attack activity mirrors the rising geopolitical tensions in the region, specifically between China, Hong Kong, and Taiwan. Historically speaking, China has used DDoS attacks as a tool to disrupt online traffic and activities. As such, it is of little surprise that the number of attacks in APAC increased alongside growing geopolitical unrest in the region, with threat actors operating in the area taking advantage of this unrest by launching DDoS attacks to cause maximum disruption.
To better understand how threat actors use cyberattacks in relation to geopolitical tensions, consider several attacks and incidents relating to the APAC region during the second half of 2021. In July, China was widely condemned for launching a series of cyberattacks, ranging from cyber extortion and crypto-jacking to hacks and ransomware. Targets of the attacks, including the U.S., UK, and other global allies, believed the attacks were aimed at capturing trade secrets, business intelligence, and vaccine studies.
In November 2021, the director of Taiwan’s cybersecurity department claimed that the island’s government agencies were targeted by an estimated 5 million cyberattacks and probes per day. Furthermore, Taiwan officials claimed that China had increased the number of cyberattacks launched against its government and organizations in direct correlation to China’s attempts to make the island a part of its own territory. Finally, at least 13 organizations in industries that included defense, healthcare, and transportation were targeted by a suspected Chinese cybersecurity campaign in December. Vulnerable software in more than 600 U.S. businesses played a significant role in this breach taking place.
Security for Organizations in Impacted Nations
When countries experience heightened geopolitical tensions, organizations within their borders can take several steps to prevent DDoS attacks from devastating their online infrastructure.
Perhaps most importantly, enterprises must implement a sturdy DDoS mitigation system to protect their online infrastructure. Secondly, service providers and companies with business-critical public-facing internet properties must maintain a high degree of situational awareness, and continually assess potential risks. During periods of geopolitical unrest, the situation constantly shifts, requiring organizations to keep abreast of what’s happening and how events may impact the threat landscape.
Regular testing of online infrastructure is crucial to prove that updates and adjustments to applications, assets, and services integrate with the DDoS mitigation strategy. Conversely, when the DDoS protection system is adjusted or optimized, those updates must be tested against all of the infrastructural components. A robust testing and validation regime ensures that mission-critical, public-facing features aren’t impacted by an attack.
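The situational awareness described above starts with knowing what normal traffic looks like, so that a surge like the one reported against the Taiwanese presidential office (200 times a normal day's traffic) is flagged the moment it begins rather than after the site is already down. The following is an added example, not code from NETSCOUT or from the article, showing a rolling-baseline detector: it keeps the median request rate over the most recent quiet minutes and raises an alert when a new sample exceeds that baseline by a configurable multiple. The per-minute request counts are constructed sample data, and the 20x alert multiplier is an assumption chosen for illustration, not a value the article gives.

```python
"""Rolling-baseline detection of volumetric traffic spikes (added example)."""
from collections import deque
from statistics import median

# Constructed sample: requests per minute to a public-facing site, one value
# per minute. Normal traffic sits around 500 req/min; the final samples show
# a surge on the order of 200x baseline, in the spirit of the incident above.
SAMPLE_REQUESTS_PER_MINUTE = [
    480, 510, 495, 530, 505, 490, 520, 500, 515, 505,
    25_000, 98_000, 110_000, 105_000,
]

# Minimum number of quiet samples before the baseline is trusted (assumption).
MIN_BASELINE_SAMPLES = 3


def detect_volumetric_spikes(samples, window=10, multiplier=20.0):
    """Return a list of (index, request_count, ratio_to_baseline) alerts.

    samples    -- per-minute request counts in time order
    window     -- how many recent quiet minutes form the baseline
    multiplier -- alert when count >= multiplier * median(baseline)
    """
    baseline = deque(maxlen=window)
    alerts = []
    for idx, count in enumerate(samples):
        if len(baseline) >= MIN_BASELINE_SAMPLES:
            base = median(baseline)
            ratio = count / base
            if ratio >= multiplier:
                alerts.append((idx, count, round(ratio, 1)))
                # Do not feed attack traffic back into the baseline: doing so
                # would raise the "normal" level and hide a sustained attack.
                continue
        baseline.append(count)
    return alerts


def summarize(samples, **kwargs):
    """Human-readable summary of the alerts for an on-call reader."""
    alerts = detect_volumetric_spikes(samples, **kwargs)
    if not alerts:
        return "no volumetric anomalies detected"
    first_idx, first_count, first_ratio = alerts[0]
    return (f"{len(alerts)} anomalous minute(s); first at minute {first_idx}: "
            f"{first_count} req/min, {first_ratio}x baseline")


if __name__ == "__main__":
    for idx, count, ratio in detect_volumetric_spikes(SAMPLE_REQUESTS_PER_MINUTE):
        print(f"minute {idx:>3}: {count:>7} req/min  ({ratio}x baseline)")
    print(summarize(SAMPLE_REQUESTS_PER_MINUTE))
```

Two design choices matter here. The median rather than the mean is used for the baseline so that a single noisy minute cannot drag the threshold up, and minutes that trigger an alert are excluded from the baseline so that a multi-hour attack does not gradually become the new "normal". In practice the same logic would be fed from a reverse proxy or flow collector and the alert would hand off to the mitigation system the article recommends.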
Because they are relatively inexpensive and easy to pull off, protestors and activists will continue to rely on DDoS attacks to disrupt businesses and governments on behalf of their own nations. Even without their government's approval, these actors are more likely to take advantage of political chaos. Organizations, whether government or business, don't need to be collateral damage, because the tools and services to mitigate DDoS attacks are widely available.