2024 is the year of the hacktivist. Here’s what that means for the world.

Distributed denial of service  

A denial of service (DoS) attack aims to overload a computer system or network with traffic, making it unavailable to its intended users. A DDoS attack is the more sophisticated version of a DoS attack – DDoS attacks are harder to prevent, because they use multiple coordinated devices to flood the targeted service. Typically, a network of compromised computers (i.e. a botnet) is used to conduct a DDoS attack.  

DDoS attacks are typically short-lived; however, an overloaded server can cause significant downtime that affects services for extended periods. Typically, DDoS attacks target customer landing sites, login pages and application programming interfaces (API) because they have a significant impact on the user base.   

Not only are DDoS attacks hard to prevent, but they can also:

• cause significant reputational damage;   
• harm search engine optimisation (SEO) – meaning that a website becomes less visible to search engines like Google; and   
• create recovery costs.   

DDoS attacks may also be used as a distraction for other, more damaging attacks (such as ransomware). This highlights the need for meticulous planning and testing of DDoS incident responses.

Graph 1: Total number of daily DDoS attacks across a range of groups tracked by Thomas Murray

Government offices/agencies make for favoured targets, as hacktivists view disrupting their operations as key to bringing their political agendas and ideologies to public attention. Logistical hubs, on the other hand, make for prime targets because supply chain disruption causes high levels of economic loss and can create chaos.   

The banking and financial sector is also becoming an increasingly important target for hacktivist groups. 

Why banks?  

After the initial invasion of Ukraine on 12 March 2022, SWIFT disconnected seven Russian banks to comply with EU Council Regulation 2022/345. Pro-Russian hacktivist groups have attacked banks in Europe or NATO-aligned nations and made direct reference to this decision in their public posts. The aim is to make the population of these target states experience the same levels of frustration and inconvenience as Russian nationals.  

Banks tend to have large user bases, so targeting them can cause significant disruption. The hope is that the affected users will become disillusioned with their country’s support of Ukraine. Although downtime is usually minimal, operational delays can be serious.  

A strict regulatory environment applies further pressure to banks, and threat actors play on their fears of fines and reputational damage. Furthermore, interrupting services could make the country’s financial infrastructure appear unstable, with implications for the wider economy.  

Successful attacks against central and global banks burnish an adversary’s reputation and highlight their capabilities. The adversary will show off their ability publicly, and these sorts of attacks often make the news and local media. This attention helps spread the adversary’s political aims and ideology.  

February 2023 was a key turning point; Anonymous Sudan began targeting Swedish and Danish entities before joining pro-Russian groups in switching its focus to other NATO-aligned targets. It is also important to note that these groups also have a declared collaboration with members of the former ransomware gang REvil.

Based on both the profiles of those targeted and Thomas Murray’s analysis of the posts made by adversaries in which they explicitly state why they are choosing specific targets, figure 1 shows those entities most at risk from sustained DDoS attacks.   

Targets are chosen based on their perceived geopolitical alignment, even though this may not be accurate. What matters is the adversary’s perception of the target’s sympathies.

Figure 1: Who is at risk?  

Summary  

Hacktivist groups have already promised further attacks on banks and the wider financial industry. This is, in part, because of the widespread economic and humanitarian impact of the sanctions on Russia. These threats, when coupled with the data collected by Thomas Murray, are evidence that 2024 will be an especially difficult year for the global financial sector when it comes to fending off cyber attacks.   

Recommendations  

• Understand your organisation’s attack surface. This will help protect against adversaries exploiting its vulnerabilities. Thomas Murray’s Orbit Risk can assist with continuously monitoring both your organisation and your third parties for real-time and emerging risks.  
• Consider DDoS protections, such as implementing load balancers and content distribution networks, along with next-web application firewalls.  
• Develop an incident response and recovery plan. Ensure that this is tested and maintained to ensure all contact information is up-to-date.  
• Implement multifactor authentication (MFA) and the principle of least privilege to reduce the risk of unauthorised access.  
• Conduct penetration testing of your network and use specific threat-hunting services.  
• Run network and endpoint monitoring. 

Questions to ask your organisation