Executive Summary
Journalists reported, and Cybersecurity and Infrastructure Security Agency officials confirmed, that on November 8, a DDoS attack temporarily disabled the website of a state government.
A group claiming to be pro-Russian hacktivists, CyberArmyofRussia_Reborn, claimed responsibility for the state government attack and another on the website of a U.S. political party’s governing body on the same day.
Researchers leveraged SecurityScorecard’s exclusive data to identify traffic from IP addresses that may have been involved in the attacks.
Pairing this traffic with SecurityScorecard’s internal threat intelligence data, researchers identified IP addresses contained in blocklists (available by request) developed in the wake of DDoS attacks attributed to other Russian-speaking threat actor groups.
Researchers also identified novel IP addresses (also available by request) that had not previously appeared on these blocklists but may have participated in the attack. Adding these IP addresses to blocklists may help organizations defend against future DDoS attacks.
Officials have neither attributed the attack to that group, nor confirmed that the political party also suffered a DDoS attack. However, data collected by SecurityScorecard suggests that the same actors may have targeted both entities and that this targeting involved infrastructure previously used in other DDoS attacks claimed by Russia-aligned hacktivist groups.
SecurityScorecard assesses with moderate confidence that CyberArmyofRussia_Reborn is aware of the limited and temporary operational impact of its distributed denial of service (DDoS) attacks, but is likely to continue to conduct them due to their perceived impact on public opinion regarding the security of state governments and critical infrastructure.
Background
Citing senior Cybersecurity and Infrastructure Security Agency (CISA) officials, journalists reported on November 8 that DDoS attacks had temporarily disabled the website of a state government. A group claiming to be pro-Russian hacktivists, CyberArmyofRussia_Reborn, claimed responsibility for that attack and another on the website of a U.S. political party’s governing body on the same day, specifying one target IP address for each organization.
As of 9:30 AM EST on November 9, officials have neither attributed the attack to that group, nor confirmed that the party organization also suffered a DDoS attack. However, the party governing body’s website did experience some downtime on the day of the attack.
While made by a different group, these claims strongly resemble KillNet’s. KillNet is a pro-Russian hacktivist group that has conducted a series of relatively low-sophistication attacks throughout 2022 and claimed responsibility for DDoS attacks against state governments in early October. The group is also quite focused on publicity. It:
- Cultivates a following through a Telegram channel (which it also uses to encourage followers to conduct DDoS attacks of their own)
- Usually makes public announcements to claim responsibility for its attacks
- In some cases, claims responsibility for attacks that may not have even happened, in an apparent effort to damage the reputation of its supposed victims.
CyberArmyofRussia_Reborn’s approach to public messaging seems quite similar to KillNet’s: it uses Telegram to attract and maintain a following and expose its targets.
Since April 2022, CyberArmyofRussia_Reborn has not only claimed responsibility for its DDoS attacks, but also leaked data stolen from victims of intrusions attributed to APT28, a more sophisticated threat actor group believed to operate on behalf of Russia’s Main Intelligence Directorate (GRU). The group appears to conduct influence operations as a public-facing complement to APT28’s more covert, espionage and disruption-oriented activities. This has led analysts to assess with moderate confidence that CyberArmyofRussia_Reborn coordinates its operations with APT28. Crucially, publicity appears to be the connective tissue between its DDoS claims and the publication of stolen data, as both can serve to undermine public confidence in target organizations.
Findings
While officials have not yet attributed the state government attack to CyberArmyofRussia_Reborn, nor confirmed that the party organization also suffered a DDoS attack, data collected by SecurityScorecard suggests that the same actors may have targeted both entities and that this targeting involved infrastructure previously used in other DDoS attacks claimed by Russia-aligned hacktivist groups.
When consulting the data for traffic involving both of the IP addresses that CyberArmyofRussia_Reborn identified as its targets on the day of the attack, researchers identified considerable overlaps, both among the IP addresses that communicated with the two target IP addresses and between that traffic and traffic observed in previous DDoS attacks linked to the KillNet and Zhadnost threat actor groups, both of which have also carried out DDoS attacks in support of Russian interests.
Fifty-two IP addresses communicated with both of the CyberArmyofRussia_Reborn target IP addresses on the day of the claimed attacks. Of these, forty-four communicated with both target IP addresses but had not previously appeared in traffic samples collected during earlier SecurityScorecard investigations into Russia-linked DDoS attacks. These forty-four IP addresses (available upon request) may therefore be novel indicators of compromise (IoCs); adding them to blocklists could help defend against similar attacks in the future.
In addition to these novel IP addresses, researchers identified 119 IP addresses that communicated with both target IP addresses on the day of the attack and appeared in SecurityScorecard’s internal threat intelligence platform because they had previously communicated with targets of DDoS attacks attributed to the KillNet and Zhadnost groups. This may suggest that different groups have employed the same infrastructure. Moreover, it indicates that these IP addresses also merit blocking to reduce the risk of future attacks from any group that happens to be using these same IP addresses.
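The overlap analysis described in the two paragraphs above, as an added example that is not SecurityScorecard's own tooling: it takes flow records (source, destination) for the day of the attack, keeps the sources that contacted both target addresses, and splits them into those already on a prior blocklist and novel candidates. All flow records, the two target addresses and the prior blocklist are constructed placeholders in documentation ranges.

```python
"""Split sources that hit both DDoS targets into known and novel indicators."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst")

# Constructed placeholders for the two target addresses the group published.
TARGET_A = "192.0.2.10"   # stands in for the state government address
TARGET_B = "192.0.2.20"   # stands in for the party organization address

# Constructed flow records (src,dst) from the day of the attack; one line is
# deliberately malformed to show that the parser skips it.
SAMPLE_FLOWS = """\
203.0.113.5,192.0.2.10
203.0.113.5,192.0.2.20
203.0.113.9,192.0.2.10
198.51.100.7,192.0.2.10
198.51.100.7,192.0.2.20
198.51.100.8,192.0.2.20
203.0.113.77,192.0.2.10
203.0.113.77,192.0.2.20
not-an-ip,192.0.2.10
"""

# Constructed stand-in for the blocklist built after earlier KillNet/Zhadnost
# investigations (hypothetical values, not the real blocklist).
PRIOR_BLOCKLIST = {"203.0.113.5", "198.51.100.99"}


def parse_flows(text):
    """Parse 'src,dst' lines, dropping blanks, comments and invalid addresses."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.count(",") != 1:
            continue
        src, dst = (part.strip() for part in line.split(","))
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip records that are not valid IP addresses
        flows.append(Flow(src, dst))
    return flows


def sources_for(flows, target):
    """All source addresses that sent traffic to the given target."""
    return {f.src for f in flows if f.dst == target}


def classify_overlap(flows, target_a, target_b, prior_blocklist):
    """Return (known, novel): sources seen against BOTH targets, split by
    whether they already appear on the prior blocklist. Sorted numerically."""
    both = sources_for(flows, target_a) & sources_for(flows, target_b)
    key = ipaddress.ip_address
    known = sorted(both & set(prior_blocklist), key=key)
    novel = sorted(both - set(prior_blocklist), key=key)
    return known, novel
```

Sources that contacted only one target are left out on purpose: on their own they are indistinguishable from ordinary traffic, and only the two-target overlap supports the shared-infrastructure argument.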
Conclusion
These activities appear to reflect those discussed in a recent FBI Private Industry Notification, which highlighted that the psychological impact of hacktivist DDoS attacks can often overshadow their actual (and quite limited) operational impact. As with KillNet, and considering its apparent focus on publicity, SecurityScorecard assesses with moderate confidence that the CyberArmyofRussia_Reborn group is aware of the limited and temporary operational impact of its DDoS attacks, but is likely to continue to conduct them because of their perceived impact on public opinion regarding the security of state governments and critical infrastructure.
While these findings do not prove that CyberArmyofRussia_Reborn is responsible for both attacks, or that a DDoS attack was responsible for the party organization’s service outage, they do suggest that both the state government’s and the national party’s pages were the targets of attempted DDoS attacks that used infrastructure previously employed by other pro-Russian hacktivist groups. The infrastructure overlaps suggested by the shared IP addresses apparently involved in attacks claimed by different threat actor groups also suggest that the same mitigations could help defend against them.
Possible Mitigations
Block the IPs in SecurityScorecard’s Bot Blocklists, available from our threat intelligence team by request.
Critically, put DDoS mitigations in place via a service like Cloudflare, Akamai, or AWS CloudFront. Having only a firewall will not stop the volume of traffic we have observed during previous DDoS attacks.
Note that blocking Russian IPs will not stop DDoS attacks. The attacks are coming from open proxies and DNS resolvers located all over the world.
Configure DNS resolvers and proxy servers to only accept requests from internal IP addresses and authorized users unless there is a practical reason not to do so. Much bot infrastructure relies on open proxies and DNS resolvers. If all of these services were properly configured, it would be a crippling blow to botnet operators.