New DDoS Attacks Hit Game Sites
Experts: Are Hacktivists Testing Strength of Botnet?
Distributed-denial-of-service attacks continue to spread to other sectors beyond banking.
DDoS experts who track and monitor online activity say that last week three online role-playing game sites were hit by Brobot, the massive botnet that since mid-September has been used by hacktivists to attack leading U.S. banks.
Although none of the sources would name the sites struck by DDoS, they do say these are not online-gambling sites. The targeted sites are used for online role-playing competition among gamers - a community that often has hacktivists among its circle, one source suggested.
That is, in part, why the attacks against these sites are interesting, says Dan Holden, director of ASERT for Arbor Networks Inc., a network security and anti-DDoS provider.
"It seems like a super-strange targeting change," he says. "It's possible that someone may have gotten into the Brobot network and is hijacking it, or [the hacktivists] are simply renting it out. Now the question is, 'Why?'"
Another DDoS expert, who asked not to be identified, says the attacks could suggest something more nefarious. "They just hit these sites with DDoS," the source says. "There was no compromise of data. It's almost as if they're trying to start a fight, to get other hackers, who also often play on these sites, to fight back."
And if that is the case, then the attacks could be a sign that the hacktivist group Izz ad-Din al-Qassam Cyber Fighters, which has taken credit for the attacks on U.S. banks, is trying to test the strength and power of its botnet.
Connecting the Bots
Holden says there's no doubt that the botnet used against these game sites is the same botnet that has been striking U.S. banking institutions. New attack tools built into Brobot for Izz ad-Din al-Qassam Cyber Fighters' third phase of DDoS attacks, which kicked off Feb. 25, match the tools that were used against the game sites.
In reviewing attack patterns from last week - when Izz ad-Din al-Qassam Cyber Fighters claims it hit PNC Financial Services Group, BB&T, JPMorgan Chase & Co., Union Bank, Capital One and others - Holden says it's clear Brobot's increasing size has fueled more dynamic attacks, allowing the hacktivists to launch multiple strikes against different targets simultaneously.
"The randomization of the attacks is something we've seen in the third phase," Holden says of those attacks on banks. "They have introduced new tools, and as they go along, they are learning more and more about the websites they are targeting."
That is how Arbor was able to connect the attacks to those waged against gamers, he says.
"This is really just more about the fact that the tools were built out to target these sites," Holden says. "They aren't as generic as the tools we saw during the first two campaigns."
Holden says the new tools include scripts that take aim at specific targets. "That's how we ran across the gaming-attack piece," he says. "Obviously, this one just has a lot more questions around it. I think we need more time to track the developments in the new scripts that are coming out to see what might be next."
More Signs of Spreading Attacks
The strikes against gamers aren't the first DDoS-attack deviations the industry has noted. On March 7, DDoS protection provider Prolexic announced it had worked with an unidentified metropolitan U.S. utility company to mitigate a DDoS attack that in mid-February hit the company's website, as well as its online payment and automated pay-by-phone billing systems.
The attack took those online platforms offline for two days, although Prolexic pointed out that there was no evidence to tie the utility attack to Izz ad-Din al-Qassam Cyber Fighters.
"Utilities are another vertical market that is likely to be victimized in the coming months as attackers look beyond daily targets like e-commerce and financial services," says Stuart Scholly, president of Prolexic, in a statement issued about the utility-attack investigation. "Attackers are targeting network infrastructures to cause collateral damage to other shared resources, so organizations must think about their different areas of vulnerability beyond website URLs."