Introduction
An uptick in Distributed Denial of Service (DDoS) incidents has been observed in the aviation industry. This article is written to provide quick insights into the DDoS incidents that have affected the aviation industry to date.
What is the data collection methodology?
The data used for this analysis was filtered from the data set used in the analysis of the Aviation Cyber Threat Landscape in the previous article [1].
What is DDoS Attack?
It is a type of cyber attack that attempts to take down a network, service, website or server by overwhelming it with excessive network requests. It is typically launched from a network of attacker-controlled devices known as a botnet. To understand more about DDoS, refer to an earlier article on the DDoS Threat Landscape [2].
What are the quick insights based on past aviation-related DDoS incidents?
Increase in the number of DDoS incidents. Based on the data collected according to the methodology mentioned above, the first DDoS attack on the aviation industry was observed in 2015. In this attack, the system used by the Polish airline LOT for issuing flight plans was jammed [3]. No DDoS incidents against the aviation industry were observed between 2015 and 2022 in the collected data; one possible hypothesis is that the aviation industry was less digitalised and had fewer internet-facing assets during that period. The increase in DDoS incidents from 2022 to 2023 can be attributed to a few reasons: 1) increased connectivity and digitalisation in the aviation/aerospace industry, and 2) increased global geopolitical tensions and hacktivism. The aviation industry has become increasingly reliant on technology in recent years, with airlines, airports and other aviation organizations using a wide range of IT systems to manage their operations. This increased reliance on technology has created a larger attack surface for adversaries to exploit, making the aviation industry a more attractive target for DDoS attacks. At the same time, increased global geopolitical tensions and hacktivism have led to more DDoS attacks targeting the aviation/aerospace industry. For example, at the beginning of 2023, the websites of multiple German airports suffered DDoS attacks from a pro-Russian hacktivist group that was alleged to be linked to the Russia-Ukraine conflict [4].
Geopolitical situations lead to an increase in DDoS attacks. The increase in DDoS incidents in EMEA in 2023 is largely attributed to geopolitical tensions (e.g. the Russia-Ukraine conflict). For example, in the early part of 2023, a German flagship airline experienced a DDoS attack from a pro-Russian hacktivist group for reasons linked to the Russia-Ukraine conflict [5].
AMER - North, Central, and South America
APAC - Asia and Pacific
EMEA - Europe, the Middle East, and Africa
The majority of the incidents involved airlines and airports. Airlines and airports are attractive targets for DDoS attacks because they provide essential services to the masses (i.e. large numbers of travellers), so the impact of an attack is huge. Hacktivist groups were observed to have targeted these aviation entities in an attempt to disrupt aviation operations and make a political statement.
The top impact of DDoS attacks on the aviation industry is website outage. Websites are a common target for DDoS attacks because they are internet-facing and directly accessible to clients. This means they are relatively easy for attackers to find and target, and they can be easily overwhelmed by a large volume of traffic.
The majority of the attackers are hacktivist groups with links to Russia.
Anonymous Sudan [6]. It is a hacktivist group known to have conducted DDoS attacks against multiple countries since early 2023. While the group claims to be formed of politically motivated hackers from Sudan, its actual origin is unclear. It has not been observed to have a relationship with the online activists collectively known as Anonymous. Rather, threat researchers have identified possible logistical and ideological links to Russia.
Killnet [7]. It is observed to be a pro-Russian hacktivist group known for its DDoS attacks, and it has been observed operating since the beginning of 2022. However, Killnet did not start off as a hacktivist group. Before the start of the Russia-Ukraine conflict, Killnet was observed to be a cybercriminal group operating a DDoS-for-hire service; "Killnet" is also the name of the DDoS tool it offered on a subscription basis. With the inception of the Russia-Ukraine conflict, Killnet transformed itself into a hacktivist group that has primarily launched cyber attacks to disrupt and damage organizations in countries that supported Ukraine or took actions deemed to diminish Russia's interests (e.g. imposing sanctions on Russia).
NoName Group [8]. It was observed to have performed DDoS attacks on websites belonging to a range of industries (e.g. government) in Ukraine and in neighbouring countries that had supported Ukraine in the context of the Russia-Ukraine conflict.
UserSec [9]. It is a pro-Russian hacker group known for its cyberattacks on government agencies in NATO countries during Russia's invasion of Ukraine.
IT Army [10]. It is a volunteer cyberwarfare organization in Ukraine created in the early part of 2022 to defend Ukrainian digital and cyberspace after the start of the Russian invasion of Ukraine. The group also conducts offensive cyberwarfare operations, and claimed to only attack military targets.
Dark Storm [11]. It is a pro-Palestinian group that was observed in August 2023 to have posted claims on dark web forums that it would attack Israel and was preparing attacks against Israel's European allies.
Possible DDoS Mitigation Measures
Distribute content through a content delivery network (CDN) to disperse the traffic load away from the origin server.
Implement CAPTCHA to deter bot activity.
Deploy WAF to detect anomalous traffic and potential application attacks.
Implement rate limiting and throttling to limit requests or responses that can be received or sent within a specified timeframe.
Keep software and systems up to date to remove vulnerabilities that can be exploited for DDoS.
Subscribe to a clean-pipe service to block volumetric attack traffic.
Subscribe to traffic scrubbing service.
Implement blackholing to drop or redirect traffic from malicious source IP addresses.
Subscribe to a cloud-based DDoS protection service (e.g. AWS Route 53).
Utilize load balancers to distribute incoming traffic across multiple servers.
Scale resources to absorb increases in server load.
Formulate a robust DDoS incident response plan.
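As an added example that is not part of the original article, the following Python script shows how two of the items above, rate limiting/throttling and blackholing of malicious source IPs, can work together at a web edge. Each client IP gets its own token bucket (a burst allowance that refills at a fixed rate); a source that keeps being throttled is added to a blackhole set and its later requests are dropped without any further processing. The bucket size, refill rate, blackhole threshold and the request stream at the bottom are all constructed for the demonstration, and the IP addresses are documentation ranges rather than real hosts.

```python
"""Per-source token-bucket rate limiting with automatic blackholing.

Added example, not code from the original article.  All parameters and the
sample request stream are constructed for the demo.
"""
from collections import Counter, defaultdict


class TokenBucket:
    """Classic token bucket: 'capacity' tokens of burst, refilled at 'refill_rate' per second."""

    def __init__(self, capacity, refill_rate, now=0.0):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.tokens = float(capacity)   # a new client starts with a full burst allowance
        self.last = now                 # timestamp of the previous refill

    def allow(self, now):
        """Refill for the elapsed time, then consume one token if one is available."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeLimiter:
    """Rate-limits per source IP and blackholes sources that are throttled too often."""

    def __init__(self, capacity=10, refill_rate=5.0, blackhole_after=100):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.blackhole_after = blackhole_after   # throttles before a source is blackholed
        self.buckets = {}
        self.throttled = Counter()
        self.blackholed = set()

    def check(self, src_ip, now):
        """Return 'accept', 'throttle' (HTTP 429-style reject) or 'drop' (blackholed source)."""
        if src_ip in self.blackholed:
            return "drop"                         # no bucket work spent on a known flooder
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_rate, now=now)
            self.buckets[src_ip] = bucket
        if bucket.allow(now):
            return "accept"
        self.throttled[src_ip] += 1
        if self.throttled[src_ip] >= self.blackhole_after:
            self.blackholed.add(src_ip)           # persistent offender: blackhole it
        return "throttle"


def simulate(requests, **limiter_kwargs):
    """Feed (timestamp, src_ip) pairs through an EdgeLimiter in time order.

    Returns {src_ip: {verdict: count}} so the effect on each client is visible.
    """
    limiter = EdgeLimiter(**limiter_kwargs)
    verdicts = defaultdict(Counter)
    for ts, ip in sorted(requests):
        verdicts[ip][limiter.check(ip, ts)] += 1
    return {ip: dict(counts) for ip, counts in verdicts.items()}


def demo_requests():
    """Constructed traffic for one second: a 200 req/s flood plus two 4 req/s clients."""
    reqs = [(i / 200.0, "203.0.113.7") for i in range(200)]   # flooding source
    for i in range(4):
        reqs.append((i / 4.0, "198.51.100.21"))                # ordinary client
        reqs.append((i / 4.0, "198.51.100.22"))                # ordinary client
    return reqs


if __name__ == "__main__":
    for ip, counts in simulate(demo_requests()).items():
        print(ip, counts)
```

With the defaults (burst of 10, 5 requests per second sustained, blackhole after 100 throttles) the flooding source gets its initial burst of 10 accepted, a handful more as the bucket refills, 100 throttled responses, and everything after that dropped, while the two ordinary clients have all of their requests accepted. In production the same logic would sit in the reverse proxy or WAF, and the blackhole set would be exported to the upstream router or scrubbing provider rather than kept in process memory.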
Conclusion
This analysis aims to give readers an understanding of the DDoS threats facing the aviation/aerospace industry, because DDoS attacks can disrupt air transport, which is an essential service. Thanks for reading this article; I hope you find the information useful.
References