Pro-Russian hacking group Killnet has claimed credit for a series of distributed denial-of-service (DDoS) attacks executed against US airport websites on October 10. Several websites for airports across the US were affected, including Los Angeles International Airport (LAX), Chicago O’Hare (ORD), and Atlanta Hartsfield-Jackson International. While the attacks did take down websites for some time, it appears that airport operations were not affected. But these DDoS attacks, and the motivation behind them, raise questions about growing cyber threats to critical infrastructure.
These DDoS attacks are not the first time Killnet has made headlines. Just weeks before, the hacktivist group claimed credit for cyberattacks against the Colorado, Kentucky, and Mississippi state government websites. The Cybersecurity & Infrastructure Security Agency (CISA) released an alert in April (updated in May) on Russian state-sponsored and criminal cyber threats facing the critical infrastructure sector. The alert featured a number of threat actors targeting critical infrastructure, including Killnet.
Airports were able to restore function to their websites relatively quickly following the DDoS attacks, but it is important to note the vulnerabilities attackers were able to exploit. “FlyLAX.com, for example, operates utilizing the Nginx server, which is particularly vulnerable to attacks given its open-source nature. Open-source code is easy for hackers to exploit, and it is slow to be patched,” Richard Gardner, CEO of technology company Modulus, explains. He recommends moving away from open-source servers and code to help prevent cyberattacks.
DDoS attacks like this do not cause damage to underlying systems, but that doesn’t mean they can be easily dismissed. Attacks like these “…erode the confidence in our cybersecurity protection for critical infrastructure services we rely on,” Matt Hayden, vice president of cyber client engagement at IT company General Dynamics Information Technology (GDIT) and former assistant secretary for cyber, infrastructure, risk, and resilience policy at the US Department of Homeland Security, points out.
In light of Russia’s ongoing war in Ukraine, pro-Russian threat actors are likely to continue targeting countries that support Ukraine. CISA warned that “…Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity” in its April alert.
Killnet rallied supporters by posting its intended targets on messaging service Telegram. These DDoS attacks were successful in causing disruption and garnering significant amounts of media attention, and other threat actors could be interested in achieving that same success.
“Even if Killnet remains focused on DDoS attacks to shake American confidence in its institutions, because this was an ideological attack, it is likely that there will be others who are inspired to pick up the mantle and escalate,” Gardner says.
DDoS attacks are on the rise in 2022. Web performance and security company Cloudflare reported that it has seen some of the largest ever DDoS attacks in the second quarter of this year. In Q2, application-layer DDoS attacks were up 72% year-over-year, and network-layer DDoS attacks were up 109% year-over-year.
Victims of DDoS attacks may escape more serious damage, such as leaked data, but their vulnerability to cyber threats is now public knowledge. “After being hit with a DDoS, it is important to identify the type of attack that occurred and the source(s) of the attack. This should be used to evaluate architecture or application security changes that can be used to mitigate or stop future attacks,” says Sally Vincent, senior threat research engineer at IT security company LogRhythm. “Organizations hit by a KillNet DDoS attack should evaluate their entire attack surface in case KillNet switches tactics or uses DDoS to cover up other attacks.”
Using an onslaught of requests to overwhelm and crash websites, DDoS attacks are a relatively rudimentary tool for threat actors. Critical infrastructure is also an appealing target for attacks that do more lasting damage than DDoS campaigns. “My grave concern is that these DDoS attacks serve as a smokescreen for [a] long-term intrusion campaign,” Tom Kellermann, CISM, senior vice president of cyber strategy at security technology company Contrast Security, cautions.
Critical infrastructure is certainly susceptible to cyberattacks. “With distributed assets and a mix of legacy and modern equipment, real-world operations have been incredibly difficult to secure, making them prime targets for ransomware and nation state attacks,” says Roman Arutyunov, co-founder and vice president of products for zero-trust security company Xage.
Killnet’s latest attacks are an opportunity to examine critical infrastructure cybersecurity and prepare for potentially more damaging attacks that could lead to widespread service disruptions affecting critical services like power, fuel, supply chain, and healthcare.
Adopting cybersecurity best practices, like zero trust and vulnerability scanning, can help potential targets protect themselves from DDoS attacks. Vincent also recommends threat intelligence monitoring. Targets may be announced ahead of attacks; Killnet named the airport website targets on Telegram and called for support.
“Given their [Killnet’s] motivations, I’d suspect that they will likely continue to target critical infrastructure in NATO countries, and we’ll need to be ready for it,” Arutyunov concludes.