NoName on Rampage! Claims DDoS Attacks on Ukrainian Government Sites

The NoName ransomware group recently posted a list of their latest DDoS attack victims on their data leak site. The victims include Ukrainian entities such as Accordbank, Zaporizhzhya Titanium-Magnesium Plant, State Tax Service, Central Interregional Tax Administration, Western Interregional Tax Administration, and the Main Directorate of the State Tax Service in Kyiv. Researchers say the websites belonging to these entities suffered connectivity issues following the DDoS attacks, with the sites displaying "403 Forbidden" and other error messages.

Security Officer Comments:
NoName is a ransomware group that has been in operation since March 2022, roughly the same time the conflict in Ukraine began. Details regarding this group and its members remain a mystery. However, operations conducted so far indicate that this group is either backed by a government entity or is launching attacks in support of Russia in the ongoing war. Since 2022, NoName actors have continued to launch attacks against Ukrainian entities. The group has also gone after Finnish government organizations in retaliation for the country joining NATO. Unlike other ransomware groups, NoName actors appear more focused on taking down the critical infrastructure of targeted organizations than on financial gain.

Suggested Corrections:
DDoS attacks are difficult to defend against because it is hard to distinguish legitimate packets from malicious ones. Typically, DDoS attacks exhaust either network bandwidth or application resources.

There are several methods to counter DDoS attacks:

Sinkholing: In this strategy, all incoming traffic is redirected to a "sinkhole" where it's discarded. However, this approach has a drawback as it eliminates both legitimate and malicious traffic, resulting in a loss of actual customers for the business.

Routers and Firewalls: Routers can help by filtering out nonessential protocols and invalid IP addresses, but they become less effective when a botnet employs spoofed IP addresses. Firewalls face similar challenges when dealing with IP address spoofing.

Intrusion-Detection Systems (IDS): These solutions employ machine learning to identify patterns and automatically block traffic through a firewall. While powerful, they may require manual adjustments to avoid false positives.

DDoS Mitigation Appliances: Various vendors offer devices designed to sanitize traffic through techniques like load balancing and firewall blocking. However, their effectiveness varies, as they may block legitimate traffic and allow some malicious traffic to pass through.

Over-provisioning: Some organizations opt for extra bandwidth to manage sudden traffic spikes during DDoS attacks. Often, this additional bandwidth is outsourced to a service provider who can scale up during an attack. However, as attacks grow in scale, this mitigation approach may become less cost-effective.

These methods represent different strategies organizations employ to defend against DDoS attacks, each with its advantages and limitations.
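The router/firewall filtering and IDS items above both come down to one question: which sources should be filtered, and on what evidence? The script below is an added example (not code from the original brief or from any vendor product) that shows the simplest version of that decision on a web server's own access log: it drops requests whose source address falls in a non-routable range (the "invalid IP addresses" a router can filter) and flags any source that exceeds a request-rate threshold inside a sliding window (the pattern an IDS would feed to a firewall). The log lines, the nginx-style log format, the 50-requests-per-10-seconds threshold and the short bogon list are all constructed assumptions for the example.

```python
"""Rate-based flood and bogon-source detection over web access logs.

Added example: the log format, thresholds and sample data are assumptions,
not values from the brief this accompanies.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# nginx/Apache "combined"-style line up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical subset of non-routable source ranges. A real deployment would
# load a maintained bogon feed instead of this hand-written list.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_line(line):
    """Return (source_ip, timestamp, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def is_bogon(ip):
    """True if the source address should never appear on the public Internet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # a source field that is not an address is itself invalid
    return any(addr in net for net in BOGON_NETS)


def analyze(lines, window_seconds=10, threshold=50):
    """Flag sources that exceed `threshold` requests within any sliding
    window of `window_seconds`, and sources in non-routable ranges."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[1])  # log order is not guaranteed chronological
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peak = defaultdict(int)       # highest in-window count seen per source
    bogons = set()
    for ip, ts, _status in events:
        if is_bogon(ip):
            bogons.add(ip)
        dq = recent[ip]
        dq.append(ts)
        while ts - dq[0] > window:  # evict timestamps that fell out of the window
            dq.popleft()
        peak[ip] = max(peak[ip], len(dq))
    floods = {ip: n for ip, n in peak.items() if n >= threshold}
    return {"floods": floods, "bogon_sources": bogons}


def _fmt_line(ip, ts, path, status):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"GET {path} HTTP/1.1" {status} 0')


def build_sample_log():
    """Constructed sample: one ordinary client (5 requests over 30 s), one
    source firing 60 requests in under 10 s, and one request from a private
    address that should never reach a public-facing server unspoofed."""
    base = datetime(2023, 10, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt_line("203.0.113.10", base + timedelta(seconds=6 * i),
                       f"/page{i}", 200) for i in range(5)]
    lines += [_fmt_line("198.51.100.7", base + timedelta(milliseconds=160 * i),
                        "/", 403) for i in range(60)]
    lines.append(_fmt_line("10.0.0.5", base, "/", 200))
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for ip, n in result["floods"].items():
        print(f"flood candidate: {ip} ({n} requests in 10 s)")
    for ip in sorted(result["bogon_sources"]):
        print(f"non-routable source: {ip}")
```

The output of `analyze` is a candidate list for a firewall or rate limiter, not a verdict: as the brief notes, a botnet that spoofs source addresses defeats per-source counting, and any threshold will need manual tuning against the site's real traffic to keep false positives from blocking legitimate customers.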