Hackers Target New NATO Member Sweden with Surge of DDoS Attacks

According to metrics collected by network performance management provider Netscout, distributed denial of service (DDoS) attacks targeting Sweden surged in volume between 2023 and 2024 while the country was in the process of joining NATO. Netscout notes that DDoS attacks against Swedish organizations started picking up significantly in late 2023, with attacks reaching 730 Gbps. On February 14, Sweden's Foreign Minister hinted at Hungary's approval of its bid to join NATO, and the very next day Netscout recorded 1524 simultaneous DDoS attacks aimed at Swedish infrastructure. These attacks peaked on March 4, 2024, three days before the official announcement of Sweden joining NATO, reaching a whopping 2275 attacks in a single day - a 183% increase compared to the same date in 2023.

Security Officer Comments:
Ever since Russia's invasion of Ukraine, pro-Russian cybercriminal and hacktivist groups have actively launched attacks against Ukraine and its NATO allies. Many of the attacks observed so far can be attributed to groups like NoName057, Anonymous Sudan, Russian Cyber Army Team, and Killnet, all of which have pledged their support for Russia in the ongoing conflict. These attacks have focused on defacing the critical infrastructure of Ukraine and its allies in an attempt to give Russia an advantage in the war and to dissuade further support for Ukraine. Sweden is the latest country to join NATO, following in the footsteps of Finland. While attacks launched by pro-Russian groups have managed to disrupt crucial services of Ukraine and its allies, the military alliance of countries in Europe and North America continues to grow as NATO admits new members.

Suggested Corrections:
DDoS attacks pose a significant challenge for defenders because it is difficult to distinguish legitimate packets from malicious ones. Typically, a DDoS attack targets either network bandwidth (a volumetric attack) or application-layer resources.

There are several methods to counter DDoS attacks:
  • Sinkholing: In this strategy, all incoming traffic is redirected to a "sinkhole" where it's discarded. However, this approach has a drawback as it eliminates both legitimate and malicious traffic, resulting in a loss of actual customers for the business.
  • Routers and Firewalls: Routers can help by filtering out nonessential protocols and invalid IP addresses, but they become less effective when a botnet employs spoofed IP addresses. Firewalls face similar challenges when dealing with IP address spoofing.
  • Intrusion-Detection Systems (IDS): These solutions employ machine learning to identify patterns and automatically block traffic through a firewall. While powerful, they may require manual adjustments to avoid false positives.
  • DDoS Mitigation Appliances: Various vendors offer devices designed to sanitize traffic through techniques like load balancing and firewall blocking. However, their effectiveness varies, as they may block legitimate traffic and allow some malicious traffic to pass through.
  • Over-provisioning: Some organizations opt for extra bandwidth to manage sudden traffic spikes during DDoS attacks. Often, this additional bandwidth is outsourced to a service provider that can scale up during an attack. However, as attacks grow in scale, this mitigation approach may become less cost-effective.
These methods represent different strategies organizations employ to defend against DDoS attacks, each with its advantages and limitations.
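The following is an added example, not code from the original article or from Netscout, illustrating the router and firewall filtering described above: it drops flows whose source address is invalid (a bogon, the classic sign of spoofing), drops protocols the service does not need, and then flags any source whose per-second packet rate exceeds a threshold so that a rate limit or upstream scrubbing can be applied. The record layout, the bogon list, the threshold and the sample flows are all constructed for illustration; the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for public addresses and are therefore deliberately left out of the bogon list.

```python
"""Toy ingress filter for DDoS mitigation over constructed flow records.

Added example, not code from the original article or from Netscout. It
models the router/firewall checks the article describes: drop traffic from
invalid (bogon) source addresses, drop nonessential protocols, then flag
sources whose packet rate exceeds a threshold. Record fields, thresholds
and the sample flows are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Minimal bogon list (constructed): ranges that should never appear as a
# source address on an Internet-facing link. Documentation ranges such as
# 203.0.113.0/24 are intentionally omitted so they can stand in for public
# addresses in the sample data below.
BOGON_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

# (protocol, destination port) pairs this hypothetical web service needs.
ESSENTIAL = {("tcp", 80), ("tcp", 443), ("udp", 443)}

# Per-source packets per second above which a source is flagged (constructed).
PPS_THRESHOLD = 10_000

# Constructed sample flow records: (second, src_ip, proto, dst_port, packets).
SAMPLE_FLOWS = [
    (0, "203.0.113.10", "tcp", 443, 20),
    (0, "203.0.113.11", "tcp", 443, 15),
    (1, "10.0.0.5", "udp", 443, 5000),       # private source from the Internet: spoofed
    (1, "224.0.0.1", "tcp", 80, 100),        # multicast source: never valid
    (1, "198.51.100.7", "icmp", 0, 800),     # nonessential protocol for this service
    (1, "not-an-ip", "tcp", 443, 3),         # malformed record
    (2, "203.0.113.12", "tcp", 443, 10),
    (2, "192.0.2.99", "udp", 443, 50_000),   # one source flooding UDP/443
    (3, "192.0.2.99", "udp", 443, 48_000),
    (3, "203.0.113.10", "tcp", 443, 25),
]


def is_bogon(src_ip: str) -> bool:
    """True if src_ip is unparsable or falls inside a bogon range."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return True  # an unparsable source address is treated as invalid
    return any(addr in net for net in BOGON_NETWORKS)


def filter_flows(flows, pps_threshold=PPS_THRESHOLD):
    """Apply the bogon, protocol and rate checks; return a summary dict.

    The summary holds packets dropped per reason, packets that passed the
    first two checks, and the sorted list of sources that exceeded the
    per-second threshold in at least one one-second bucket.
    """
    summary = {"dropped_bogon": 0, "dropped_protocol": 0, "accepted": 0}
    pps = defaultdict(int)  # (src_ip, second) -> packets seen in that second
    for second, src, proto, port, packets in flows:
        if is_bogon(src):
            summary["dropped_bogon"] += packets
            continue
        if (proto, port) not in ESSENTIAL:
            summary["dropped_protocol"] += packets
            continue
        pps[(src, second)] += packets
        summary["accepted"] += packets
    # Sources over the threshold are reported so a rate limiter or scrubbing
    # service can act on them; a stateless filter cannot tell a flood from a
    # busy client on a single packet, which is the limitation the text notes.
    summary["flagged_sources"] = sorted(
        {src for (src, _), count in pps.items() if count > pps_threshold}
    )
    return summary


if __name__ == "__main__":
    print(filter_flows(SAMPLE_FLOWS))
```

The spoofed 10.0.0.5 and multicast sources are dropped outright, ICMP is dropped as nonessential, and 192.0.2.99 is flagged because it exceeds the per-second threshold while the low-rate sources pass untouched. This matches the trade-off in the list above: address and protocol filters are cheap and exact, but once an attacker spoofs addresses from valid public ranges, only rate-based or behavioural checks remain, and those are the ones that risk false positives.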