Hacktivists use proxy services from Russia, China for 'billions of designed-for-abuse connection attempts'
Cybercrime has skyrocketed since the start of the Iran war, according to Akamai, which reports a 245 percent increase in everything from credential harvesting attempts to automated reconnaissance traffic aimed at banks and other critical businesses.
Banking and fintech have been the hardest hit, accounting for 40 percent of the malicious traffic since February 28, followed by e-commerce (25 percent), video games (15 percent), technology firms (10 percent), media and streaming services (7 percent), and other industries (3 percent), the CDN provider said.
Most of the internet traffic Akamai has logged thus far has been infrastructure scanning and reconnaissance efforts, with botnet-driven discovery traffic jumping 70 percent and automated recon traffic up 65 percent. The firm also reported a notable uptick in widespread scanning of infrastructure and exposed services (up 52 percent), credential harvesting attempts (45 percent), and reconnaissance ahead of distributed denial of service (DDoS) attacks (38 percent).
REG AD
This includes an unnamed US financial services company that blocked 13 million packets originating from Iran over the last 90 days, with a network traffic flood exceeding 2 million packets on February 9 – in the lead-up to the military strikes – and then a couple of other spikes immediately after the conflict started.
REG AD
However, not all of the malicious traffic originated from Iran. The embattled theocracy accounted for only 14 percent of the source IPs, compared to Russia (35 percent) and China (28 percent). This doesn't necessarily mean that the threat groups carrying out the cyber activities are based in these two counties. Both China and Russia have historically turned a blind eye toward digital-crime networks and services operating out of their countries – just as long as the attacks don't target Chinese and Russian government agencies or organizations.
As Akamai notes, "geopolitically motivated hacktivists are using proxy services in countries like Russia and China as a source for billions of designed-for-abuse connection attempts."
At the beginning of March, Palo Alto Networks' Unit 42 senior manager Justin Moore told The Register that the threat-intel team has tracked an uptick in pro-Russian hacktivists.
This, Moore said, is "effectively expanding the Middle East's attack surface, and potentially exposing regional infrastructure to high-disruption tactics historically used by these groups against NATO and European interests."
Some of these groups are closely tied to – or even cyber arms of – government intelligence agencies. This appears to be the case with Handala, an Iranian hacktivist crew believed to be a front for the Ministry of Intelligence and Security (MOIS), that claimed to be behind a destructive, data-wiping attack against Stryker, a global medical technology company headquartered in Kalamazoo, Michigan.
Akamai suggests that organizations that do not "conduct business in certain geographies, or if it offers a service for which it is unlikely to have legitimate users outside specific regions of the world (e.g., financial services, public utility companies, or healthcare organizations, among others)," deny all traffic from those regions.
Of course, being a CDN and security vendor, Akamai suggests organizations do this using its firewall – but this is sane advice during times of geopolitical conflict no matter whose networking and security gear you use. ®