On October 10, 2022, the threat group “KillNet” claimed a number of distributed denial-of-service (DDoS) attacks against the public websites of several major airports in the U.S.
Context
Airport sites targeted in the campaign include Hartsfield-Jackson Atlanta International Airport (ATL), Los Angeles International Airport (LAX), Chicago O’Hare International Airport (ORD), Orlando International Airport (MCO), Denver International Airport (DEN), Phoenix Sky Harbor International Airport (PHX), and several smaller regional airports in Kentucky, Mississippi, and Hawaii.
According to Bleeping Computer, KillNet actors are “relying on custom software to generate fake requests and garbage traffic directed at the targets with the goal of depleting their resources and making them unavailable to legitimate users.”
Community Impact
KillNet is a pro-Russian hacktivist group that regularly targets public-facing organizations in both the private and public sectors with pro-Russian messaging, website defacements, and DDoS attacks. Since the Russian invasion of Ukraine in February 2022, the group has focused on organizations in countries that have publicly opposed Russian actions in Ukraine. In the week before the airport campaign, the group carried out several DDoS attacks against state government websites in the U.S.
Many retail, hospitality, and travel organizations operate in close partnership with the airports targeted in this campaign, whether by running restaurant locations, retail concessions, or gate desks inside the terminals. The retail, hospitality, and travel sectors are therefore advised to remain particularly vigilant regarding KillNet. Both spillover (for example, degradation of a hosting, DNS, or network provider shared by an airport and its tenants) and a deliberate pivot to airlines, retailers, and restaurants operating in airports are possible.
Defensive Recommendations
Organizations are encouraged to review best practices for defensive controls against DDoS attacks, including:
- Design a Robust Architecture
  - Ensure the infrastructure serving your public site has no single point of failure that an attacker can saturate: multiple upstream network providers and paths, servers in separate data centers in different geographic regions, and diversity among service providers (DNS, CDN, hosting), so that one saturated link or one provider outage does not take the whole service down.
- Use Cloud-Based Hosting From Major Providers
  - Closely related to architecture: large cloud and CDN providers operate far more ingress bandwidth and many more edge nodes than a single organization’s data center, and typically place anycast routing and DDoS scrubbing in front of the origin. Traffic that would saturate one origin server is absorbed or filtered at the edge, so the origin keeps serving legitimate users. This reduces risk rather than guaranteeing zero downtime; a sufficiently large or application-layer flood can still affect a site behind a CDN. When choosing a hosting provider, ask whether it builds on a major cloud or CDN platform or runs its own servers, and what DDoS mitigation is included in the service.
- Have a DDoS Response Plan
  - Decide in advance what the business will do when a DDoS attack happens: who detects it, who is notified and in what order, who can authorize turning on scrubbing or failing over to a static site, and how customers and partners are kept informed. Record the DDoS escalation contacts for your ISP and hosting/CDN provider, since mitigating a volumetric attack usually depends on them. The more complex the infrastructure, the more detailed the plan must be, so review it regularly.
- Have a Static Version of Your Website
  - Keep a pre-built static copy of the site (HTML, CSS, images, and essential information such as contact numbers and flight-status links) hosted on a CDN or a separate provider. If the dynamic site is overwhelmed, DNS or the load balancer can be pointed at the static copy. Static pages need far less processing power and bandwidth per request, so they stay available under load that would exhaust application servers and databases.
- Incorporate AI into your security stack
  - Given the scale and speed of DDoS attacks, manual response alone is too slow. Security tooling that baselines what “normal” traffic looks like for your business (request rates per source, per path, and per region; the usual user-agent mix) can flag an abnormal uptick as it starts and automatically rate-limit or block the offending sources or geographies while legitimate traffic continues to flow. Treat automated blocking rules as tunable: attackers rotate sources, and an over-aggressive rule can itself deny service to legitimate users.
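To make the “learn what normal is, then act on deviations” idea in the last item concrete, here is an added example (not part of the RH-ISAC advisory and not any vendor’s product) that runs a simple rate-baseline detector over a constructed set of web-server access-log lines. It learns the peak per-source request rate during a quiet baseline period, then flags any source that exceeds a multiple of that peak in later windows. The log lines, the IP addresses (taken from RFC 5737 documentation ranges), the window size, and the thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format fields we use: client IP, timestamp, request line, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def build_sample_log():
    """Constructed sample traffic (not real airport logs): four legitimate
    clients each requesting once every ~12 s, then one source sending
    40 requests in 10 s to random-looking paths, the 'garbage traffic'
    pattern described above. Addresses are RFC 5737 documentation ranges."""
    base = datetime(2022, 10, 10, 14, 0, 0)
    legit = ["203.0.113.7", "203.0.113.8", "198.51.100.23", "198.51.100.45"]
    lines = []
    for i in range(20):  # one legitimate request every 3 s, rotating clients
        ts = base + timedelta(seconds=3 * i)
        lines.append(f'{legit[i % 4]} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] '
                     f'"GET /flights?page={i} HTTP/1.1" 200 8192')
    for i in range(40):  # flood: 4 requests/s from 14:00:30 to 14:00:39
        ts = base + timedelta(seconds=30 + i // 4)
        lines.append(f'192.0.2.99 - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] '
                     f'"GET /x{i:04d} HTTP/1.1" 404 512')
    return lines


def parse_clf(line):
    """Parse one CLF line into (epoch_seconds, ip, request, status); None if malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m.group("ip"), m.group("req"), int(m.group("status"))


def bucket_requests(lines, window_s):
    """Return {bucket_index: Counter(ip -> requests)} for fixed windows of window_s seconds."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue  # truncated or garbage line: skip it rather than crash the detector
        epoch, ip, _, _ = parsed
        buckets[epoch // window_s][ip] += 1
    return buckets


def learn_baseline(buckets, baseline_bucket_end):
    """Peak requests from any single source in any window before baseline_bucket_end."""
    peak = 0
    for idx, counter in buckets.items():
        if idx < baseline_bucket_end and counter:
            peak = max(peak, max(counter.values()))
    return peak


def detect_floods(lines, window_s=10, baseline_s=30, ratio=5.0, min_requests=10):
    """Flag sources whose per-window request count exceeds ratio x the baseline peak.

    min_requests is a floor so that a near-idle baseline (e.g. a maintenance
    window) cannot produce a threshold of zero and flag every visitor.
    Returns a list of (window_start_utc, ip, count, threshold) tuples."""
    buckets = bucket_requests(lines, window_s)
    if not buckets:
        return []
    first = min(buckets)
    baseline_end = first + baseline_s // window_s
    threshold = max(min_requests, int(ratio * learn_baseline(buckets, baseline_end)))
    alerts = []
    for idx in sorted(buckets):
        if idx < baseline_end:
            continue  # the baseline period is what we learned from, not what we judge
        for ip, n in buckets[idx].items():
            if n > threshold:
                start = datetime.fromtimestamp(idx * window_s, tz=timezone.utc)
                alerts.append((start.strftime("%Y-%m-%dT%H:%M:%SZ"), ip, n, threshold))
    return alerts


if __name__ == "__main__":
    for window, ip, count, limit in detect_floods(build_sample_log()):
        print(f"{window} source {ip} sent {count} requests (threshold {limit}); rate-limit or block")
```

A per-source threshold like this catches the kind of custom flood tooling described above when the traffic comes from a manageable number of hosts; a large botnet that keeps every source under the threshold needs aggregate-volume and behavioral signals (request-path entropy, 404 ratio, TLS fingerprint) instead. For a purely volumetric flood, detection at the origin is also too late, because the upstream link is already saturated by the time packets reach the server; that is why the plan and the provider escalation contacts in the items above matter.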
In addition to these best practices, RH-ISAC recommends the following actions:
- Continue to patch internet-facing systems and assets promptly and completely, and enforce access controls (strong authentication, least privilege) on administrative interfaces and management networks.
- Review and update incident response playbooks and, where possible, run tabletop or live exercises focused on threats related to the current crisis, including DDoS and website defacement.
- Stay informed and keep stakeholders informed. Educate the workforce to be vigilant and not fall prey to phishing and other lures that capitalize on topics of current interest.