This week, ProtonMail made headlines for being targeted by a massive DDoS attack after having caved in to a $6,000 ransom demand made by the group behind the attack. The two-stage attack, which eventually took down the ISP, and the hype that surrounded it seemed to confirm a theory that I read about not long ago: DDoS attacks are the perfect smoke screen for APTs and silent data breaches.
The new attack against ProtonMail seems to fit in with the trend of growing DDoS attacks, in diversity, complexity and quantity alike. DDoS attacks are becoming a serious source of income for hackers, as time-critical businesses such as banks and financing companies usually prefer to pay the attackers rather than risk the heavier losses that the downtime caused by the attack can incur.
But we should look at DDoS attacks as more than simple, one-time attacks that are finished when the network clears out. Black hats rarely use this kind of attack in isolation from others. Cases where DDoS attacks take down victim networks for many days are becoming rarer, and most cases last no more than minutes or hours, which isn’t enough time to deal serious harm to the victim in terms of business, unless it’s a really popular website.
Moreover, with the development of more complicated protective systems, taking down major e-commerce players will cost the attackers heavily in resources and gear. Also, since they’re not secretive in nature, DDoS attacks are quickly reacted to by law enforcement agencies and cybersecurity companies, which means that except in cases where the aggressors are backed by state-level resources, they’ll be hard-pressed to maintain their attack once it begins.
However, when a company or organization is targeted, the entire IT and security staff becomes involved in relieving the network of the pesky botnets that are eating up its resources. And while the entire IT security team is busy remediating the attack, it’s likely that no one will keep an eye on the less obvious security alerts being generated by the system. This creates the perfect window of opportunity for attackers to target the victim in other ways while the DDoS is being carried out.
This is why instead of using DDoS as the main attack vector, many black hats use them as a smoke screen to carry out more serious data breaches. Many things can help these secondary breaches go unnoticed:
- While struggling with the immediate threat of DDoS attacks, security staff will usually overlook the less obvious alerts that more secretive attacks leave behind.
- Even after the attack is mitigated, infosec folk will usually be too overwhelmed and exhausted to go over the boring security logs that the system has generated in the past days.
- Many companies use log rotation mechanisms that clear out old logs when the number of records exceeds a certain amount, which means it is likely that alerts generated by other breaches will be overwritten by the huge amount of alerts generated during the DDoS attack.
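The three points above describe one mechanism: a flood of near-identical alerts buries the handful of alerts that a concurrent breach leaves behind, and count-based log rotation then throws those few alerts away. The script below is an added example written for this article (not code from the original post or from ProtonMail): it runs over a constructed alert log in a hypothetical `timestamp severity alert_type key=value...` format, separates the flood noise from the low-volume alerts by type frequency, and contrasts a naive keep-the-newest-N rotation with one that always retains the non-flood alerts.

```python
"""
Triage security alerts generated during a DDoS so that low-volume alerts
are surfaced rather than drowned out, and show why count-based log
rotation silently discards them. Added example; not from the original post.
"""
import re
from collections import Counter

# Constructed sample data (not real logs). Three unrelated, high-value
# alerts land early in the flood window, keyed by the second they occur.
RARE_EVENTS = {
    3: "2015-11-04T10:00:03 CRIT admin_login src=198.51.100.7 user=ops geo=new",
    9: "2015-11-04T10:00:09 WARN outbound_transfer host=db01 bytes=734003200 dst=198.51.100.9",
    14: "2015-11-04T10:00:14 WARN new_cron_job host=web02 user=www-data path=/tmp/.x",
}

# Hypothetical alert line format: "<ts> <severity> <alert_type> k=v k=v ..."
ALERT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sev>\w+)\s+(?P<type>\w+)(?P<rest>.*)$")


def build_sample_log(flood_count=400):
    """Interleave a synthetic flood (one alert per second, alternating
    rate_limit / syn_flood from a pool of 50 sources) with the rare events."""
    lines = []
    for i in range(flood_count):
        ts = f"2015-11-04T10:{i // 60:02d}:{i % 60:02d}"
        kind = "rate_limit" if i % 2 == 0 else "syn_flood"
        lines.append(f"{ts} WARN {kind} src=203.0.113.{i % 50} path=/ rps={800 + i % 200}")
        if i in RARE_EVENTS:
            lines.append(RARE_EVENTS[i])
    return lines


def parse_alert(line):
    """Parse one alert line into a dict; key=value pairs become extra fields."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
    return {**fields, "ts": m.group("ts"), "severity": m.group("sev"),
            "type": m.group("type"), "raw": line}


def classify(alerts, noise_ratio=0.05):
    """Split alerts into flood types (any type making up >= noise_ratio of
    the volume) and the remaining rare alerts that deserve a human look."""
    counts = Counter(a["type"] for a in alerts)
    total = len(alerts)
    flood_types = {t for t, c in counts.items() if c / total >= noise_ratio}
    rare = [a for a in alerts if a["type"] not in flood_types]
    return flood_types, rare


def flood_summary(alerts, flood_types, top=3):
    """Collapse the flood into a short summary: the busiest source addresses."""
    srcs = Counter(a.get("src", "?") for a in alerts if a["type"] in flood_types)
    return srcs.most_common(top)


def rotate_naive(lines, max_records):
    """Count-based rotation as described in the article: keep only the newest N."""
    return lines[-max_records:]


def rotate_preserving(lines, max_records, flood_types):
    """Rotation that spends the budget on flood lines only after every
    non-flood alert has been retained, keeping original order."""
    parsed = [parse_alert(l) for l in lines]
    rare_idx = [i for i, a in enumerate(parsed) if a["type"] not in flood_types]
    budget = max(max_records - len(rare_idx), 0)
    flood_idx = [i for i, a in enumerate(parsed) if a["type"] in flood_types]
    flood_idx = flood_idx[-budget:] if budget else []  # avoid lst[-0:] == whole list
    return [lines[i] for i in sorted(rare_idx + flood_idx)]


if __name__ == "__main__":
    log = build_sample_log()
    alerts = [parse_alert(l) for l in log]
    flood_types, rare = classify(alerts)
    print("flood types:", sorted(flood_types), "top sources:", flood_summary(alerts, flood_types))
    print("alerts that need a human:")
    for a in rare:
        print("  ", a["raw"])
    naive = rotate_naive(log, 100)
    kept = rotate_preserving(log, 100, flood_types)
    print("naive rotation kept admin_login:", any("admin_login" in l for l in naive))
    print("preserving rotation kept admin_login:", any("admin_login" in l for l in kept))
```

With a budget of 100 records over a 403-line log, the naive rotation keeps only the tail of the flood and loses all three rare alerts; the preserving variant keeps them and fills the rest of the budget with the newest flood lines. The 5% frequency threshold is an assumption chosen for the constructed data; in practice the flood types would come from the DDoS mitigation itself, and the point is that whatever is not part of the flood gets reviewed, not rotated away.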
If you’re following my train of thought, this means that you might be hacked in half a dozen ways while you’re being DDoSed, and you’ll never know. That’s a notion that I think ProtonMail should take seriously, and double-check its systems in the aftermath of the major DDoS it just suffered.
Therefore, never take DDoS attacks lightly, and always check your website for other security flaws. And never underestimate the threat of covert attacks that might happen under the smoke screen.