Number: AL23-014
Date: September 15, 2023
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Details
Since 13 September 2023, the Cyber Centre has been aware of, and responding to, reports of several distributed denial of service (DDoS) campaigns targeting multiple levels within the Government of Canada, as well as the financial and transportation sectors.
This Alert is being published to raise awareness of these campaigns, to highlight the potential impact to government services and to provide guidance for organizations that may be targeted by malicious activity. Open-source reporting links some of this activity to Russian state-sponsored cyber threat actors whose tactics, techniques and procedures have been extensively documented Footnote 1, Footnote 2. In July 2022, the Cyber Centre assessed that Russian state-sponsored cyber threat actors would almost certainly continue to perform actions in support of the Russian military's strategic and tactical objectives in Ukraine Footnote 3. On February 24, 2023, the Cyber Centre reported on similar activity involving DDoS campaigns against Ukraine-aligned nations Footnote 4.
Open-source reporting indicates that the actors leverage denial of service tools to harass organizations Footnote 5. This is accomplished through a collection of systems operating as a botnet that degrades a targeted web server's ability to provide services. This degradation is then publicized by the actors. In most cases, this nuisance activity can be managed by on-premises solutions; however, assistance from third-party DDoS mitigation providers should be considered to protect against significant and focused malicious activity. Websites will commonly return to a normal state of operation once the actors have stopped the malicious activity.
Suggested action
The Cyber Centre recommends organizations:
- Review perimeter systems to determine if related activity has occurred.
- Review and implement preventative actions outlined within the Cyber Centre's guidance on protecting your organization against denial-of-service attacks Footnote 6.
- Review the Cybersecurity and Infrastructure Security Agency (CISA) published guidance for US agencies to aid in DDoS considerations, including technical mitigation recommendations for responding to DDoS activity Footnote 7.
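As an added, defender-side illustration of the first action above (this is example code, not content from the Cyber Centre alert), the following Python script reviews web-server access logs for three indicators of the kind of HTTP flood the Details section describes: a single source sending far more requests than normal, an aggregate request volume that is abnormal even though no single source stands out (the signature of a distributed botnet), and a rising share of 5xx responses showing the server is already degrading. All log lines, IP addresses (documentation ranges) and thresholds are constructed assumptions for this example; real perimeter logs and baselines will differ.

```python
"""Review constructed web-server access logs for HTTP flood indicators.

Added example, not part of the Cyber Centre alert. The log lines, IP
addresses and thresholds below are constructed for illustration only.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, e.g.
# 203.0.113.7 - - [13/Sep/2023:10:00:01 +0000] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_second, status) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp()), int(m.group("status"))


def analyse(lines, window=10, per_ip_limit=50, total_limit=200, error_ratio=0.5):
    """Bucket requests into fixed windows (seconds) and flag flood indicators.

    Returns one tuple per window and rule tripped:
      (start, "hot_ip", [ips])        a single source above per_ip_limit
      (start, "volume", total, srcs)  aggregate requests above total_limit;
                                      a distributed flood shows here even
                                      when every individual source is quiet
      (start, "errors", errs, total)  share of 5xx responses above error_ratio
    Thresholds are illustrative; tune them to your own traffic baseline.
    """
    per_window = defaultdict(lambda: {"ips": Counter(), "total": 0, "errors": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than abort the review
        ip, epoch, status = parsed
        bucket = per_window[epoch - epoch % window]
        bucket["ips"][ip] += 1
        bucket["total"] += 1
        if 500 <= status < 600:
            bucket["errors"] += 1

    findings = []
    for start in sorted(per_window):
        b = per_window[start]
        hot = sorted(ip for ip, n in b["ips"].items() if n > per_ip_limit)
        if hot:
            findings.append((start, "hot_ip", hot))
        if b["total"] > total_limit:
            findings.append((start, "volume", b["total"], len(b["ips"])))
        if b["total"] and b["errors"] / b["total"] > error_ratio:
            findings.append((start, "errors", b["errors"], b["total"]))
    return findings


def _line(ip, second, status):
    """Build one constructed combined-format log line at base time + second."""
    base = datetime(2023, 9, 13, 10, 0, 0, tzinfo=timezone.utc)
    ts = (base + timedelta(seconds=second)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'


def build_sample():
    """Constructed log: a quiet window, a distributed flood, then one hot source."""
    lines = []
    # 0-9 s: 20 ordinary requests from four sources, all served normally
    for i in range(20):
        lines.append(_line(f"203.0.113.{i % 4 + 1}", i % 10, 200))
    # 10-19 s: 300 distinct sources, one request each, server mostly answering 503
    for i in range(300):
        ip = f"198.51.100.{i}" if i < 256 else f"192.0.2.{i - 255}"
        lines.append(_line(ip, 10 + i % 10, 503 if i % 3 else 200))
    # 20-29 s: a single source sending 80 requests
    for i in range(80):
        lines.append(_line("203.0.113.99", 20 + i % 10, 200))
    return lines


if __name__ == "__main__":
    for finding in analyse(build_sample()):
        print(finding)
```

Run against the constructed sample, the middle window trips only the "volume" and "errors" rules (300 sources, none above the per-source limit), while the last window trips only "hot_ip". That contrast is the point of keeping all three rules: a per-source rate limit alone would miss the distributed window entirely, which is why the alert points to upstream DDoS mitigation rather than relying solely on on-premises filtering.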
In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre's Top 10 IT Security Actions Footnote 8 with an emphasis on the following topics:
- Consolidate, monitor, and defend Internet gateways
- Isolate web-facing applications
If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.