In the first two weeks of April, sudden spikes of traffic started hitting gaming and gambling sites in Hong Kong. The increased rush wasn’t anxious gamers looking to place bets, but a DDoS attack designed to take the sites offline.
The unusual activity hounding sites in Hong Kong was caught by the Security Engineering and Response Team at Arbor Networks, a cyber security firm based in the U.S.
A massive influx of traffic from China started pouring into the territory on April 6 and continued in blasts through April 13. During that time frame, Hong Kong was the top destination for targeted attacks, topping the U.S., which routinely receives the highest percentage of DDoS attacks.
It’s uncommon for Hong Kong to attract such attention from a DDoS, or Distributed Denial of Service, attack. These attacks use coordinated machines to direct an overwhelming amount of traffic at a single target.
These attacks—often carried out by massive networks of compromised internet-connected devices coordinated as part of a botnet—can often force a service offline. DDoS attacks are difficult to mitigate because they cannot be stopped by simply blocking one source.
Because the traffic comes from anywhere from dozens to thousands of individual locations, it can also prove next to impossible to distinguish legitimate traffic from attack traffic or determine the origin of the attack.
That anomalous activity detected by Arbor Networks—during which Hong Kong received 28 and 39 percent of all attacks greater than 10 Gbps in size in the two respective weeks—caught the eye of Kirk Soluk, the manager of the company’s Threat Intelligence and Response team.
According to Soluk’s analysis, the attack was likely an attempted extortion attack, designed to knock a target offline until it is willing to pay to make the attack stop.
“Gambling sites and gaming sites that have a financial component are a particularly attractive target,” Soluk told International Business Times, “due to the money the sites stand to lose if they are not available.”
Extortion attempts have been on the rise in recent years, in part because of the wider availability of tools used to perform such attacks and in part because businesses and individuals are more reliant on digital services—trusting digital systems with sensitive data and financial information.
According to a recent report by Symantec, ransomware attacks, which attempt to extort money from individual users and businesses by encrypting their files and demanding payment to decrypt them, rose by 36 percent in 2016—and the average ransom cost increased by 266 percent from the previous year.
DDoS attacks are often used to hit larger organizations rather than single users or small networks, as ransomware does, but they can have an impact on others beyond the intended target.
Soluk warned that DDoS attacks could potentially compromise users of an attacked site and in some cases even put them at physical risk, as in a November 2016 attack in Finland that damaged the heating systems of residential properties in the dead of winter.
“Fortunately, we haven't seen a large-scale critical infrastructure outage directly attributed to a DDoS attack but it's certainly not out of the realm of possibility,” Soluk said. “More notable are outages that result in financial losses for organizations whose Internet presence is taken offline as well as inconveniences for end users wishing to purchase goods or even play games.”
There is collateral damage in any attack of such magnitude, and the bombardment of Hong Kong gaming sites was no exception. While those sites took the brunt of the traffic, a number of other sites also got hit, including two domains belonging to hospitals.
Given that 29 total online gambling and gaming sites were hit in the same surge of traffic, it seems obvious those were the true targets. What is less clear is who carried out the attack.
The vast majority of the traffic came from China, and in some cases such a direct stream directed at domains of one territory can be indicative of cyber warfare between states.
DDoS attacks have become tools of war, and have been seen in attacks like the one launched against the former Soviet Republic of Estonia. Much of the nation was taken offline by a DDoS attack that hit government and private sector servers after the Estonian government decided to move the Bronze Warrior, a Soviet World War II memorial, and angered Russian leadership.
It’s also noteworthy that Hong Kong itself has been hit by DDoS attacks before. Those came in 2014 following a growing pro-democracy movement that was angered in part by China’s influence in the territory’s elections.
Despite the history, and the onslaught of traffic driven from China, there isn’t much indication that the attack on Hong Kong gaming sites was in any way a politically motivated attack.
“Geography has to be taken in proper context, particularly when considering the source of an attack,” Soluk explained. “It is easy for an attacker sitting anywhere in the world to launch a DDoS attack from anywhere else in the world.”
Because of the targets of the attack, Soluk concluded the hit on Hong Kong gaming sites was more likely to be financially motivated than part of an ongoing geopolitical battle between two territories.
The attacks have ceased and the dust has cleared from the torrential traffic, but it’s not clear if that means the targets are in the clear. The attacks came out of nowhere, spiking with little indication and disappearing back into the ether.
That type of uncertainty can’t be planned for, but Soluk said it can be mitigated to some degree with preparedness. He advised sites and online services to follow best current practices for architecting and protecting network infrastructure, including having trained staff that regularly conduct DDoS war games to test the system and utilizing an Intelligent DDoS Mitigation System (IDMS) to help counteract an attack.