Middle East financial institution hit with six-day DDoS attack


An unnamed financial institution in the Middle East was hit with a distributed denial-of-service (DDoS) attack earlier this year that featured multiple waves adding up to about 100 hours over six days.

Researchers at cybersecurity firm Radware said the attack was launched by a group called SN_BLACKMETA, which they claim is made up of pro-Palestinian hacktivists. They based that assessment on the group’s Telegram channel and X account as well as the range of organizations targeted.

The researchers declined to answer questions about what financial institution was attacked or where it is based but explained that the incident stood out because it spanned six days and peaked at 14.7 million requests per second (RPS). As an example of the scale, Google said it stopped a 2022 attack that peaked at 46 million RPS — equivalent to “receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.”

The SN_BLACKMETA incident consisted of four- to 20-hour waves of DDoS attacks on the financial institution averaging about 4.5 million RPS.

“During the six days, a financial institution located in the Middle East was under attack 70% of the time. While under attack, the ratio of legitimate to malicious web requests was as low as 0.002% and averaged 0.12%,” the researchers said.

“Throughout the attack campaign, the attacker tried several times to overrun the customer’s web applications but failed to impact the services. Ultimately, after six days and 100 hours of generating malicious web requests, the attacker moved on.”

The types of DDoS attacks launched by SN_BLACKMETA and other hacktivist organizations attempt to overwhelm websites with a flood of traffic, making them temporarily unavailable to users. 

Days before the incident, SN_BLACKMETA took to Telegram to explicitly say it would attack the financial institution. A search of the group’s Telegram page shows the hackers have threatened and targeted dozens of Middle East financial institutions, including the Israeli International Bank.

The researchers believe the hackers used InfraShutdown — a popular DDoS-for-hire service with subscription fees of about $500 per week.

While government officials say most DDoS attacks are launched as a result of business or gaming disputes, Russia-based groups have used the tactic widely against the U.S. and other institutions opposed to the country’s invasion of Ukraine.


SN_BLACKMETA has operated its Telegram channel since November 2023, boasting of DDoS incidents and cyberattacks on infrastructure in Israel, the Palestinian Territories and elsewhere. While all of the group’s messages focus on the Palestinian Territories and perceived opponents to Palestine, many of its posts are written in Russian. 

The group’s account on X also shows that it was created by someone in Staraya, a town in Novgorod Oblast, Russia. The account’s initial language was also set to Russian.

The researchers added that analysis of timestamps and activity patterns showed possible evidence that the actors within the group are operating in a timezone “close to Moscow Standard Time (MSK, UTC+3) or other Middle Eastern or Eastern European time zones (UTC+2 to UTC+4).” 

The researchers noted that the group’s tactics, methods and targets resembled those of Anonymous Sudan — another alleged hacking group largely launching DDoS attacks against organizations.

All of the countries attacked by SN_BLACKMETA were previously attacked by Anonymous Sudan and there is a 70% overlap in countries targeted by both. Most notably, SN_BLACKMETA has targeted organizations connected to the UAE. The group’s Telegram feed is full of messages criticizing the government of the UAE for its perceived support of Israel and for its alleged involvement in the current Sudanese civil war.

In addition to the UAE, the group has attacked the International Airport of Azrael and the Saudi Ministry of Defense.

Infrastructure organizations in Canada and France as well as telecoms in Israel and the Tel Aviv Stock Exchange were also attacked as the group continued its campaign through March. In May and June 2024, they expanded to target tech giants like Microsoft, Yahoo and Orange. 

On Telegram and other social media sites, the group boasted of its DDoS attacks on infrastructure across the Middle East and claimed it was all done “as retribution for perceived injustices against Palestinians and Muslims.”

“Their targets typically include critical infrastructure such as banking systems, telecommunication services, government websites and major tech companies, all reflecting a strategy to disrupt entities viewed as complicit in or supportive of their adversaries,” the researchers said.

“Their operations reveal a methodical expansion of targets, sophisticated public relations tactics, probable collaborations with other cyber groups, and a very likely connection to Sudan.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
