Posted on April 15, 2022 at 5:06 PM
Distributed denial-of-service (DDoS) attacks have become increasingly common. The hackers behind such attacks have gone so far as to target government ministries, as evidenced by the recent attacks on ministries in Finland.
In Finland, the Ministry of Foreign Affairs and the Ministry of Defence have become victims of a recently detected botnet known as Zhadnost. The botnet was used to conduct DDoS attacks on the two government ministries.
Zhadnost DDoS botnet used to target Finland
Evidence of the Zhadnost DDoS attacks points to the attackers being affiliated with Russia. The SecurityScorecard (SSC) threat researchers found similarities between the recent attack and previous ones that have been conducted by pro-Russian actors.
The DDoS attack in question occurred on April 8. It took place at the same time as the Ukrainian President, Volodymyr Zelensky, gave a virtual address to the Finnish parliament.
Tensions between Russia and Finland have been high since the onset of the Russian invasion of Ukraine. Hours before this attack, it was alleged that Russia had violated Finnish airspace. A Russian Ilyushin IL-96-300 aircraft entered Finnish airspace, but it was not established that it was a military plane.
The attackers sustained the DDoS attack on the two government ministries for around four hours. The attack was launched from over 350 unique addresses distributed across different countries. However, the bots used were mainly based in Africa and Bangladesh.
Out of the total bots used, 82% were MikroTik routers. These routers are produced in Latvia by MikroTik, a firewall hardware and routing manufacturer, and are aimed mainly at emerging markets. The other bots used in the recent DDoS attack were a combination of devices running Apache, Caddy Server and Squid Proxy.
According to Ryan Slaney, a researcher with SSC, MikroTik routers are known to contain several vulnerabilities. This makes them a perfect target for cybercriminals who want to exploit the vulnerabilities to launch more attacks. Around 875,000 units are currently deployed, which gives threat actors a large number of entry points for conducting a series of attacks.
DDoS attack linked to Finland’s pursuit of NATO membership
In a disclosure notice, Slaney added, “the makeup of these bots is nearly identical to that of the Zhadnost botnet, which was responsible for three separate DDoS attacks against the Ukrainian government and financial websites before and shortly after the Russian invasion of Ukraine.”
The researcher also pointed to the similarities between the recent attack on Finland and the attack on Ukraine. Pro-Russian threat actors targeted the Ukrainian government departments on February 18. As in the recent attack, the DDoS attack on Ukraine was conducted using MikroTik routers, Squid Proxy and Apache devices.
The SSC researchers analysed the attack to gather more information about the Zhadnost botnet. They said that “with the addition of the more than 350 bots we identified in this campaign, SSC is now aware of nearly 3350 bots that make up the Zhadnost botnet.”
Following the recent invasion of Ukraine by Russia, there has been a growing need for neutral countries to join the NATO alliance. Some of the neutral countries in Europe are Finland and Sweden, and recent events show that such countries are pushing for speedy NATO membership.
Russia has been advocating against a growing NATO presence in the East, and the Russian foreign policy is committed to keeping these neutral countries away from getting a NATO membership.
According to the SSC researchers, the recent DDoS attack is linked to Finland's pursuit of NATO membership. The researchers' analysis shows proof that the attacks were conducted by Russian-affiliated threat actors, but the researchers did not issue a precise statement that Russia was behind the attack.
The DDoS attack did not have a long-lasting effect. The attacked websites were swiftly restored. The SSC believes that the attacker did not intend to cause long-lasting damage but only wanted to show their capabilities.
However, Slaney noted that Finland was vulnerable to more cyber attacks in the near future following the country's pursuit of NATO membership. If events indicate that Finland is inching closer to securing the membership, it could increase tensions, and more severe attacks could be conducted on Finnish government ministries or other critical sectors.
“Based on prior history of Russian attacks, the next play in the Russian cyber threat actor playbook would be deployment of wiper-style attacks, possibly against critical infrastructure and government targets,” the announcement added.