Russian Hacktivist Group Targets Political Websites with DDOS Attacks
A Russian hacktivist group calling itself “The People’s Cyberarmy” called on its members to target the American Democratic party website at https://democrats.org with DDOS (Distributed Denial of Service) attacks this morning, November 8th, 2022, which is Election Day in the United States. A post in their Telegram channel, “CyberArmyofRussia_Reborn”, which has more than 7,000 subscribers contained targeting instructions, and the channel contains links and instructions to downloadable DDOS tools.
The group itself uses fairly unsophisticated attack methods and does not have a high likelihood of succeeding at taking down the democrats.org site, as the attack instructions include an IP address for the site that is one of four Fastly CDN IPs. This indicates not only that the site itself already has DDOS mitigation in place, but that the attackers are targeting it in a way that is unlikely to achieve their goals.
While this group does not appear to consist of particularly skilled attackers, and has until now primarily targeted Ukrainian websites, Google-owned cybersecurity firm Mandiant has noted that it has coordinated with the Russian state-sponsored threat group known as APT-28 in the past.
Skilled attackers frequently use the chaos caused by DDOS attacks as cover to gain or escalate access to a system, or to exfiltrate sensitive information. In this case it is likely that the purpose of the attacks is simply to make a statement. While the attacks on the Democratic party website have not been successful at the time of publication, they appear to have added the website of the Mississippi secretary of state, who is currently a Republican, to the list of targets.
The fact that the target URL is an easily cacheable PDF file would make it significantly more difficult to successfully take down the site but the website at www.sos.ms.gov appears to be down at this time, indicating that the group is having considerably greater success. We expect ongoing attacks on local and regional government sites throughout election day, and may update this post as more information becomes available.
Note regarding research posts that include political references: In the past we have found that posts related to an election, or that mention a political party or figure, tend to produce fiery rhetoric in the comments. We’re leaving the comments open on this post, but please note that we won’t be approving comments that are inflammatory or designed to promote a political debate on this blog. Our focus is on reporting data that helps cybersecurity analysts identify indicators of compromise, attackers, and their tactics, techniques and procedures. If you have data to bring to the conversation, we welcome your input!
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.
Comments
11:43 am
What are they trying to accomplish? Hacking Democratic websites seems to be an exercise in futility. If they want to disrupt Democratic chances in the midterms, they are probably better off going with their “usual” attempts to influence social media and spread disinformation.
1:31 pm
Would this attack have effect on people who are on various Democratic mailing lists? I am a web-designer (small), and I manage about 8+ sites, 3 of which have been very unresponsive/quirky today. I use Wordpress, in case that matters.
Thanks,
Steve Keller
1:57 pm
Hi Steve,
This shouldn't impact any additional sites that aren't being specifically targeted, and these attackers aren't particularly savvy - I'm surprised they had as much success as they did, and this group doesn't seem to have moved on from the Mississippi Secretary of State's website at this time.
2:48 am
So far the site is blocked and gives an 503 error - Error 54113. So it appears they have succeeded inspite of what you are writing.
4:54 am
Looks like any connection from outside of the US renders a 403 error. Is that another preventive measure by the website owner?
3:21 pm
Using a vpn from the USA, then the site becomes visible. So outide US traffic is blocked. A rather harshand crude method.