DDoS attacks on UK financial sector surged during Ukraine war

The UK’s Financial Conduct Authority (FCA) has revealed evidence of a dramatic and ongoing surge in the number of distributed denial of service (DDoS) attacks against the financial sector, with a quarter of the incidents notified in the first six months of this year involving DDoS, compared to 4% in 2021.

The data was revealed via a freedom of information (FoI) request lodged by breach and attack simulation (BAS) specialist Picus Security, which said the data may indicate the financial services industry is being targeted by nation-state attackers and hacktivists linked to Russia’s ongoing war on Ukraine – which has driven similar surges against operators of critical national infrastructure (CNI) and government bodies, particularly in Nato and Nato-aligned countries in eastern Europe.

Given the enormous influence of British banks and financing in global affairs, and London’s pre-war status as a money-laundering hub for Russian oligarchs, it becomes easy to see why the financial sector might be targeted.

“DDoS attacks are a concern for financial institutions, with their ability to disrupt operations and even bring them down entirely,” said Suleyman Ozarslan, co-founder of Picus and vice-president of Picus Labs.

“UK financial institutions are in the crossfire of the ongoing war between Russia and Ukraine and have become a direct target for nation-state attackers and hacktivists seeking to disrupt Ukraine’s allies.

This said, the observed rise in DDoS attacks also coincides with an observed increase in DDoS-for-hire websites, and ransomware operators using DDoS as an additional tactic to pressurise victims into paying.

Many of these DDoS attacks seem also to have been of the more sophisticated, carpet-bombing type, a popular method (particularly among nation-state actors). In such attacks, multiple IP addresses at the target are bombarded at the same time with a smaller amount of traffic per host.

“As a result, they can be extremely difficult to mitigate,” said Ozarslan. “To reduce the risks, businesses must be able to scrutinise large traffic volumes over time and respond swiftly to anomalies that threaten network availability.”

Picus said that up to now, such attacks have mainly targeted internet service providers (ISPs) and CNI operators, but that the finance sector was now also clearly a target.

All told, the FCA said it received 55 reports of “material” cyber incidents in the first half of 2022, down 25% from 73 compared to the same period in 21 – approximately 35, or 64% of these, were due to cyber attacks.

Over the same period, it also revealed that the number of cyber incidents involving malware and phishing were down 75% and 50% respectively, and the number of incidents involving ransomware were down 63%.

“While it’s encouraging that financial firms reported fewer cyber incidents in the first half of 2022 than they did during the equivalent period in 2021, there is no time for complacency,” said Ozarslan.

“As threats evolve, financial institutions must continue to proactively harden their defences. This includes validating that security controls and processes provide protection against the latest risks.”

The FCA holds responsibility for regulating over 50,000 financial services firms, all of which must report any material cyber incidents to it immediately. Such incidents are defined as one that results in significant loss of data, or availability or control of IT systems; affects a large number of victims; or results in unauthorised access to, or malicious software present on, its information and communications systems.