Daily Newsletter

27 February 2024

Q&A: Why have cyberattacks in Poland spiked since Donald Tusk’s election?

Threat intelligence expert Richard Hummel dissects why cyberattacks in Poland have increased drastically since Tusk was elected.

Alex Blair, February 22 2024

Worldwide cybercrime costs are estimated to reach $10.5trn annually by 2025, with both companies and governments bearing the brunt of cyberattacks by malicious actors.

As a threat intelligence lead for data security firm NetScout, Richard Hummel is seasoned in analysis of malware, intrusion detection and threat migration. His sixteen-plus years’ experience in the cybersecurity sector has seen Hummel encounter all types of threat.

Recent attention has centred on the rise in distributed denial-of-service (DDoS) attacks, which “attempt to overwhelm network connections to make them unavailable” rather than intruding into the network itself, according to Hummel.

Speaking to Army Technology, Hummel explains the form of and forces behind the drastic surge in DDoS activity in Poland since Prime Minister Donald Tusk took office in December.

What is the current political and cybersecurity landscape in Poland?

Richard Hummel: Changes in political leadership can cause disruptions in many areas. One notable area is in cyberspace, where DDoS attacks often spike when a new head of government is elected. This increase in attack activity often results from hacktivists and other threat actors opposing the viewpoints of newly elected officials and wanting to take action.

There has been a significant surge in DDoS attack activity in Poland since the new Prime Minister, Donald Tusk, was sworn in on 13 December 2023. Attack volume began to increase around Christmas and has continued to remain elevated to this day, spiking on 14 January with more than 5,000 total attacks. This surge in attacks, fuelled by the new government’s support of Ukraine, resulted in a massive four times increase in DDoS attack volume.

The most notable group targeting Poland is NoName057. The pro-Russian, highly prolific hacktivist group has targeted several types of websites, including government administration, transportation and logistics, finance and air transport.

This wave of DDoS attacks targeting Poland will raise alarm bells around the world, given the series of leadership elections taking place this upcoming year. As such, governments, service providers, and enterprises, as well as society at large, should be prepared for these attacks.

Why have cyberattacks increased since Tusk gained office?

DDoS attacks often spike with a change of the guard. These spikes often result from hacktivist and other groups opposing the viewpoints of newly elected officials. Some notable groups that do this include Killnet, Anonymous Sudan, and NoName057, who often target countries that are perceived as ‘anti-Muslim’ or show support and solidarity with Ukraine.

Groups like NoName057 will continue to wage a political and religious war against any nation that stands in the way of their ideals and goals. NoName057 is also strongly pro-Russian, targeting Tusk for reversing his predecessor Mateusz Morawiecki’s decision to halt arms exports to Ukraine.

What form have cyberattacks against the Polish government and other institutions taken?

A large portion of the attacks include botnet-driven attacks. These can take several forms including HTTP/HTTPS application-layer attacks, which are a staple of Killnet and NoName057. The latter of these two uses code called DDoSia, often hosted on public hosting infrastructure.

These bots can also launch any number of volumetric attacks and perform network intrusion activity like brute-forcing, scanning, and exploitation. In conjunction with the botnet attacks, there is a large amount of reflection/amplification attack traffic. These attacks are often easy, cheap, and readily accessible via booter and stresser services in the underground internet.

Given the political views of the current administration in Poland, there are likely a lot of hacktivists and opportunists taking up digital arms with DDoS leveraging these underground services.

Are the perpetrators state actors, or independent hacktivist groups?

We often classify them as arms-length state actors. What we mean by that is they often look like state actors, target those opposed to specific nations, and seem to have state backing, but are in fact criminal groups.

We have no doubt that many of them take cues from, and perhaps even targeting from, state actors, but we have yet to make a definitive connection that ties them to funding received directly from government entities or direct operational control.
