Zhadnost DDoS botnet deployed against Finland
A distributed denial of service (DDoS) attack against the websites of the Finnish Ministry of Foreign Affairs and Defense was the work of a recently discovered botnet called Zhadnost and was likely orchestrated by Russian or pro-Russian actors, according to SecurityScorecard (SSC) threat researchers.
The cyberattack took place on Friday, April 8, at the same time as Ukrainian President Volodymyr Zelensky was delivering a virtual address to members of the Finnish Parliament, and just hours after an alleged violation of Finnish airspace by a Russian Ilyushin IL-96-300 aircraft – it is not known if this was a military aircraft, although it is known that the Russian government uses this model as such.
SSC analysts noted that the cyberattack lasted for four hours and was launched from more than 350 unique IP addresses from around the world, but mostly from bots in Bangladesh and Africa. The majority of them, 82%, were MikroTik routers (MikroTik is a Latvia-based manufacturer of routing and firewall hardware with a focus on emerging markets); the rest were a mix of Apache, Squid Proxy and Caddy Server devices.
SSC’s Ryan Slaney said that unfortunately, MikroTik routers contain a “host of vulnerabilities” that make their installed base a particularly useful tool for attackers. About 875,000 units are thought to be in service, potentially representing a “nearly infinite number” of bots, he said.
“The architecture of these bots is almost identical to that of the Zhadnost botnet, which was responsible for three separate DDoS attacks on Ukrainian government and financial websites before and shortly after the Russian invasion of Ukraine,” Slaney wrote in a disclosure note.
“The attack on Finland is identical to the first attack on Ukraine carried out on February 15. Both attacks consisted of HTTPS flooding and relied on MikroTik, Squid Proxy, and Apache devices to carry out the attack.
“With the more than 350 bots we identified in this campaign, SSC is now aware of nearly 3,350 bots that make up the Zhadnost botnet.”
A side effect of Russian President Vladimir Putin’s war on Ukraine has been to solidify the western NATO alliance and spur previously neutral countries, including Finland and Sweden, to accelerate membership of the alliance. Keeping these two countries out of NATO has long been a goal of Russian foreign policy.
The SSC believes the cyberattack was motivated by Finland’s bid for NATO membership and has moderate confidence that it was the work of a Russian-affiliated actor, although it does not make an exact attribution.
The attack had little lasting impact and both sites were quickly restored. SSC believes that the operator of the botnet was aware of this and intended the action as muscle flexing rather than an attempt to cause lasting damage.
Still, Slaney hinted that the DDoS attack on the Finnish government could herald further action depending on how Finland’s proposed NATO membership unfolds. He said: “Based on the history of Russian attacks, the next piece in the playbook of Russian cyber threat actors would be to deploy wiper-style attacks, potentially against critical infrastructure and government targets.”
SSC provides IoCs associated with the Zhadnost botnet upon request – more details are available on its blog.