DDoS Attacks Report for Q1 2024: Middle East and Africa (MENA)
The year began with a bang. DDoS attacks increased by 183% compared to Q1 2023, and hackers bombarded both businesses and governments with sophisticated attacks. Let's break down the trends that shaped the MENA threat landscape in Q1 2024.
Introduction
Welcome to the Q1 2024 DDoS threat report, MENA edition. This report covers DDoS attacks against StormWall's clients in the Middle East and Africa region in Q1 2024, as observed through our traffic filtering network.
StormWall's network, which processes up to 4500 Gbit/s at peak loads and has points of presence in Dubai, scrubs DDoS traffic for hundreds of businesses, from enterprises to local SMEs. All of this data gives us a unique insight into the state of DDoS threats.
Q1 2024 Main Trends
- DDoS attacks in MENA increased by 183% year-on-year. The main drivers were the active expansion of companies into MENA markets and the ongoing Israeli-Palestinian conflict, which fuelled hacktivism.
- The Israeli-Palestinian conflict escalated DDoS attacks on belligerents when Iran launched a direct missile and drone attack against Israel on April 13, 2024.
- Ongoing armed conflict and several MENA countries' political ties to Russia combined to increase hacktivism, and government services bore the brunt, accounting for 28% of DDoS attacks in the region.
- The average number of botnet nodes in the MENA region quadrupled to 16,000, enabling attackers to launch more powerful DDoS attacks by increasing the number of infected devices under their control, known as horizontal scaling.
- Carpet bombing attacks, which target a wide range of IP addresses within a network, increased by 164% year-over-year — a trend tied to the fourfold increase in botnet capacity in MENA.
To learn more about how these trends affected the DDoS threat landscape, continue reading.
Malicious Traffic Up 183% In One Year
The volume of DDoS traffic in MENA has grown by 183% in just one year, and there are several reasons for this: the active expansion of companies into MENA markets creates new targets for hackers; the Israeli-Palestinian conflict continues to fuel hacktivism.
On April 13, 2024, Iran launched a direct missile and drone attack on Israeli territory. This was the first direct attack in a long-running proxy conflict, escalating the DDoS threat in Iran in particular.
Hacktivists Hit Government Services Hard
Ongoing armed conflict and several MENA countries' political ties to Russia combined to increase hacktivism. Hacktivists are well-organized cybercriminals who don't pursue monetary gain. Instead, their actions focus on attracting public attention to a political cause by launching large-scale DDoS attacks and defacing websites. Often these attackers target government services, and we see this in the breakdown of the most targeted industries: 28% of DDoS attacks in the region targeted the government vertical.
DDoS Attacks in MENA Became More Sophisticated
MENA hackers are arming themselves with new capabilities. We have seen this in two main ways.
Firstly, we're tracking several botnets operating in the MENA region, and the average number of botnet nodes increased fourfold to 16,000.
Botnets are networks of infected devices controlled by an attacker through a central server. The hacker can issue a command to each node in the network to send network requests to a target URL, which strains the network's capacity and causes system downtime.
There are two main ways that botnets can grow in power: by adding more processing power to each node, or by increasing the number of devices. Botnets in the MENA region are rapidly scaling the second way — horizontally. While the average number of botnet nodes was 4,000 a year ago, it has now reached 16,000.
Secondly, carpet bombing attacks increased 264% year over year.
Most DDoS attacks focus on a single IP address, but a carpet bombing attack targets a wide range of IP addresses within a network, saturating the entire infrastructure with a flood of traffic. This type of attack is usually harder to mitigate. Just like real carpet bombing, it's indiscriminate and causes massive collateral damage; it hits multiple systems and makes it harder to tell malicious traffic from legitimate.
Carpet bombing attacks often require large botnets, and we can see how the fourfold increase in botnet capacity in MENA is related to the popularity of this attack method.
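The following is an added example, not StormWall's code or part of the original report: it shows why a per-destination rate threshold misses traffic spread across a network range, and how aggregating by prefix exposes it. The flow records, the /24 prefix length and all thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumed thresholds for illustration only; tune against your own baseline.
PER_HOST_BPS = 100_000_000       # alert if one destination exceeds 100 Mbit/s
PER_PREFIX_BPS = 2_000_000_000   # alert if one /24 exceeds 2 Gbit/s in total
MIN_HOSTS = 64                   # ...spread over at least this many destinations

def build_flows():
    """Constructed sample: (destination IP, bits/s) for one measurement interval."""
    flows = [(f"203.0.113.{i}", 40_000_000) for i in range(1, 201)]  # spread flood
    flows += [("198.51.100.10", 80_000_000),    # busy but normal server
              ("198.51.100.11", 5_000_000),     # quiet host
              ("198.51.100.77", 900_000_000)]   # classic single-target flood
    return flows

def per_host_alerts(flows, threshold=PER_HOST_BPS):
    """Classic detection: flag each destination whose own rate is too high."""
    totals = defaultdict(int)
    for dst, bps in flows:
        totals[dst] += bps
    return sorted(dst for dst, bps in totals.items() if bps > threshold)

def carpet_alerts(flows, prefix_len=24, min_bps=PER_PREFIX_BPS, min_hosts=MIN_HOSTS):
    """Prefix detection: sum traffic per network and count distinct destinations."""
    rate = defaultdict(int)
    hosts = defaultdict(set)
    for dst, bps in flows:
        net = str(ip_network(f"{dst}/{prefix_len}", strict=False))
        rate[net] += bps
        hosts[net].add(dst)
    return {net: (rate[net], len(hosts[net])) for net in rate
            if rate[net] > min_bps and len(hosts[net]) >= min_hosts}

if __name__ == "__main__":
    flows = build_flows()
    print("per-host alerts:", per_host_alerts(flows))
    print("per-prefix alerts:", carpet_alerts(flows))
```

In this sample the per-host check reports only the single-target flood, while the prefix check reports the /24 that carries 8 Gbit/s in total even though no individual address in it crosses the per-host threshold.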
Attack Share by Vertical
In the table we can see how all the trends mentioned above affect the distribution of DDoS attacks across verticals:
And the table below shows the MENA verticals where we saw the highest year-over-year growth in DDoS attacks in Q1 2024:
Here are the main takeaways:
- In 2023, government services accounted for 34% of the total DDoS attacks in the MENA region, meaning that government services were hit the hardest of all verticals.
- In second place by attack volume (18% share) is the energy sector, and that's up from 2% in 2023 as a whole — hackers began specifically targeting this vertical in Q1 2024.
- Telecommunications (12% share) was the most targeted vertical throughout 2023, but in the first quarter of 2024, hackers attacked more companies in the IT industry (14% share).
- We're seeing very pronounced year-over-year growth in two verticals: attacks against government services are up 218% from Q1 2023, and attacks against the energy sector are up 206%.
Let’s break down the top 5 most attacked verticals in more detail:
1. Government Services
This is the vertical where we saw both the biggest share of attacks (34%) and the highest year-over-year increase (218%).
Why was the government targeted to such an extent? Two major factors compounded. Firstly, Iran's direct attack on Israel escalated the situation. Secondly, many MENA countries have political or economic ties to Russia, which draws the attention of hackers and state-sponsored threat actors, who targeted government websites and portals. Taken together, this created something of a perfect storm of events and exposed government services in the MENA region to hacktivism.
2. Energy Sector
The energy sector, the second most attacked vertical, was slammed by 18% of DDoS traffic in the MENA region in Q1 2024. This is a 206% increase from Q1 2023.
Energy infrastructure is critical on a national level, and hackers tend to focus on it in the midst of geopolitical conflicts. We've seen this with malware like Stuxnet in 2010 and Industroyer in 2016, but DDoS is also a common tool used against energy infrastructure; that’s because DDoS attacks threaten business continuity, something that is of great consequence in this vertical.
Energy grids have several points of vulnerability to DDoS: hackers target supervisory control and data acquisition (SCADA) systems to disrupt operations and energy management systems (EMS), which are networked smart meters that communicate with control centers over the Internet.
3. IT
In the IT sector, we witnessed a 14% share of DDoS attacks and a 114% growth year-over-year.
The majority of these attacks targeted the Gulf region, with a particular focus on the United Arab Emirates (UAE), where StormWall has a presence in Dubai. The UAE is home to approximately 27,000 startups, including 9 unicorns, making them potentially lucrative targets for cybercriminals.
At the same time, many Russian IT companies are relocating or establishing subsidiaries in the UAE to circumvent economic sanctions and tap into the MENA market. Hackers are closely following these moves.
Collectively, these trends have resulted in IT companies in the MENA region facing both financially motivated and politically driven cyberattacks.
4. Telecommunications
In the telecom vertical, we saw 12% of the attacks and a growth of 182% compared to the first quarter of the previous year.
Attacks against telecom companies have a wide impact zone. Take down the carrier's network and all connected devices go down with it. That's why telecoms offer attackers the opportunity to disrupt communications for political purposes. We also continue to see incidents in Israel, where APTs are using DDoS attacks in cyberwarfare to disrupt communications.
5. Financial and payment services
We saw 9% of DDoS attacks and a 137% increase year-over-year in the financial and payment services vertical.
Banking, financial and payment services were heavily targeted in Palestine and Israel. Much of the traffic hitting Israel came from Indonesia, India and Bangladesh. Attacks were launched by organized groups of hacktivists and APTs from countries supporting Palestine in the ongoing conflict.
MENA DDoS Attacks: Breakdown by Country
Let's break down how DDoS attacks in MENA were distributed by country in Q3 2023:
The data reveals that countries with developed economies are the most vulnerable to cyber attacks. The UAE tops the list, with 21% of recorded attacks, followed by Saudi Arabia at 18%. Interestingly, the trend shifts as we move down the list, with Iran taking third place at 14% and Israel in fourth at 12%. This deviation can be attributed to a high number of politically motivated attacks.
In Iran, the surge in attacks coincided with parliamentary election campaigns. Similarly, Israel has been targeted by hacktivists and Advanced Persistent Threat (APT) groups due to the ongoing Israel-Palestine conflict, which began in October 2024. The prominent positions of these countries in the report underscore the fact that a significant portion of malicious traffic is driven by political and ideological motives rather than financial gain.
In line with this trend, it's worth noting that Palestine has surpassed Jordan in the number of attacks, with 5% and 4% respectively.
Which Protocols Were Most Affected
The chart below shows MENA DDoS attack distribution by protocol in Q1 2024.
One of the biggest changes we've seen this quarter is the increase in attacks over the DNS protocol. DNS reflection and amplification attacks are capable of generating enormous amounts of malicious traffic that is directed to the victim's server. While last year these types of attacks averaged only about 3%, this quarter that number jumped to 5%.
Wrapping up
In Q1 2024, the DDoS threat landscape in the Middle East and North Africa region was heavily influenced by geopolitical events and the expansion of businesses into these markets.
The ongoing Israeli-Palestinian conflict and many MENA countries' ties to Russia fueled a surge in hacktivism. As a result, government services and critical infrastructure were hit the hardest. Here are the key takeaways:
- DDoS attacks in MENA increased by 183% compared to Q1 2023.
- Government services accounted for 34% of attacks, a 218% year-over-year increase.
- The energy sector saw a 206% increase in attacks, with 18% of the total share.
- Botnet capacity in MENA quadrupled to 16,000 nodes on average.
- Carpet bombing attacks rose by 264% due to increased botnet power.
- The UAE (21%), Saudi Arabia (18%), and Iran (14%) were the most targeted countries.
As we move forward, by understanding the evolving threat landscape and implementing robust DDoS mitigation strategies, businesses can protect themselves from the growing risks posed by politically and financially motivated attackers.