Cyberattacks that knock internet platforms offline temporarily—a particular concern on Cyber Monday—are likely to spike this holiday season, but victims have few legal avenues to seek recovery, attorneys and industry professionals say.
Ransomware attacks that take control of victims’ systems garner more media attention, but distributed denial-of-service attacks are one of the most common cybersecurity incidents to disrupt a company’s business operations.
Cybercriminals use DDoS attacks to overwhelm targeted platforms with internet traffic from many devices. The objective varies depending on the perpetrator, but the most common goals are to extort money or cause chaos, attorneys say. The tactic recently received national attention when more than a dozen major US airports’ websites crashed at the hands of pro-Russian hackers. Los Angeles International Airport and O’Hare in Chicago were among those affected.
The threat posed by DDoS attacks is considered less than that of other cyberattacks, and the majority last less than an hour. But the disruptions they cause can pose a unique threat to e-commerce businesses and gaming companies during the holidays, when internet traffic to those industries spikes dramatically. The victims typically have fewer viable options for legal reprisal, attorneys say.
“During the holiday seasons, you see a number of things going on that for purposes of information security and operational security are not necessarily good,” said Michael Gold, the chair of Jeffer Mangels Butler & Mitchell LLP’s cybersecurity group.
“There’s very often shorthanded IT staffs, people tend to get distracted during the holidays, the volume of internet traffic” increases, Gold said. “And what that translates into for purposes of the threat actors is higher levels of volume, more transactions to interfere with.”
The number of global DDoS attacks that Microsoft mitigated last holiday season reached near-peak levels for the year, according to the company’s 2022 Digital Defense Report. The annual report also noted that 54% of the attacks Microsoft observed over the past year targeted entities in the US, where most of its customers are also based.
Perpetrators of DDoS attacks can range from unaffiliated individuals to state-linked hacktivists, said Doug Madory, the director of internet analysis for network monitoring platform Kentik.
Russia, for example, dealt destabilizing cyber blows to Ukraine’s financial services and government websites in February 2022 before it invaded the country, aiming to contribute to mass confusion. Russian-linked hackers have also increased cyberattacks directed at the US and its allies.
Hackers using the denial-of-service method typically employ a large number of compromised, low-security devices to bombard a network with traffic at a high enough volume to crash it, according to the US Cybersecurity and Infrastructure Security Agency. Such attacks are notoriously difficult to trace because they come from a far-flung network of hijacked devices known as a botnet, Madory said.
Crashing an organization’s online platform can disrupt its ability to conduct business with customers or prevent citizens from receiving crucial information, Madory said. Past DDoS attacks have impeded access to election office websites, and the 2016 Mirai botnet attack assault on the internet infrastructure provider Dyn Inc. resulted in cascading outages for Twitter, Reddit, Spotify, CNN, The New York Times, and many other popular platforms.
Possibly the most damaging consequences, though, could come if people were prevented from accessing their bank accounts due to a crashed network, said Lisa Sotto, who chairs Hunton Andrews Kurth’s privacy and cybersecurity practice.
The best practices businesses can employ to minimize their exposure to DDoS attacks are to proactively run attack simulations and contract a cybersecurity service that can intercept and redirect high volumes of internet traffic, according to industry professionals.
Sotto said that cybercriminals who targeted her clients with DDoS attacks often demanded a Bitcoin ransom to prevent additional, larger attacks from occurring. “They would say, ‘We’ve proved what we could do for a couple of hours, and if you pay us two Bitcoin, we won’t come back and do it worse,’” she said.
Aside from financial losses, a key concern surrounding DDoS attacks is their use as a distraction. A crash could be used to divert attention and resources to allow for a larger and more damaging cyberattack, such as stealing customer data or introducing malware to a network, Madory said. Use of that ploy appears to remain relatively small, though: Of the 8,456 DDoS incidents Verizon recorded in its 2022 Data Breach Investigations Report, only four were associated with a data breach.
Holiday Hacking Spike
While many DDoS attacks are politically fueled and aimed at social disruption, the variety that tends to dominate during the holiday season focuses on commercial businesses, Madory said.
Common targets during November and December include retail and gaming companies, according to Microsoft’s report.
Even relatively short outages could have big financial implications for e-commerce businesses.
The National Retail Federation projectedthis month that holiday sales in its category that includes online sales would total at least $262.8 billion in 2022, up from $238.9 billion last year, a figure that already reflected “extraordinary growth,” likely due to consumers turning to online shopping during the pandemic, according to NRF’s holiday season report.
Online retailers could begin to find spikes in denial-of-service attacks a problem outside of holiday season as well.
Microsoft charted a sustained spike in the volume of attacks it mitigated throughout August 2021 that surpassed its December figures. The deviation from the typical DDoS pattern of heightened activity may foreshadow a shift to a more year-round one, according to its report.
Suing those responsible for initiating a DDoS attack is possible, but rare and difficult, attorneys say.
“Similar to data breach and ransomware, you typically don’t see the lawsuit against the bad actor for various reasons: You don’t know who they are; you don’t know where they are,” said Robert Stines, a partner who practices in cybersecurity at Freeborn & Peters LLP.
Sports betting company
The company made legal headway after a federal judge in Massachusetts granted DraftKings’ request for emergency discovery, which it used to subpoena several internet service providers associated with IP addresses involved in the incident. The company voluntarily dismissed the lawsuit with no explanation four months after discovery was granted.
Such a legal strategy is viable, but fact-specific and uncommon, according to Gold of Jeffer Mangels Butler & Mitchell LLP. In fact, litigation is often not the most viable avenue for recovering from a DDoS attack, attorneys said. That also applies to lawsuits alleging a third party, such as a cybersecurity contractor, was to blame for the platform’s vulnerability.
“Sometimes there’s lots of bluster between companies where there’s at least an indication that one of the companies is responsible for not preventing the attack, but it’s unusual for a business to sue another business on cyber because these attacks are so ubiquitous,” Sotto of Hunton Andrews Kurth said.
Companies that have cyber insurance can attempt to recoup financial losses incurred from a DDoS attack if their policy includes a business interruption clause, Stines said.