What’s In a Denial-of-Service Attack? This Week’s ‘Cyber Vandalism’ at US Airports Could Signal the Next Step In Russia’s War

Monday's attacks on U.S. airports, including Los Angeles International Airport (LAX), were—on the surface—a nuisance, but experts say they could signal trouble ahead.

Russian cybercrime gang Killnet claimed the attacks on more than a dozen American airport websites, including Hartsfield-Jackson Atlanta International Airport (ATL), and Chicago O'Hare International Airport (ORD) along with LAX. The group listed its targets on its Telegram channel. For a time, the Distributed Denial-of-Service (DDoS) attacks—in which websites are flooded with “junk” traffic, overwhelming servers—either slowed or took the airports’ public sites offline completely, according to the Los Angeles Times.

Still, Infosecurity Magazine reported that the attacks had “no direct impact on airport operations.”

An attack like this wasn’t exactly unexpected. Multiple federal agencies authored an April 2022 cybersecurity advisory warning that the February Russian invasion of Ukraine might “expose organizations both within and beyond the region to increased malicious cyber activity.” It mentioned DDoS attacks and named multiple known cybercrime gangs, including colorfully named groups such as Salty Spider, Fancy Bear, and Killnet, which took down Connecticut’s Bradley International Airport in March.

Infosecurity Magazine’s story also noted that early press coverage about the April advisory was criticized for raising alarms about what some security experts wrote off as essentially “kids” making digital mischief.

But denial-of-service attacks aren’t simply cyber vandalism, said Bryan Hornung, CEO and founder of Philadelphia-based Xact IT Solutions.

“We usually see three types of DDoS attacks,” he said, “One, where they create a nuisance to let you know what they are capable of. Two, where they use DDoS to mask a more severe type of attack. Three, where they hold the network traffic hostage and demand a ransom to stop the DDoS attack.”

“In these cases,” Hornung continued, “there are plenty of other ways to stop the attack, so cyber criminals do not typically succeed with extortion regarding DDoS.”

Cybersecurity firm Tanium’s Director of Security Research Melissa Bischoping agreed that the attacks should be taken seriously. “The concept of a denial of service may seem inconvenient and annoying,” she told dot.LA, “but DDoS attacks can be used to take critical systems—or revenue-generating systems—offline, impacting your organization’s bottom line.”

Bischoping and Hornung agreed that these types of attacks could be used for pure disruption and nothing more. Still, Hornung said that often “we see DDoS attacks happening to divert the attention of technical people, so a different, more severe attack can be deployed.”

“How they are used depends on the attacker’s skill level, motivation, and the level of access they have obtained in the environment,” said Bischoping.

Any time there’s a chance for “increased economic disruption, social unrest and political uncertainty, cyber attacks also tend to increase,” Bischoping added.

“This can be due to ‘hacktivism,’” she continued, “nation-state efforts, or criminal activity for economic gain.” In addition, she said we should expect “all future military conflicts to have some cyber element to them, including the current ones.” For that reason, she said, it’s crucial to remain vigilant.

Asked if Russian losses in Ukraine will likely lead to more cyber attacks, Hornung replied, “The cyber war will intensify regardless of what happens in Ukraine.”

He also wasn’t ready to dismiss DDoSing as the work of independent groups acting alone.

“No cyber criminal activity in Russia happens without approval from Moscow,” Hornung said.