Attack on Labour shows need for DDoS defence but should alarm few

After being hit by two DDoS attacks in the space of 24 hours, many commentators are convinced the UK’s Labour Party is the victim of foreign interference in the General Election campaign. It probably isn’t

Oscar Wilde never wrote, “To be the victim of one distributed denial of service (DDoS) attack may be regarded as a misfortune, to be the victim of two inside 24 hours looks like carelessness”, but had Wilde been a not-especially well informed modern-day commentator instead of a 19th century playwright, he might well have done.

On the morning of 12 November, it emerged that with a month to go until the General Election, the UK’s Labour Party had been the victim of a DDoS attack against its systems, which according to its spokespeople was swiftly repelled thanks to “robust security” measures. But this was not the end of the matter. Just a few hours later, its systems and websites came under fire once again, and the renewed assault was once again beaten back.

To be subject to two such attacks in the space of 24 hours is indeed unfortunate, but to read some of the commentary, one might be forgiven for thinking the sky was falling in.

Although described by Labour as a “large-scale and sophisticated” attack, it is important to remember that, in general, DDoS attacks are anything but sophisticated and are rarely large in scale. DDoS attacks can be cheaply and easily orchestrated – they are often sold as-a-service for as little as €5.00 – and while they can be used to mask other attempts to breach a target’s systems, there is no indication that this was the case, yet.

It is even possible to cause an accidental DDoS attack, as happened earlier this year when hundreds of thousands of people crashed a UK government website as they tried to sign a petition to revoke Article 50 and cancel Brexit.

In this case, however, it is just as likely – in fact, probably more likely – that the attacks were carried out by one or two people with a botnet, than on the personal orders of Vladimir Putin, as many have rushed to claim.

Indeed, according to the National Cyber Security Centre (NCSC), the incident did not warrant classification as a major incident, in part because Cloudflare, the hosting company upon which the Labour Party relies, claims that its network capacity is 15 times greater than that of the biggest DDoS attack ever recorded, and in this instance, it seems to have proved its worth.

“If this is a sign of things to come in this election, I feel very nervous about it all – a cyber attack against a political party in an election is suspicious and something one is very worried about”
Labour leader Jeremy Corbyn

Preliminary post-mortems suggest that no data has been exfiltrated from Labour’s systems, and the election campaign continues as normal.

However, coming ahead of a controversial General Election held during one of the most febrile political climates in British history, with political division across the country stark and intractable, even if the Labour Party was not targeted by a state actor, there is still cause for concern that it was targeted at all.

“If this is a sign of things to come in this election, I feel very nervous about it all, because a cyber attack against a political party in an election is suspicious and something one is very worried about,” said Labour leader Jeremy Corbyn, who compared the DDoS attack to the 2017 WannaCry ransomware campaign, which claimed many NHS organisations as collateral damage.

“We do need far better defensive arrangements against cyber attacks made against us,” he added.

Political interference

Although attribution to state-level threat actors is difficult and often unwise, given the origins of interference in the 2016 US presidential election, and evidence pointing to similar involvement in wrongdoing by Leave.EU during the Brexit referendum campaign, it is understandable that fingers might be pointed, and obvious at whom.

Anthony Chadd, global senior vice-president at Neustar, noted that the attacks on Labour appeared to have originated from IP addresses located in Brazil and, crucially, Russia, although he stressed this was not necessarily an indication of attribution.

“It was reportedly not state-sponsored, and yet it serves as an important reminder to public sector leaders and security teams about the sheer importance of always-on cyber defences, especially in the current heightened political landscape,” said Chadd. 

The chief security officer of Cybereason, Sam Curry, said DDoS attacks are notoriously difficult to attribute to particular actors or players, such as rogue hackers, a disgruntled hacktivist group, or a nation state group. 

“As we head into Brexit, the UK General Election on December 12 and the 2020 US Presidential elections, this is a reminder that we should all become more resilient,” he said. “While it is early to speculate on this particular attack being a test of the network security capabilities of the Labour Party, based on previous misinformation campaigns targeting elections, expect additional threats to surface and the Labour Party to be tested again in the future.”

Nominet’s cyber security vice-president, Stuart Reed, said the attack was really no surprise given the convergence of political life across the physical and virtual worlds in the past decade. But, he added, a political cyber attack had potentially severe consequences, not least because it could sway public opinion.

“This is the first stone to be thrown in the cyber security space for this election, but it won’t be the last. The political environment is now inseparably intertwined with the cyber world and the consequences of any major attack could go down in history”
Stuart Reed, Nominet

“How the public view the attacked and the attacker will give them an impression of their digital competency and cyber maturity,” he said. “While the Labour Party seems to have defended against this attack, it will be interesting to see if others can do the same.

“This is the first stone to be thrown in the cyber security space for this election, but it won’t be the last. As we’ve seen in examples across the world, the political environment is now inseparably intertwined with the cyber world and the consequences of any major attack could go down in history.”

SonicWall EMEA vice-president Terry Greer-King said the failed attack underscored the fact that political attacks are now part of the day-to-day business plan for cyber criminals. “Breaching a political organisation for the purpose of compromising personal information, or even blackmail, tampers with the political fabric of a nation and potentially tampers with democratic processes,” he said.

“[This] attack raises important questions around the upcoming election. Any vulnerabilities within political parties will be ruthlessly exploited, hindering and possibly manipulating their information and systems.

“Today’s trustworthy security solutions should empower government agencies and political parties, like Labour in this instance, to consistently meet cyber security safeguarding requirements and procedures, and implement layered security solutions to block attackers every step of the way,” said Greer-King.

Attribution unknown

Whether or not the attack was carried out by well-paid agents in a Russian lab, or a British teenager who loves code but hates Corbyn, the truth is that it will be hard to ever determine the source.

“It’s almost impossible. The whole point is that the attack is distributed, so working out who is controlling them all is very difficult,” said Kieran Roberts, head of penetration testing at Bulletproof.

Dan Pitman, principal security architect at Alert Logic, said a botnet was effectively a large set of drones that are not necessarily connected to the attacker. “Due to this, tracking down the actual culprit is difficult, unless they decide to boast about it or make themselves known within the hacking community,” he said. “Considering the attack fundamentally failed to cause significant disruption, this seems unlikely.”

Insider threat: A more productive attack

Darktrace co-founder Emily Orton said that all political parties would be batting away small-scale attempts to breach their systems daily. “Some attacks are more successful than others, some are advanced and others less so. A DDoS attack is not particularly sophisticated and relatively easy to mitigate,” she said.

However, had an organised actor wanted to aggressively target Labour and its peers, they would have been better off getting someone on the inside, according to Orton.

“As political campaigns are run increasingly within a digital context, attackers might aim to do damage in a number of ways, whether by accessing data on voters or campaign strategy that would deliver a competitive advantage to the adversary, by opportunistically digging for information that could be reputationally damaging to prominent individuals, or by disrupting the organisation so as to slow productivity,” she said.

“In this new era of deepfakes and increasingly sophisticated hackers, the government, political parties, the media and campaign groups must all be on the leading edge of innovation to protect targeted data and minimise the impact of any attempts to disrupt their activities,” added Orton.

Shore up DDoS protection

Naturally, there are lessons for everybody in Labour’s experience, as Daisy Communications CIO Tariq Saied explained.

Saied said that while it was true that DDoS attacks are not as sophisticated as many other threats, they continue to happen daily – with most being unreported in the media – and deserve to be taken seriously.

“Fortunately, Labour had procedures in place to handle the attack because the party could’ve experienced severe consequences, such as a loss of confidential data, which could have damaged their campaign,” said Saied.

“DDoS protection doesn’t have to be costly, so this attack should serve as a wake-up call to organisations to ensure they have the right infrastructure in place to deal with any threats.”

“DDoS protection doesn’t have to be costly, so this attack should serve as a wake-up call to organisations to ensure they have the right infrastructure in place to deal with any threats”
Tariq Saied, Daisy Communications

EfficientIP’s vice-president of business development, Ronan David, said: “While this mainly impacted on IT systems’ efficiency, DDoS attacks can be significantly disruptive, as shown recently by the city of Johannesburg and Amazon Web Services both being crippled by the same tactic. As such, detection and mitigation of sophisticated attacks requires continuous vigilance and purpose-built DNS security, otherwise critical functions of essential services could cease to function without warning.”

Neustar’s Chadd added: “Increasingly, hackers are moving away from large-scale DDoS attacks to smaller, hyper-targeted ones that fly under the radar of an organisation’s defences. Crucially, to detect and mitigate against DDoS attacks of all sizes, protection needs to span a variety of areas, from the perimeter to websites and applications.

“As demonstrated by this case, having a robust web security strategy and best practices in place from the beginning is vital, particularly as hackers become more sophisticated and constantly innovate to cause maximum pain.”

Read more about DDoS attacks

Read more on Hackers and cybercrime prevention