A distributed denial of service (DDoS) attack against the websites of Finland’s Ministry of Foreign Affairs and Ministry of Defence was the work of a recently discovered botnet dubbed Zhadnost, and was likely orchestrated by Russian or pro-Russian actors, according to SecurityScorecard (SSC) threat researchers.
The cyber attack took place on Friday 8 April, at the same time as Ukrainain president Volodymyr Zelensky was delivering a virtual address to members of the Finnish parliament, and mere hours after an alleged violation of Finnish airspace by a Russian Ilyushin IL-96-300 aircraft – it is unknown whether it was a military plane, although the Russian government is known to use this model as such.
SSC’s analysts found that the cyber attack was sustained over a four-hour period and was launched from more than 350 unique IP addresses from all over the world, but predominantly by bots located in Bangladesh and Africa. The majority of them, 82%, were MikroTik routers – MikroTik is a Latvia-based manufacturer of routing and firewall hardware with a focus on emerging markets – with the rest a mixture of devices running Apache, Squid Proxy and Caddy Server.
SSC’s Ryan Slaney said MikroTik routers unfortunately contain a “bevy of vulnerabilities” that make its installed base a particularly useful tool for threat actors. There are thought to be about 875,000 units deployed, which potentially represents a “near infinite number” of bots, he said.
“The makeup of these bots is nearly identical to that of the Zhadnost botnet, which was responsible for three separate DDoS attacks against Ukrainian government and financial websites before and shortly after the Russian invasion of Ukraine,” wrote Slaney in a disclosure notice.
“The Finland attack is identical to the first Ukraine attack, which was conducted on 15 February. Both attacks consisted of HTTPS flooding and relied on MikroTik, Squid Proxy and Apache devices to conduct the attack.
“With the addition of the more than 350 bots we identified in this campaign, SSC is now aware of nearly 3,350 bots that make up the Zhadnost botnet.”
One side-effect of Russian president Vladimir Putin’s war on Ukraine has been to solidify the western Nato alliance and drive previously neutral countries, including Finland and Sweden, towards accelerated membership of the alliance. Keeping both these countries out of Nato has long been a goal of Russia’s foreign policy.
SSC believes the cyber attack to have been motivated by Finland’s pursuit of Nato membership, and assesses with moderate confidence that it was the work of a Russia-linked actor, although it refrained from precise attribution.
The attack had little lasting impact, and both websites were quickly restored. SSC believes the operator of the botnet was likely to have been aware of this, and intended the action as more of a flexing of muscles rather than an attempt to cause lasting damage.
Nevertheless Slaney suggested that the DDoS attack on the Finnish government could herald further actions depending on how Finland’s proposed accession to Nato pans out. He said: “Based on prior history of Russian attacks, the next play in the Russian cyber threat actor playbook would be the deployment of wiper-style attacks, possibly against critical infrastructure and government targets.”
SSC is making available IoCs associated with the Zhadnost botnet on request – more details are available at its blog.