Lapsus$ attacks: A lesson in cybersecurity and DDoS for SaaS platform

At a Glance

A new breed of criminal has emerged in hacker town and the most notorious amongst them, goes by the name Lapsus$. This gang uses DDoS and other threats to target some of the giants in the tech world – Microsoft, Samsung, Nvidia, and more recently, Okta. 

Last month, Lapsus$ targeted Vodafone Portugal, disrupting its 4G and 5G services, allegedly using DDoS or ransomware attacks. They even redirected a Brazilian car rental company’s (Localiza) website, to an adult media site just for fun.

But Lapsus$ isn’t the only villain in town. There are others as sinister as Lapsus$, if not more. In 2021, for the first time ever, three prolific DDoS extortion campaigns operated simultaneously. VoIP providers pounded with high-profile DDoS extortion or ransom DDoS (RDDoS) attacks from another hacking gang. REvil copycat, resulting in an estimated revenue loss of $9 to $12 million, while other hacker(s) like Lazarus Bear Armada (LBA) and Fancy Lazarus targeted organizations around the world.

So what are these DDoS attacks? How often do they occur? With even big companies like Microsoft and Nvidia being targeted, despite their multi-million dollar cybersecurity budget, should you be worried? We try to answer these questions in this article.

What is DDoS? 

Cyber-threats come in a variety of shapes and sizes and one of them is the DDoS attacks. The term DDoS is an acronym for ‘distributed denial of service’. A threat actor like Lapsus$ use resources from several remote locations to target and attack an organization’s online operations. This is known as a DDoS attack. 

DDoS attacks typically focus on creating attacks that change the defaults of network equipment and services like routers or caching services. To make them behave in an abnormal way and stop them from doing their intended tasks.

According to a recently released Threat Intelligence Report by NETSCOUT, around 9.7 million DDoS attacks happened in 2021. A 14% rise from pre-pandemic times in 2019.

NETSCOUT is a supplier of application performance management and networking products. One of its main products is Arbor, a DDoS protection solution. 

SaaS services are prone to DDoS attacks

The NETSCOUT report says that in 2021 DDoS attackers focused attention on targets that haven’t traditionally been in the crosshairs. Such as Voice over Internet Protocol (VoIP) providers (who reported an estimated $9 to $12 million in revenue loss). Also, software publishers (which includes SaaS companies), and computer manufacturing.

The report says that in the second half of 2021, the hardest hit were the software publishers which records 606% increase in attacks compared with the first half of 2021. 

Taking down a SaaS company is a reputation gain for some hacking organisations. They do it for exposure and gain hacker credibility so that it gives them clout in the hacking community. And of course, there involves monetary gain too in the form of ransoms.

About half of organizations incur losses between $1,000-$10,000 per minute spent down as a result of a DDoS attack. And with losses of up to $100,000 per minute,  you may be compelled to simply settle with your attacker after they ransom your service. 

SaaS companies are expected to keep their services available 24/7. Cloud hosts most of the critical applications. If the service goes down, you can expect to field angry emails and loss of revenue as customers pivot to competitors. When the reputation of the organization injures, customers will find another solution that hasn’t experienced outages. 

Most targeted sectors for DDoS attacks

According to NETSCOUT’s report, some of the most targeted sectors were the Wireless Telecommunications carriers; Data Processing, Hosting + Related Services; Wired Telecommunications Carriers; and Electronic Shopping + Mail-Order Houses.

Attackers also targeted selected industries which included software publishers (606% increase), insurance agencies and brokers (257% increase), computer manufacturers (162% increase). The educational places like colleges, universities, and professional schools (102% increase).

10 million DDoS attacks in 2021

The most shocking finding of the NETSCOUT report is that the adversaries launched more than 9.7 million DDoS attacks in 2021. Just 3% shy of the record-breaking 10 million attacks seen in 2020 and a whopping 14% more than seen pre-pandemic in 2019.

This shows that the pandemic induced online work culture increased the attacks in 2020. The slow shift back to office in 2021 resulted in the reduction of DDoS attacks last year. Just before Omicron was discovered, COVID-19 restrictions were reduced. People returned to work outdoors, which marked the beginning of the decline.  

Commenting on the report, Threat intelligence lead of NETSCOUT, Richard Hummel said, “While it may be tempting to look at the decrease in overall attacks as threat actors scaling back their efforts, we saw significantly higher activity compared to pre-pandemic levels. The reality is that attackers are constantly innovating and adapting new techniques, including the use of server-class botnets. DDoS-for-Hire services and increased used direct-path attacks that continually perpetuate the advancement of the threat landscape.”

Adversaries also turned their attention to direct-path (non-spoofed) DDoS attacks using botnets and TCP-based floods in the second half of 2021.This followed a decrease in DNS and CLDAP amplification, resulting in fewer attacks in most countries and regions.

However, APAC attacks increased by 7% as other regions subsided. Amid ongoing geopolitical tensions in China, Hong Kong, and Taiwan, the Asia-Pacific region saw the most significant increase in attacks year over year compared to other regions.

Most common attack Vectors

The NETSCOUT report further reveals that high-powered botnet armies and attackers have developed more sophisticated operational processes. With added new strategies, techniques, and approaches to their arsenals, rebalance the scales between volumetric and direct-path (non-spoofed) attacks.

One of the Key findings were the REvil copycat DDoS extortion attack campaigns which waged against several VOIP services providers. One of the VOIP service providers reported $9M-$12M in revenue loss due to DDoS attacks. 

Ransomware gangs including Avaddon, REvil, BlackCat, AvosLocker, and Suncrypt observed using DDoS to extort victims. The fastest DDoS attack increased by 107% year over year and the multi-vector attack against a target in Russia recorded 453 Mpps.

DDoS-for-Hire services have made attacks easy to launch. NETSCOUT examined 19 DDoS-for-Hire services and their capabilities that eliminate the technical requirements and cost of launching massive DDoS attacks. When combined, they offer more than 200 different attack types.


Despite the 3% drop in overall attack numbers in 2021 compared to the previous year, there’s no question that attackers haven’t halted their war against businesses and their customers. In fact, they are prepared to take it up a notch by sharpening their skills with new strategies and mastering techniques to ensure the bigger payday from nefarious extortion efforts. 

To it is critical that businesses too adapt at a rapid rate to keep up with the latest in tech to block DDoS attacks.

By blocking IP address spoofing, implementing best current practices, and leveraging intelligent DDoS mitigation solutions, it is possible to fully block or dramatically reduce the impact of DDoS attacks or any other attacks manufactured by adversaries.

Previous News Post
Next News Post
Most Popular