The number of observed distributed denial-of-service (DDoS) attacks nearly trebled during the first six months of 2022, with tit-for-tat hits by threat actors aligned with Russia and Ukraine driving much of the activity, according to new proprietary data from Radware, which has just published its 2022 H1 Global threat analysis report.

In the report, Radware said Russia’s attack on Ukraine had had a significant impact on cyber crime and hacktivist or cyber vigilante activity, disrupting wider cyber efforts driven by national governments and introducing “extreme unpredictability”.

Radware said it saw both established and newly formed Russian and Ukrainian groups aiming to disrupt and create chaos by stealing and leaking information, defacing websites, and conducting denial-of-service attacks.

“The threat landscape saw a marked shift in the first half of 2022,” said Pascal Geenens, director of threat intelligence at Radware.

“As Russia invaded Ukraine, the cyber focus changed. It shifted from the consequences of the pandemic, including an increase in attack surfaces driven by work from home and the rise of underground crime syndicates, to a groundswell of DDoS activity launched by patriotic hacktivists and new legions of threat actors.”

But these attacks were not only linked to the war in Ukraine. Hacktivist groups were also active in targeting the build-up to the May 2022 Philippines presidential election, with opposition politicians, media websites – including that of news network CNN – and fact-checking resources also targeted by supporters of the then-president Rodrigo Duterte.

Meanwhile, the politically motivated group known as DragonForce Malaysia was active in conducting substantial attacks on targets linked to Israel in mid-April, as the country’s then prime minister Naftali Bennett, struggled to hold his government together. Then, in June, the same collective launched a series of attacks against Indian targets in response to controversial statements about the prophet Muhammad made by a Hindu politician.

“No organisation in the world is safe from cyber retaliation at this time,” said Geenens. “Online vigilantes and hacktivists could disrupt wider security efforts driven by nations and authorities. New legions of actors could introduce extreme unpredictability for intelligence services, creating a potential for spillover and wrongful attribution that could eventually lead to an escalation of the cyber conflict.”

All told, Radware said it mitigated 60% more attacks between January and June than it did in the entirety of 2021, with the number of blocked events per customer doubling every quarter. The average cumulative volume of blocked events per customer hit 3.39TB of network traffic – up 47% compared with the first six months of 2021.

However, the average DDoS attack size per individual incident dropped noticeably during the observed period, from 139Mbps in the fourth quarter of 2021 to 73Mbps in the first quarter of 2022, and 64.5Mbps in the second – although there were still some very high-volume incidents. One carpet-bombing attack mitigated by Radware represented a total volume of 2.9PB and lasted 36 hours, peaking at 1.5Tbps with a sustained attack rate of over 700GBps for over eight hours. This may have been one of the largest ever DDoS incidents.

A related and growing trend during the first six months of the year has been a growth in ransom denial-of-service (RDoS) attacks, which combine extortion demands – some from groups claiming to be established ransomware gangs – with denial-of-service attacks if the victim does not pay. One 2022 campaign by a group claiming to be REvil saw ransom notes and demands embedded within the attack payload.

Radware’s full report is available for download here. Besides the firm’s latest data on DDoS attacks, it also reports on other forms of web application attack and unsolicited network activity.