Naked Security

DDoS attack on US Health agency part of coordinated campaign

It coincided with a disinformation campaign carried out via SMS, email and social media claiming that national quarantine was imminent.

Just because a website offers critical public information about the COVID-19 virus pandemic doesn’t mean Distributed Denial of Service (DDoS) attackers won’t be out to get it.
It’s a point underscored by the news that on Sunday cybercriminals attempted to disrupt the US Department of Health and Human Services (HHS) website using an unidentified flood of DDoS traffic.
The HHS site is one of the first ports of call for US citizens looking for a range of health information, including HHS announcements and links to COVID-19 updates from the Centers for Disease Control and Prevention (CDC).
It seems attackers – later described by officials as a “foreign actor” – twigged its importance too.
According to a Bloomberg report, the attack slowed the site but didn’t cause it to go offline. DDoS attacks come in different sizes and types and it’s not been revealed which methods were used beyond the fact the attacks lasted for hours.
HHS spokesperson Caitlin Oakley told Bloomberg:

On Sunday, we became aware of a significant increase in activity on HHS cyber infrastructure and are fully operational as we actively investigate the matter.

These days, DDoS attacks are not the potent weapon they once were, primarily because large websites are protected by a newer generation of defences trained on a number of large attacks that hijacked a widening range of protocols.
It’s all relative of course, but downplaying it might be to miss the point because this attack was unusual in another way – officials said it coincided with a disinformation campaign carried out via SMS, email and social media that reportedly claimed that a national quarantine of the US was imminent. Again, few details of this campaign have been released and news of it only emerged when the National Security Council (NSC) tweeted its refutation:

This sort of coordination is something commercial cyberattackers would be unlikely to bother with, hence the claim that a nation-state was behind it.

The purpose, then, might have been to spread a rumour that citizens visiting the HHS site would not have been able to confirm thanks to the DDoS attack. That’s the ultimate purpose – spreading confusion and a mistrust of government.
To emphasise how seriously it was taking the attack, the US Government source told Bloomberg:

Secretary of State Michael Pompeo and other Trump administration officials are aware of the incident.

This reading is impossible to confirm, of course, but what matters on this occasion is that the attacks were detected and were not left unchallenged.
Far from deterring cybercriminals, major events such as a global pandemic clearly act to enhance the effect of attacks by disrupting services in ways people are more likely to notice.
Of course, cyberattacks against health-related sites happen all the time but few people beyond those immediately affected pay them much heed. If Sunday’s DDoS attack on the HHS is only the start, COVID-19 might yet change this indifference.



My money’s on a Chinese government/military actor, in vengeful response to comments about the “Chinese coronavirus”.

