Cyber Threats Loom Over Davos Summit

Between 20th and 24th January 2025, the town of Davos-Klosters, Switzerland, hosted the annual World Economic Forum (WEF). This event drew global political and business leaders, as well as media attention. However, it also became a target for cyber attacks. The NETSCOUT ASERT team, specializing in cybersecurity, observed a significant increase in Distributed Denial of Service (DDoS) attacks before and during key speeches.

Timeline of DDoS Attacks

During the World Economic Forum event, more than 1,400 DDoS attacks of varying sizes were recorded. Compared to December, attacks nearly doubled during the WEF period. Here’s a breakdown of key attack trends:

  • 19th January: A major Swiss service provider was hit with high-bandwidth attacks, peaking at 426 Gbps. The method used was DNS reflection amplification, likely a test run for later attacks. No major disruptions were reported.
  • 20th January: As the first official session started at 14:00 UTC, cyberattacks spiked to 24 Gbps at 15:20 UTC. Unlike the previous day, attackers used multiple amplification methods to cause disruption.
  • 21st January: Attack numbers increased as a key speech approached. This time, hackers used TCP-based attacks along with DNS query floods. The change in methods suggested a strategic shift.
  • 22nd January: Attack methods remained similar, but were less bandwidth-intensive. Small TCP floods (RST, SYN, and SYN/ACK attacks) indicated an attempt to overwhelm networks with small data packets.
  • 23rd-24th January: The fourth day saw a decrease in attack activity. However, on the final day, a significant surge of attacks occurred, extending beyond the WEF’s closing.

Three DDoS attack metrics as observed by ASERT. The grey regions mark the official schedule of the event.

Political Motivations Behind the Attacks

High-profile events like WEF often become targets for politically motivated cyber groups. One such group, NoName057(16), known for supporting Russian interests, was linked to the attacks.

This group typically uses a DDoS botnet called DDoSia, which floods websites with HTTP traffic. However, during the WEF, they changed tactics, focusing on TCP-based attacks. This shift aligned with ASERT’s broader observations of attack patterns during the event.

An overview of the DDoS attack instructions of the DDoSia botnet. Although their signature is HTTP application-layer attacks, this time the botnet primarily instructed clients to generate TCP traffic.

Who Were the Targets at the World Economic Forum?

The DDoS attacks mainly targeted Swiss industries linked to critical infrastructure. Analysis of attack patterns revealed a focus on:

  • Telecommunication providers
  • Cloud service providers
  • Other large service networks

Past incidents show that major international events often lead to increased cyberattacks, putting extra strain on internet service providers.

ASERT detangled the ~1,400 DDoS attacks and mapped the destination addresses onto their corresponding industries. It becomes clear that international assemblies primarily attract DDoS attacks that target telecommunication providers.

Lessons Learned

The rise in cyberattacks during global events highlights the need for strong cybersecurity defenses, particularly for critical service providers. The WEF attacks reinforce the importance of preparedness and resilience to prevent disruptions.

Cybersecurity teams must continue monitoring emerging threats and shifting tactics from adversaries to stay ahead of potential attacks.
