Surge in DDoS Attacks on Russian Financial Sector

Unprecedented Rise in DDoS Attacks Targeting Russian Financial Sector

Analysts at Qrator Labs have reported an unprecedented surge in the number of DDoS attacks on Russia’s financial market. According to their findings, these attacks are being carried out using a new botnet called Mēris, and over the past weekend, the number of attacks more than tripled.

Recently, experts from Yandex and Qrator Labs provided a detailed overview of this botnet. Mēris is responsible for some of the most powerful DDoS attacks in recent times, with peak volumes reaching 17.2 and 21.8 million requests per second, a new record. For example, Mēris has recently targeted Yandex and a Cloudflare client, and was behind DDoS attacks in New Zealand that disrupted internet access, banking services, postal operations, and more.

The botnet was named Mēris, which means “plague” in Latvian, as it is believed to consist mainly of devices from the Latvian company MikroTik.

Focus Shifts to Financial Institutions

Researchers note that August and September 2021 saw a general increase in DDoS attacks across various sectors, from small businesses to major corporations. Since early September 2021, attackers have focused their efforts on the Russian financial sector. The number of DDoS attacks on banking organizations continues to grow, with attackers increasing both the intensity and complexity of their assaults using the power of Mēris.

The peak of these attacks occurred on September 11, when a series of DDoS attacks targeted leading banks and payment systems. Researchers recorded three waves of attacks, with traffic peaking at 212 Gbps and tens of millions of requests per second.

Application Layer Attacks and Security Challenges

One notable feature of these attacks is that they occur at the application layer (Layer 7), making the traffic appear similar to that of regular users. These attacks use encrypted HTTPS traffic, which requires significant resources and computing power to filter, as cryptographic processing is added to the handling of requests.

The Russian financial market faces unique information security challenges that complicate filtering such attacks. Banks are not allowed to disclose financial secrets to third parties, so their traffic cannot be decrypted without risking license revocation. As a result, banks cannot provide encryption keys to their DDoS protection service providers, since doing so would go against security policies. This makes Mēris attacks on the banking industry particularly difficult to detect and neutralize.

Expert Commentary and Recommendations

“Usually, we observe no more than 90 significant DDoS incidents per week, but on September 11, there were over 300,” said Alexander Lyamin, founder and CEO of Qrator Labs. “Mēris is not losing momentum: attacks using it continue and are phenomenal in scale. Last weekend, the banking sector was the main target, but this does not mean that other industries are safe. With the high business season starting in Russia, companies of all sizes should proactively address protection. If your anti-DDoS system can automatically process all HTTPS traffic without exposing encryption keys, it will help withstand any attacks without service disruptions.”
