Intelligence glitch: the largest bot attack on government agencies in the Russian Federation has been stopped
A record attack on Russian government and public organizations, involving 4.6 million IP addresses, was recorded on May 16, the network security company Curator told Izvestia. Market participants have confirmed that a large number of automated DDoS attacks have been recorded since May 15. Although the May 16 attack was repelled, a new wave began on the 19th and lasted at least two days; service failures were confirmed, in particular, by the Federal Tax Service. Why government structures are vulnerable and how such attacks are repelled is the subject of this Izvestia article.
How did the botnet attack go?
The largest botnet attack on government agencies and public organizations in recent years has been neutralized in Russia. It occurred on May 16, the cybersecurity company Curator told Izvestia; 4.6 million IP addresses were blocked.
"For comparison, the largest DDoS botnet identified in 2023 consisted of 136 thousand devices, and the largest DDoS botnet discovered in 2024 consisted of 227 thousand devices," the company's press service explained.
They noted that the attack took place in several stages. In the first stage, the attackers used about 2 million devices. In the second, another 1.5 million were added, and in the third the attackers increased the number of devices to 4.6 million.
"They probably used all the resources they had at their disposal," the company said. "Most of the devices involved in the botnet were from South and North America."
In particular, approximately 1.37 million IP addresses blocked during the attack (30% of the total botnet) were registered in Brazil, 555 thousand devices were from the USA, 362 thousand from Vietnam, 135 thousand from India and 127 thousand from Argentina.
"Earlier this year, we already encountered this botnet — then we blocked 1.33 million IP addresses. At the same time, we observed a more than threefold increase in the number of devices involved in the attack, which may indicate the active development of the botnet by its organizers," said Dmitry Tkachev, CEO of Curator.
He explained that when attacking unsecured or poorly protected resources, a DDoS botnet of this size can generate tens of millions of requests per second and disable servers. Not every DDoS protection provider can withstand such an attack, which potentially jeopardizes the availability of all clients' resources at the same time.
The company did not disclose who is behind this attack. But an expert from the Garda group of companies, Luka Safonov, said that the so-called IT Army of Ukraine had earlier claimed responsibility.
The expert confirmed that a "fairly large botnet" was operating on May 16.
"But analytics usually takes into account not the number of attacking devices, but the attack power in terms of the number of requests to resources or channel utilization," said Luka Safonov.
He explained that in a botnet attack, attackers gain control of legitimate devices and servers and use the resources of these captured devices to send requests to the targeted sites.
"Such attacks, as a rule, clog the channel and bring down resources with a large number of even legitimate requests. It can be difficult to identify among the requests those that relate to real users," he said.
Dmitry Belyanin, head of StormWall's Pre-sale department, confirmed that there were indeed "noticeably more" automated DDoS attacks on Russian organizations on May 15-19.
"If we compare with the same period of the previous year, the increase was 144%," he said. "However, these days we have recorded a significant increase in the number of attacks not only in the public sector, but also in other industries. In particular, in retail, telecom and financial companies. According to our preliminary estimates, more than half of the attacks on enterprises in these industries were carried out using a botnet that used mainly Russian IP addresses."
He called the figure of 4.6 million IP addresses ambiguous.
"On the one hand, record-breaking scales are appearing in the information field more and more often: botnets are really becoming more powerful, the number of devices used is growing every year," said the expert. "On the other hand, the figure of 4.6 million blocked IP addresses may not be entirely accurate. It all depends on how exactly the traffic is counted and filtered in a particular system."
When it comes to the power of a botnet and the power of an attack, there is always an element of PR, Mikhail Khlebunov, director of products at Servicepipe's computer security service, told Izvestia.
"For example, commercial groups that possess and rent out botnets are often not only willing to talk about their power, but also conduct demonstration attacks to demonstrate it," he said. "At the same time, a powerful attack does not mean the greatest danger to business."
How to repel a bot attack
As Dmitry Belyanin reminded, a botnet is a network of infected devices that the attacker controls and can use to generate a huge number of requests to the victim's resources. Such malicious traffic can operate at the application level and can also disable infrastructure at the network level.
"We are also increasingly noticing that botnets are involved in combined attacks that affect several levels of infrastructure at once," he said.
Usually, the consequences of such attacks include the unavailability of websites and web applications, and problems with their operation. Commercial companies suffer reputational and financial losses. In the case of government and public organizations, botnets are often used as a weapon in the context of information warfare.
"But there are also cases when groups launch attacks in order to demonstrate their strength and for self-promotion," Dmitry Belyanin said.
In a "classic" DDoS attack, when all malicious traffic is routed to multiple IP addresses, the attack is easy to detect and the traffic is filtered out, Mikhail Khlebunov said.
"Intelligent attacks are more dangerous, even if not of the highest power, when AI tools allow attackers to quickly change the attack vector, thus overcoming protection based on template solutions," the expert said. "The multi-vector carpet attacks that led to the unavailability of services in 2024, as well as many government resources and the largest telecom players, did not have record speeds or botnet capacities in 2025."
The main difficulty in repelling mass attacks is that traffic sources are spread all over the world and their number can reach several million, Dmitry Belyanin added.
"At the same time, bots are increasingly behaving like legitimate users, so filtering out malicious traffic without false positives is not an easy task," he said. "Professional AntiDDoS solutions are required to repel botnet attacks. They repel such attacks thanks to multi-level protection combining automatic traffic filtering, behavioral pattern analysis and a globally distributed network of cleaning centers."
Machine learning is often used in the development of specialized security tools, which helps to quickly recognize anomalies, even when an attack is disguised as legitimate traffic.
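The difficulty the experts describe above, as an added illustration that is not part of the article and not any vendor's product logic: a plain per-IP rate filter is run over constructed traffic from a widely distributed botnet (every bot IP sends only two requests) and compared with a simple behavioural scoring filter. All IP addresses, paths and user-agent strings are constructed, and the three scoring signals are illustrative assumptions, not the detection logic of Curator, StormWall or Servicepipe.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ip: str
    path: str
    user_agent: str
    has_session_cookie: bool


# Constructed sample traffic (no real addresses): 200 botnet IPs that each send
# two requests to one expensive endpoint, plus two real users browsing normally.
BOT_UA = "Mozilla/5.0 (compatible; constructed-bot-ua)"
TRAFFIC = [Request(f"203.0.113.{i}", "/api/search?q=x", BOT_UA, False)
           for i in range(1, 201) for _ in range(2)]
TRAFFIC += [Request("198.51.100.7", p, "Mozilla/5.0 (real-user-ua-1)", True)
            for p in ("/", "/static/app.css", "/static/app.js", "/api/search?q=shoes", "/cart")]
TRAFFIC += [Request("198.51.100.8", p, "Mozilla/5.0 (real-user-ua-2)", True)
            for p in ("/", "/static/app.css", "/login", "/account") * 3]


def flag_by_rate(traffic, max_requests_per_ip=10):
    """Classic volumetric filter: block any IP that exceeds a request threshold."""
    counts = Counter(r.ip for r in traffic)
    return {ip for ip, n in counts.items() if n > max_requests_per_ip}


def flag_by_behaviour(traffic, threshold=2):
    """Score each IP on session behaviour instead of raw request volume."""
    by_ip, ua_ips = defaultdict(list), defaultdict(set)
    for r in traffic:
        by_ip[r.ip].append(r)
        ua_ips[r.user_agent].add(r.ip)
    flagged = set()
    for ip, reqs in by_ip.items():
        score = 0
        # Signal 1 (assumed): only dynamic endpoints are hit, no page assets ever loaded.
        score += all(r.path.startswith("/api/") for r in reqs)
        # Signal 2 (assumed): no request in the session carries a session cookie.
        score += not any(r.has_session_cookie for r in reqs)
        # Signal 3 (assumed): the identical user-agent string is shared by 50+ source IPs.
        score += max(len(ua_ips[r.user_agent]) for r in reqs) >= 50
        if score >= threshold:
            flagged.add(ip)
    return flagged


def evaluate(detector):
    """Return (bot IPs caught, legitimate IPs wrongly flagged) for the sample traffic."""
    bots = {r.ip for r in TRAFFIC if r.user_agent == BOT_UA}
    flagged = detector(TRAFFIC)
    return len(flagged & bots), len(flagged - bots)
```

On this sample the rate filter catches none of the 200 bot IPs and blocks one real user, while the behavioural filter catches all 200 with no false positives; a botnet that also fetches assets and replays cookies would erode the second result, which is the point the experts make about bots imitating users.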
Continued attacks
However, May 20 was marked by attacks on government and commercial structures that were less widespread but had more serious consequences. For example, the Federal Tax Service officially announced that it was registering high-level DDoS attacks from abroad. They started on the morning of May 19.
"Security and infrastructure management systems are operating normally, user data is securely protected, and there is no intrusion into the infrastructure of the Federal Tax Service of Russia. The Information Security Service of the Federal Tax Service of Russia is working in enhanced mode, together with the relevant departments of the telecom operator," the agency said, warning that the federal service's electronic services may periodically be unavailable for a short time.
Izvestia's sources at a cybersecurity company reported that Ukrainian hackers have been attacking the federal service for the second day.
Users of the National Digital Marking System "Honest Sign" also reported failures. Over the course of the day, the Downdetector service received about 1.2 thousand reports from them, which is considered a "moderate" amount. The Honest Sign company stated that the labeling system is working stably and no failures have been recorded.
The Downdetector service also recorded failures in the Saby personnel management service (almost 9.4 thousand complaints) and the Gosklyuch system (9.8 thousand requests). About 5.4 thousand complaints were received about the work of the FTS services.
Recently, hacktivists have repeatedly attacked state and near-state resources, Mikhail Khlebunov confirmed.
"At the same time, the attackers used AI tools that allow attackers to quickly adjust the attack vector in such a way as to overcome protection based on template solutions," he explained. "To counter such attacks, it is necessary to have solutions with the ability to quickly and flexibly adapt to new vectors."
Among the difficulties of protecting government resources against such intelligent attacks, he cited the fact that they cannot hand their traffic over to service providers for cleaning. They need on-premise solutions, that is, solutions located inside the infrastructure of the state-owned company itself.
Translated by the Yandex Translate service