{
	"id": "7b85478e-759c-4a98-b62c-9c6035e435ee",
	"created_at": "2026-04-06T00:11:06.327353Z",
	"updated_at": "2026-04-10T03:34:45.481741Z",
	"deleted_at": null,
	"sha1_hash": "09024b912e7dee8d229e0ea31a6d95d058cc26f5",
	"title": "DDoS attacks in Q2 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1408552,
	"plain_text": "DDoS attacks in Q2 2022\r\nBy Alexander Gutnikov\r\nPublished: 2022-08-03 · Archived: 2026-04-02 11:28:54 UTC\r\nNews overview\r\nPolitically-motivated cyberattacks dominated the DDoS landscape in the second quarter of 2022 just as they did in\r\nthe previous reporting period. Altahrea Team, a group targeting NATO and its partners, attacked public\r\ntransportation websites in Israel and the United Kingdom. Israel saw a cyberattack on the Airports Authority, and the\r\nUK, an attack on the Port of London Authority. Also attributed to the group are cyberattacks on websites affiliated\r\nwith the Turkish ministry of defense.\r\nAttacks linked in some way or another to the Russia-Ukraine conflict continued too. The pro-Russian hacktivist group\r\nKillnet, which first surfaced in January 2022, claimed responsibility for DDoS attacks on the websites of various\r\nEuropean organizations from April through June. Starting on April 18, Czech government and public\r\ntransportation websites, including those of the rail authority and airports, came under attack. Then on April 29, the\r\nhackers targeted Romanian government websites including those of the Border Police, the National Railway\r\nTransport Company and Optbank, and on May 8, German websites, including the Bundestag and the Federal\r\nPolice. Italy was another DDoS target: the websites of the senate, the National Health Institute and the Automobile\r\nClub d’Italia took a hit on May 11. The attackers used the slow HTTP technique, transmitting the HTTP request\r\nbody at a very low rate and sending incomplete requests to make the target servers allocate resources for listening.\r\nLater cyberattacks attributed to Killnet affected the Italian foreign ministry and national magistrate association\r\nwebsites. In late June, the hacktivists attacked Lithuania’s Secure National Data Transfer Network as well as other\r\ngovernment agencies in that country. 
At various points throughout the quarter, the group took responsibility for\r\nDDoS attacks on various European organizations, which did not publicly confirm the incidents.\r\nIn several cases, no entity claimed responsibility for what was presumed to be politically-motivated attacks. For\r\nexample, websites belonging to the Vltava Labe Média publishing house were down on April 6–7. The publisher\r\nsaid it had been subjected to DDoS attacks multiple times since the start of the Ukraine conflict. The websites of\r\nFinland’s defense and foreign affairs ministries were inaccessible on April 8, the day when Volodymyr Zelenskyy\r\nwas addressing the country’s parliament. Iceland was the target of several cyberattacks in mid-April, with the\r\nwebsites of various organizations affected, including media outlets. The police suspect political motivation, as the\r\ncountry had announced in March its intention to boost its defense budget. Some of the targeted resources resorted to\r\ngeoblocking to stay online.\r\nAnother anonymous attack that could be categorized as driven by political motives is the April 22 DDoS attack on\r\nUkraine’s postal service, which followed the release of postage stamps featuring the image of the Russian cruiser\r\nMoskva. Estonian government websites, including the Information System Authority (RIA), remained under\r\nattack from April 21 through at least April 25. The Estonian government came under attack again on May 9 as the\r\nwebsite of the country’s foreign ministry was brought down.\r\nhttps://securelist.com/ddos-attacks-in-q2-2022/107025/\r\nPage 1 of 18\n\nSome Ukrainian and pro-Ukrainian websites were attacked from compromised WordPress sites. Hackers were\r\nembedding a script within the main files of the websites, which sent requests to various targets on behalf of\r\nvisitors. 
In technical terms, this bore a similarity to the hacktivist attacks on Russian websites that we covered in\r\nthe first quarter, the difference being that in the earlier case, the hacktivists were making DIY stresser sites,\r\nallowing sympathetic visitors to aid in their DDoS efforts. Interestingly enough, one of the hacked WordPress sites\r\nwas a hacktivist website used to attack Russian media outlets in the previous quarter.\r\nRussian websites remained a target for DDoS attacks in Q2. The attacks were coordinated via pro-Ukrainian\r\nTelegram channels as before. A hacktivist attack on the information systems that supported the St. Petersburg\r\nInternational Economic Forum (SPIEF) resulted, among other things, in the Russian president’s speech at the\r\nevent being delayed by an hour. The SPIEF press pass issuance system and press room experienced issues too.\r\nA further DDoS target was the Gosuslugi e-government website and mobile application. Russia’s ministry of\r\ndigital development reported a tenfold load increase on these resources. Other federal agencies subjected to\r\ncyberattacks were the consumer health watchdog Rospotrebnadzor and the agricultural safety watchdog\r\nRosselkhoznadzor. The latter’s website said the cybercriminals were primarily targeting Mercury, an electronic\r\nveterinary certification system.\r\nOther electronic document management systems were targeted too. Alcohol producers and distributors faced\r\ndifficulties delivering their goods to stores due to a cyberattack on the Unified State Automated Information\r\nSystem (EGAIS). Due to outages that affected the fiscal data operator’s website, OFD.ru, receipt delivery to\r\ninternal revenue offices was greatly delayed. The Chestny ZNAK national track \u0026 trace digital system was also\r\ninundated with junk traffic.\r\nWebsites of the Perm Krai provincial administration and legislature were among the government resources that\r\nsuffered from cyberattacks. 
The hacktivists haven’t spared the media either: novgorod.ru, Zebra TV, Amurskaya\r\nPravda, sibkray.ru, the Lotos state broadcaster and other provincial news outlets reported service disruptions.\r\nPrivate service providers were also caught in a surge of cyberattacks. According to CNews, 1C-EDO, 1C-OFD,\r\n1C:Reporting and other services of Russian enterprise software developer 1C were unavailable for several days.\r\nThe privately-owned RosDorBank recorded an impressive volume of malicious traffic: up to three million\r\nrequests per second. A number of Russian airlines — Rossiya, Aurora, ALROSA, and others — said around the\r\nsame time that their websites had been targeted by DDoS attacks. “Moskovskiye apteki”, a pharmaceutical\r\njournal, reported that aptekamos.ru and other websites of well-known pharmaceutical publications and pharmacy\r\naggregators and chains had been attacked daily from March through June.\r\nNashStore, Russia’s mobile app marketplace modeled after App Store and Google Play, experienced outages on its\r\nofficial launch day. Widespread DDoS attacks targeted Russian colleges as enrollment boards began to examine\r\napplicants. Outages affected visitors to some websites of RUDN University and Moscow Polytechnical\r\nUniversity, Astrakhan State University, Siberian Federal University, colleges in Yaroslavl, Perm and Irkutsk, and\r\nschools in Tatarstan, the Komi Republic, Altai Krai, Amur Oblast and other provinces. Students are often known\r\nto be behind DDoS attacks on schools, especially on key academic dates, but in this case, the cyberattacks were\r\norchestrated via pro-Ukrainian Telegram channels too.\r\nEducational establishments in the United States suffered from DDoS attacks as well: schools of Topeka USD 501,\r\nKansas, were disconnected from the internet for five minutes as a result of a cyberattack. 
The incident prompted\r\nthe school district administration to contract a specialized infosec provider for DDoS protection.\r\nAs usual, the gaming industry was targeted too. Fans of World of Warcraft, Overwatch, Call of Duty and Diablo\r\nIII had issues accessing the games for slightly more than an hour on May 11 as Battle.net experienced a DDoS\r\nattack on its servers. STEPN, a game in which players can earn crypto tokens for real-life running and trade in\r\nvirtual sports shoes, reported a series of incidents in June. The attacks followed an update that targeted cheaters.\r\nThe admins asked the users to take a break from the game to avoid errors in recording their workouts.\r\nDDoS attacks on websites associated with cryptocurrency are anything but rare. They are often timed to coincide\r\nwith landmark events, such as new cryptocurrency launches and rate fluctuations. In Q2 2022, the website of the\r\nTether stablecoin was targeted by a DDoS attack after the rate dropped despite USD pegging.\r\nRansom DDoS attacks, which often made the news in 2020 and 2021, had all but died down: the only one that\r\nreceived broad coverage was an attack by a group that claimed to be the operator behind the infamous REvil\r\nransomware. Our fellows at Cloudflare acknowledged the trend in their Q1 2022 report.\r\nCloudflare also reported two unprecedentedly powerful HTTPS DDoS attacks. These are more costly both to the\r\nattacker and the victim compared to DDoS attacks that use the unsecured HTTP protocol. In the first case, the\r\nattack rate reached 15 million requests per second, with the target bombarded with junk traffic for less than 15\r\nseconds. The victim was a company operating a crypto launchpad. The record was beaten two weeks later by an\r\nattack with the magnitude of 26 million requests per second.\r\nBoth attacks were launched by relatively small botnets consisting of five to six thousand devices each. 
Unlike\r\nlarger, but less powerful zombie networks composed of IoT devices, these utilized web servers and virtual\r\nmachines. The operator behind the second HTTPS attack, the most powerful one to date, has been nicknamed\r\nMantis after the tiny yet mighty predatory insect.\r\nBotnets built from routers, cameras, and other consumer devices did not go away, either. The 360 Netlab company\r\npublished a report on a new zombie net named Fodcha, which expanded through brute-force attacks and by\r\nexploiting known vulnerabilities in IoT devices. As of April 10, 2022, the number of Fodcha bots in China alone\r\nexceeded 60 000, with more than 10 000 active daily. Fodcha C2 servers were originally hosted on a single cloud\r\nprovider’s network, but after those were blocked, the operators had to rebuild their infrastructure. At the time the\r\nstudy was published, command and control functions were spread across several providers’ clouds, with\r\ncommands reaching bots from a dozen IP addresses in different countries.\r\nEnemybot is another new DDoS botnet, which belongs to the Keksec extortion group, borrows code from the\r\nMirai and Gafgyt bots, and drops a file with the cybercriminals’ signature on devices it infects. The bot specializes\r\nin attacking routers and web servers that contain known vulnerabilities, including those discovered in 2022.\r\nAs for previously-known botnets, Q2 2022 saw a series of publications on their recent activity. Fortinet reported in\r\nearly April on two vulnerabilities, which were weaponized by the Mirai variant known as Beastmode. A\r\nsignificant portion of these were vulnerabilities found in TOTOLINK routers in 2022. 
In May, Microsoft\r\npublished a report on a surge in activity associated with the XorDdos bot that targets Linux devices.\r\nAnother noteworthy publication appeared on Stack Overflow: on May 16, the website posted a breakdown of\r\ncyberattacks it suffered, describing some interesting techniques and explaining how Stack Overflow had defended\r\nitself. For example, in one of the cases, the attackers used highly expensive SQL queries triggered from a large\r\nnumber of IP addresses. This meant that IP blocking was not an effective protection method, and the criminals\r\nmanaged to load some of the backend servers to full capacity.\r\nPositive Technologies and Qrator Labs experts said the second quarter saw a new trend among DDoS attackers:\r\nthey began looking for ways to bypass geoblocking after companies started to rely heavily on the technique. In\r\nparticular, they use VPN, proxy servers, and infected devices located in the same region as the target to render\r\nblocking pointless.\r\nAmid the battle between the attackers and their targets, Roskomnadzor, Russia’s communications watchdog, said\r\nit would adopt the Deep Packet Inspection (DPI) technique to fight DDoS. Critics say that although technically\r\nfeasible, DPI is limited in what it can do and is no cure-all. Besides, the system would need to be updated and\r\ntrained to make it fit the purpose.\r\nMeanwhile, other countries keep on combating operators renting out DDoS capacities: the FBI, supported by\r\nDutch and Belgian authorities, seized two domains used for selling the services.\r\nQuarter trends\r\nThe second quarter of 2022 saw the continuation of a trend that began in spring: an increase in superlong attacks.\r\nThese last so long that websites remain under stress continuously. Compared with the previous quarter, DDoS\r\nattacks faded from public view and amateur hacktivist attacks all but ceased. 
That said, they had done no major\r\ndamage before, so the cessation had little effect from a DDoS defense perspective. But let us look at the figures.\r\nComparative number of DDoS attacks, Q2 2021, Q1 and Q2 2022. Q2 2021 data is taken as 100%\r\nIn this quarter, the Kaspersky DDoS Protection group repelled about 2.5 times more attacks year-on-year. The\r\nnumber is huge, but it pales in comparison with Q1 2022 when we detected almost twice as many. It would seem\r\nthat we are seeing a drop in attacker activity, but things are, in fact, much more interesting. Though there were\r\nfewer attacks in absolute terms, the overall DDoS situation might have deteriorated.\r\nAs mentioned above, hacktivist activity, which was responsible for the previous quarter’s surge, tapered off. An\r\noverwhelming majority of those attacks were neither professionally managed nor very long, so they failed to\r\nproduce any particular effect on anything but pure statistics. The attacks we observed in Q2 and are still observing\r\nare of a somewhat different nature. They last for days, even weeks, with this quarter’s record being 41 441\r\nminutes or about 29 days. The most attacked resources remain stressed almost continuously.\r\nDDoS attack duration, Q2 2021, Q1 and Q2 2022. Q2 2021 data is taken as 100%\r\nThe average duration of a DDoS attack in Q2 was about 3000 minutes (roughly 50 hours or about 2 days).\r\nCompare this with the average of 30 minutes for Q2 2021: the figure has grown hundredfold. It is extremely\r\nexpensive to sustain an attack for such a long time, especially an ineffectual attack that gets blocked by\r\ncybersecurity systems. Continuous bot activity increases the risk of botnet hosts wearing out or being detected, or\r\neven the C2 center itself getting traced. 
The fact that these attacks do happen makes one wonder what the\r\noperators’ true capabilities and affiliations are.\r\nIn terms of DDoS attack quality, we are seeing a trend for greater complexity. The share of smart attacks in Q2\r\n2022 almost reached 50%, which is close to a record. The figure was last that high when the DDoS market was at\r\nrock bottom about four years ago. The rise began with expensive, well-staged attacks. It is fairly unusual to see a\r\nfigure like that in a DDoS-rich year.\r\nShare of smart attacks, Q2 2021, Q1 and Q2 2022\r\nMore interestingly, Q2 2022 saw a large number of high-class targeted attacks, which are designed for a specific\r\nwebsite, with its features and vulnerabilities in mind. These are very expensive, very complex attacks that require\r\na high standard of competence and extensive knowledge from both the attackers and the defending party.\r\nNormally, these occur in single-digit numbers, so even one attack in a year is a remarkable occurrence. In the\r\nsecond quarter, we saw two. This is quite an alarming trend, which makes one wonder what size of resources these\r\ncybercriminals command.\r\nAnother, extremely important, trend of the second quarter is the crypto crash, which began with an instant Terra\r\n(Luna) collapse and has only intensified ever since. As we and our peers have noted in multiple posts, the DDoS\r\nmarket is highly sensitive to crypto market fluctuations and inevitably grows when crypto declines. We have not\r\nseen crypto collapse this rapidly for a long time, and by all indications, this will last: for example, miners have\r\nstarted selling off their farms to gamers. It is not unreasonable to expect the DDoS market to start growing soon.\r\nThe DDoS situation in Russia is already about as tense as it gets, so we are unlikely to notice any changes in that\r\nregion. 
On a global scale, there is a high probability that DDoS activity will intensify.\r\nDDoS attack statistics\r\nMethodology\r\nKaspersky has a long history of combating cyberthreats, including DDoS attacks of varying type and complexity.\r\nCompany experts monitor botnets using the Kaspersky DDoS Intelligence system.\r\nA part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received\r\nby bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to\r\nget infected or a command to be executed.\r\nThis report contains DDoS Intelligence statistics for Q2 2022.\r\nIn the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet\r\nactivity periods does not exceed 24 hours. For example, if the same resource is attacked by the same botnet after\r\nan interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but\r\ndirected at one resource also count as separate attacks.\r\nThe geographic locations of DDoS attack victims and C2 servers used to send commands are determined by their\r\nrespective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of\r\nunique IP addresses in the quarterly statistics.\r\nDDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. 
Note that botnets are just\r\none of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that\r\noccurred during the review period.\r\nQuarter summary\r\nIn Q2 2022:\r\nOur DDoS Intelligence system recorded 78,558 DDoS attacks.\r\n43.25% of the targets were located in the US, accounting for 45.95% of all attacks.\r\nJune 20 and 21 were the wildest days, with 1815 and 1735 attacks, respectively, while April 10 and 11, and\r\nMay 17 were the least turbulent ones, with 335, 294 and 267 attacks, respectively.\r\nVery short attacks made up 95.42% of the total number.\r\n46.17% of the botnet C2 servers were located in the US.\r\nUDP flood accounted for 62.53% of attacks.\r\n39.41% of the devices that attacked Kaspersky Telnet honeypots were located in China.\r\nDDoS attack geography\r\nThe US remained the leader in the number of DDoS attacks on the country’s resources, with their share of the total\r\nrising slightly to 45.95% from the first quarter’s 44.34%. China was still the runner-up with 7.67%, but the\r\ncountry’s share dropped by 3.93 p.p. Germany came up close with 6.47%, gaining 1.41 p.p.\r\nDistribution of DDoS attacks by country and territory, Q1 and Q2 2022\r\nA sharp drop in attacks on the Hong Kong special administrative region (to 1.75%) continued for a third\r\nconsecutive quarter. After its share more than halved yet again, the territory found itself in tenth place, virtually\r\nmatching its position in Q2 2021. France and Canada displayed minimal gains, with 4.60% and 3.57%,\r\nrespectively, inheriting the UK’s and Hong Kong’s fourth and fifth places. Great Britain sank to sixth place with\r\n3.51%, followed by Brazil with 3.2% and the Netherlands with 2.91%. 
Coming up close in ninth place was\r\nSingapore, the only country of the TOP 10 besides the US and Germany to see attacks grow by more than one\r\npercentage point, to 2.9% from 1.86%.\r\nSingapore’s share of unique targets (3.22%) grew even more noticeably, more than doubling from Q1 2022. As a\r\nresult, the country, which was not even among the ten leaders at the beginning of the year, found itself in sixth\r\nplace. Overall, the composition of the TOP 10 is traditionally similar to the rankings by the number of attacks. The\r\nthree leaders remained unchanged: the US (43.25%), China (7.91%) and Germany (6.64%). France rose to fourth\r\nplace with 4.42%.\r\nDistribution of unique targets by country and territory, Q1 and Q2 2022\r\nHong Kong (2.01%) dropped from fifth place to tenth as the UK (3.77%) slid by one position to take its place.\r\nOther members of the TOP 10 included Brazil (3.18%) in seventh place, Canada (2.97%) and the Netherlands\r\n(2.73%).\r\nDynamics of the number of DDoS attacks\r\nIn Q2 2022, DDoS attacks dropped by 13.72% (to 78 558) as compared to the previous reporting period. Activity\r\nincreased steadily throughout the quarter: from 731 attacks per day on average in April to 845 in May, to 1195\r\nin June. June 20 and 21 proved to be the busiest, with 1815 and 1735 attacks, respectively, whereas April 10 and\r\n11 were the calmest, with the Kaspersky DDoS Intelligence system recording 335 and 294 attacks, respectively,\r\nand May 17, when we saw just 267 attacks.\r\nDynamics of the number of DDoS attacks, Q2 2022\r\nThe distribution of DDoS attacks by day of the week was slightly more even than in Q1 2022. 
Friday (13.33%)\r\ngrew by 0.56 p.p., passing its title of the calmest day to Wednesday (13.02%), while Sunday’s share dropped to\r\n15.81% from 16.35%, although it still remained the busiest day.\r\nDistribution of DDoS attacks by day of the week, Q2 2022\r\nTuesday (14.06%) and Saturday (15.59%) both grew, and Monday (14.22%) dropped. As a result, Saturday and\r\nSunday saw the highest level of DDoS activity.\r\nDuration and types of DDoS attacks\r\nQ2 2022 saw a marked reduction in the share of long (20 hours and longer) attacks in the total DDoS duration, to\r\nslightly more than 7% from almost 20% in the first quarter. In quantitative terms, these attacks accounted for just\r\n0.3% of the total, with 0.24% being attacks that lasted 20–49 hours.\r\nShorter DDoS attacks of up to 4 hours accounted for 74.12% of the total duration and 95.24% of the total number.\r\nThe share of attacks lasting 5–19 hours remained virtually unchanged (4.28% of the total against 4.32% in Q1\r\n2022), but the proportion shifted slightly toward attacks 5 to 9 hours long.\r\nThe quarter’s longest attacks continued for 423 and 403 hours (approximately 17.5 and 17 days), which was 126\r\nhours shorter than the first quarter’s record attack of 549 hours (nearly 23 days). The average attack duration\r\ndropped from nearly two hours to around 1 hour 45 minutes.\r\nDistribution of DDoS attacks by duration, Q1 and Q2 2022\r\nThe share of UDP flood, the main DDoS technique employed by the botnets that we have observed, rose again in\r\nQ2 2022 to 62.53%. SYN flood remained in second place with a 20.25% share. The share of TCP flood shrank to\r\nalmost half its former size at 11.40%, but this type of flood still kept third place. 
The share of HTTP flood (2.43%)\r\nremained unchanged, whereas GRE flood rose to 3.39%, climbing to fourth place.\r\nDistribution of DDoS attacks by type, Q2 2022\r\nGeographic distribution of botnets\r\nThe share of botnet control servers located in the US (46.17%) dropped by 9.3% from Q1 2022, but the country\r\nremained the leader. Second came the Netherlands (14.49%), followed by Germany (9.11%), the two countries\r\nswapping rankings. The Czech Republic, previously fourth, all but dropped out of the TOP 10, sharing ninth, tenth\r\nand eleventh places with Canada and Croatia (1.24%). Russia (4.76%) and France (3.52%) climbed one position\r\neach as a result.\r\nDistribution of botnet C2 servers by country, Q2 2022\r\nSingapore (2.69%) and Vietnam (2.48%) were sixth and seventh, respectively, their shares quadrupling compared\r\nto the previous reporting period. The UK (2.07%) dropped to eighth position.\r\nAttacks on IoT honeypots\r\nChina (14.22%) remained the leader by number of attacks on Kaspersky SSH honeypots in Q2, although the gap\r\nwith the US (13.52%) narrowed significantly. Germany (5.64%) and Brazil (5.43%) also kept third and fourth\r\nplace, respectively, whereas Singapore (4.71%) pushed Hong Kong (4.35%) from fifth place and was closely\r\nfollowed by India (4.70%). South Korea (4.21%) was eighth, Russia (3.41%) was ninth, and the UK (3.33%)\r\nrounded out the TOP 10.\r\nBots from Russia were ahead of other countries and regions by number of attacks at 54.93%. The US was second\r\nby number of attacks on SSH honeypots and number of bots associated with these at 7.82%. Vietnam (6.74%) was\r\nthird: bots located in that country launched more than 1.5 million attacks on our honeypots in Q2 2022. 
China,\r\nwhich was second in the previous quarter, now slid to fourth place with 4.96%.\r\nGeographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q2 2022\r\nThe devices that attacked Kaspersky Telnet honeypots in Q2 2022 were mostly located in China, too (39.41% of\r\nthem). These were also responsible for more than half (58.89%) of all attacks. India was second by bot count\r\n(6.90%), but only seventh in terms of bot activity (2.5%). The Netherlands had the second-highest level of bot\r\nactivity (8.11%). Russia was third on both lists, home to 5.83% of all bots which launched 7.48% of all attacks on\r\nthe honeypots.\r\nGeographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q2\r\n2022\r\nConclusion\r\nThe second quarter was calmer than the first in terms of DDoS attacks. This is nothing new: we always observe a\r\ndrop in activity as summer nears. However, the changes in the number of attacks within the quarter did not\r\nconform to that trend: botnet activity grew steadily between April and June, following a slump at the end of the\r\nprevious quarter. This was in line with the crypto collapse, an event that typically gives a boost to DDoS attacks.\r\nThe attack geography did not change significantly as compared to past reporting periods, but it is worth noting\r\nthat attacks linked to concurrent geopolitical events may utilize specially created resources not accounted for in\r\nour botnet statistics.\r\nNow for our forecasts. Russia’s situation is unlikely to change any time soon as long as the political agenda\r\nremains the same. DDoS activity in that country has reached a peak of sorts: anyone who is a desirable target or\r\ncan be attacked is now under attack. 
We expect similar figures for Russia in Q3 2022 to those in Q2. In view of\r\nthe cryptocurrency situation, we expect the DDoS market to grow globally. This may have an indirect effect on\r\nRussia: the prices of botnet rental will likely drop, making DDoS more affordable as a service, which means the\r\nresources that were previously too expensive to attack will now be accessible targets. In particular, one may\r\npredict a rise in attacks on educational websites which is already taking shape — although it is hard to say if this\r\nis a persistent trend, seasonal variation or an accidental fluctuation. One way or another, the number of DDoS\r\nattacks will not dwindle. No prerequisites for a lower threat level are anywhere in sight, whereas the growth\r\nfactors are plentiful.\r\nSource: https://securelist.com/ddos-attacks-in-q2-2022/107025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/ddos-attacks-in-q2-2022/107025/"
	],
	"report_names": [
		"107025"
	],
	"threat_actors": [
		{
			"id": "5a270f6c-2c13-4abf-861e-7d44dcfa5ceb",
			"created_at": "2023-11-03T02:00:07.794425Z",
			"updated_at": "2026-04-10T02:00:03.383096Z",
			"deleted_at": null,
			"main_name": "Keksec",
			"aliases": [],
			"source_name": "MISPGALAXY:Keksec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f07ed87c-33ca-44a8-a362-7d5ea193aa7b",
			"created_at": "2023-11-08T02:00:07.123499Z",
			"updated_at": "2026-04-10T02:00:03.419917Z",
			"deleted_at": null,
			"main_name": "Altahrea Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Altahrea Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775792085,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09024b912e7dee8d229e0ea31a6d95d058cc26f5.pdf",
		"text": "https://archive.orkl.eu/09024b912e7dee8d229e0ea31a6d95d058cc26f5.txt",
		"img": "https://archive.orkl.eu/09024b912e7dee8d229e0ea31a6d95d058cc26f5.jpg"
	}
}