Akamai Diversity

The Akamai Blog

Hackers "Join" World Cup 2014 Matches on the Web

George Orwell once said, "International football is the continuation of war by other means" - as we will demonstrate in this post - Mr. Orwell was spot-on, according to statistics on web application layer attacks collected by Akamai's Cloud Security Intelligence platform, the 2014 world cup soccer matches spurred sophisticated cyber attacks between soccer-fan-hackers of competing sides.
In order to monitor and detect attacks correlated to world cup soccer matches, Akamai's threat research team harnessed its unique visibility into Internet-wide traffic (Akamai handles close to 30% of all web traffic!), and ran big data queries looking for attacks originating from source IP addresses related to countries participating in each soccer match, and targeting web sites with a country-code top level domain relevant to the countries playing in that match.

For example, the first match in the world cup was held on Thursday June 12th 2014, and was between Brazil and Croatia - a relevant query would look for web application layer attack events originating from IP addresses coming from Brazil (BR) or Croatia (HR), and targeting web sites ending with either ".br" (Brazil's country-code top level domain), or ".hr" (Croatia's country-code top level domain).

OrySegalBlog1.png In order to make sure that spikes in malicious traffic were not something usual between the two countries, data was extracted for longer periods - for example, 6 days prior to the match, and 6 days after (when applicable).

Findings 
Based on Akamai's data, there were several soccer matches that were accompanied by web application hacking campaigns. Malicious web users used several different attacks vectors with the most prominent vectors being application-layer Denial of Service (DoS) attacks, SQL Injection, PHP code injection and Remote File Inclusion.

An example of 5 such games that spurred online hacking campaigns are:
  • Brazil vs. Croatia (June 12th)
  • Spain vs. Netherland (June 13th)
  • Chile vs. Australia (June 16th)
  • Cote D'ivoire vs. Japan (June 17th)
  • Brazil vs. Chile (June 28th)
OrySegalBlog2.png Lets have a look at a couple of the games and see what happened.

Brazil vs. Croatia

A closer analysis of the Brazil vs. Croatia data, revealed a clear spike in the number of attacks originating from Croatia around the same time as the match took place. The target of attack was a major Brazilian financial institution, and the attack vector was almost entirely made of attempts at exploiting SQL Injection vulnerabilities. Behind this attack were 2 separate Croatian IPs, belonging to different networks, however by analyzing the HTTP traffic and the attack payloads themselves, it was clear that a single entity was behind both attacks. In addition to the attack data mentioned above, we also managed to find one of the offending IP addresses in Akamai's client reputation database, which indicated that the same IP Address has been actively performing SQL Injection attacks on other targets on the Internet.

OrySegalBlog3.png Spain vs. Netherland

The analysis of the Spain vs. Netherland application layer attack events also revealed interesting findings. It seems that one very angry Spanish hacker decided to retaliate the not-so-favorable match results with a very focused application layer denial of service (DoS) attack against a Dutch news web site. Most attack requests came from a single Dutch IP address. The target page was the main sports section of the site, and the "Referer" header (the page from which the current request came from) pointed to a news article describing the glorious day for the Netherlands.

A close inspection of close to 250,000 HTTP requests that were part of the attack revealed that the hacker definitely knew what he/she was doing - they used requests that could easily look like normal browser requests to the untrained eye - they all included a valid "User-Agent" string (a header describing the type of the web client), and mimicked an AJAX request. The only so-to-say flaw of the attack was that all 250,000 requests were identical. They all carried the exact same payload, and used the exact same session tokens, which is highly irregular and may point to the fact that someone was re-playing the same request over and over, until the server will hopefully choke and fail.

Some Hackers Perhaps Held Out Hope for a Comeback Before Launching Attack?

In other matches such as Chile vs. Australia and Cote D'Ivoire vs. Japan, we actually observed an initial downturn in average traffic, followed by a wave of attacks after it became clear that the game was officially over before launching attacks on the winning country.

In what might be considered a similar trend, attackers worldwide seemed to take a break from exploits during the exciting finals match between Germany and Brazil. For those 2.5 hours, the cyber war seemed to take a break while the world tuned in. Argentina seems to have taken the loss in good sport as well, with a notable lack of attacks against Germany originating from Argentina in the days following the attacks.

So to the extent that George Orwell is right, and soccer is continuation of war between countries by other means, for a brief period on Sunday June 13, a victor was declared and it seems that at least a temporary peace has been declared.

Leave a comment