Akamai Diversity

The Akamai Blog

#OpKillingBay Expands Attacks

By Bill Brenner, Akamai SIRT Senior Tech Writer

Operation Killing Bay, better known as #OpKillingBay on social media sites, is expanding. Historically, malicious attackers participating in OpKillingBay have targeted Japanese government websites and sites of companies participating in whale and dolphin hunting. These attackers often see themselves as protesters or activists, in addition to hackers and refer to themselves as "hacktivists."

 Recently however, Akamai SIRT members Larry Cashdollar and Ben Brown have seen a shift in hacktivist tactics in OpKillingBay. While they are still attacking the same types of sites as in the past, they are also attacking sites unrelated to the hunts. In fact, one member of OpKillingBay stated that a company was targeted not because they supported the hunts, but because they did nothing about them.

Akamai has also observed the group threatening to attack whaling groups from other parts of the world, as we have found target lists for sites in Denmark, Iceland and the Faroe Islands. We are also seeing that the attackers involved in OpKillingBay are spreading out and participating in other operations as well.

OpKillingBay is approximately three years old. It has historically focused on anti-whaling activity. From there it has branched out, striking Japanese .gov sites. Attacks on the prime minister's website made news in December 2015.

Since the start of 2016, the target list has further expanded. On Jan. 12, we started to observe attacks against a japanese automotive web site. Another automotive company joined the list of victims on February 4, and attacks continued every few days.

At this point, it's unclear if the person claiming credit is actually the one launching the attacks, but Akamai is capable of viewing the attack traffic against the mentioned organizations and others that have been targeted within our infrastructure.

The most-targeted industries thus far are seafood companies, government agencies and theme parks. The group has declared any government site from Japan or Iceland to be a target, giving those country's whaling activities in the past.

Defensive Measures

Due the probability that groups will be attacking via different vectors and using different techniques, it is necessary to prepare multi-layered defenses for the various attacks.

To ensure optimal protection, Akamai recommends both Kona Site Defender (KSD) and Proxy to be in place. Kona Site Defender's WAF will protect web ports (80 and 443) against all web application layer attack types. These include attacks such as SQL injection, Cross Site Scripting (XSS), Local FIle Includes, Remote File Includes and more. Additionally, KSD should have SiteShield properly configured to better mask the web server's origin IP addresses. When SiteShield is set up, the attacker will only be able to discover the Akamai IP addresses and not the web server's.

To protect against volumetric attacks, a site should have KSD's rate controls properly tuned. KSD can have two types, a burst rate and an average rate. When these properly-tuned thresholds are exceeded, the attacker's requests are blocked. For volumetric attacks at other server ports, Proxy should be configured to allow Akamai's scrubbing centers to allow for a clean pipe back to the site's origin servers.

Lastly we also recommend using DNS locks with a domain's registrar. A common hacktivist attack is to take over a domain, often through phishing the registrar password and then updating DNS records. Contact your registrar about ensuring that the "client" and "server" domain locks are properly set, to avoid site hijacking.

The full advisory can be downloaded here. To access other white papers, threat bulletins and attack reports, please visit our Security Research and Intelligence section on Akamai Community.