DDoS attacks during the G7 Summit

At the G7 summit held in Puglia, Italy, from June 12 to 15, 2024, Ukrainian President Volodymyr Zelensky was invited as a guest, in addition to representatives of the 11 invited countries. The situation in Ukraine was on the agenda at this summit, along with matters such as climate change and the situation in the Middle East. The leaders' communiqué stated that they would stand “in solidarity to support Ukraine’s fight for freedom and its reconstruction for as long as it takes.” It was decided to leverage immobilized Russian assets to make available approximately USD 50 billion to support Ukraine.[1] Following the G7 summit in Italy, the Summit on Peace in Ukraine was held in Bürgenstock, Switzerland, from June 15-16. The joint communiqué adopted the statement that the “United Nations Charter, including the principles of respect for the territorial integrity and sovereignty of all states, can and will serve as a basis in achieving a comprehensive, just and lasting peace in Ukraine.”[2]

Russian President Vladimir Putin expressed strong opposition to the use of immobilized Russian assets agreed at the G7 summit, saying that it was nothing short of theft and warning of retaliatory measures.[3] Cyberattacks also occurred, apparently initiated by Russian-affiliated actors opposed to these diplomatic moves by Western countries. In Switzerland, where the peace summit was held, the first wave of DDoS attacks [4] was launched against the websites of federal government agencies on June 13. The next day, June 14, NoName057, a Russian-affiliated hacker group, conducted the second wave of DDoS attacks against the websites of Swiss federal government agencies. These first two waves of DDoS attacks were small in scale. However, the DDoS attack that occurred on June 15 disrupted access to the website of a federal government agency related to the Ukraine Peace Conference. The DDoS attacks continued on June 16, again disrupting access to the websites of federal government agencies and organizations associated with the peace summit.

Japan is also targeted in attacks during the summit

DDoS attacks also occurred against Japan, which expressed support for the use of immobilized Russian assets at the G7. On June 14, experts noted [5] that random subdomain DDoS attacks had been observed against Japanese government websites such as those of the Ministry of Internal Affairs and Communications, the Ministry of Land, Infrastructure, Transport and Tourism, and the Japan Housing Finance Agency. More seriously, the Government Public Key Infrastructure (GPKI) experienced access failures for more than 12 hours from 16:17 on June 14 to 05:08 on June 15.[6] In this access failure, the integrated repository, certificate verification server, digital signature granting and verification service, and home page became inaccessible. Outages of the GPKI are extremely rare, other than for maintenance purposes, and such a failure represents a serious situation with significant consequences because it halts procedures requiring digital authentication by the government.

Although the Digital Agency has not made any public announcement regarding the cause of this system failure, the author believes that it was caused by a DDoS attack. An expert observing a random subdomain DDoS attack stated that the DDoS attack against the GPKI (gpki.go.jp) started at 16:17 on June 14 and was observed intermittently until 05:10 on June 15.[7] Since this timeline coincides with the announced timeline of the access failure, it is possible to conclude that the failure was caused by a random subdomain DDoS attack.

A random subdomain DDoS attack does not target the web server itself but the DNS server, paralyzing communication. The attacker randomly generates nonexistent subdomains (for example, subxx.xx.co.jp) and initiates a massive number of queries for them to the DNS server of the target organization’s actual site (e.g., xx.co.jp), overloading the authoritative DNS server and causing an outage. DNS servers translate between host names (gpki.go.jp in the GPKI example) and IP addresses. When these DNS servers stop functioning, the servers under that host name become unreachable, resulting in an access failure. Random subdomain DDoS attacks are very troublesome because they are technically difficult to detect before an access failure occurs. Once an attack occurs, it results in a service outage.
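The query pattern described above can be recognized in authoritative DNS query logs once a flood is underway: a burst of queries for one zone that are mostly answered NXDOMAIN and almost never repeat a name. The following is an added example, not part of the original article; the record format (epoch second, queried name, response code), the thresholds and the sample records for the article's placeholder zone xx.co.jp are assumptions constructed for illustration.

```python
import random
from collections import defaultdict

def detect_random_subdomain(records, zone, window=60, min_queries=50,
                            nx_ratio=0.8, unique_ratio=0.8):
    """Return start times of windows in which queries for `zone` are numerous,
    mostly answered NXDOMAIN, and almost never repeat the same name."""
    suffix = "." + zone
    buckets = defaultdict(list)
    for ts, qname, rcode in records:
        qname = qname.lower().rstrip(".")
        if qname.endswith(suffix):          # ignore other zones and the apex
            buckets[ts - ts % window].append((qname[:-len(suffix)], rcode))
    flagged = []
    for start in sorted(buckets):
        rows = buckets[start]
        if len(rows) < min_queries:         # too little traffic to judge
            continue
        nx = sum(rc == "NXDOMAIN" for _, rc in rows) / len(rows)
        uniq = len({sub for sub, _ in rows}) / len(rows)
        if nx >= nx_ratio and uniq >= unique_ratio:
            flagged.append(start)
    return flagged

def sample_log():
    """Constructed records: (epoch_second, queried_name, response_code)."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    log = []
    # 0-59 s: ordinary traffic, a few real names asked repeatedly.
    for i in range(120):
        log.append((i % 60, ("www", "mail", "portal")[i % 3] + ".xx.co.jp", "NOERROR"))
    # 60-119 s: flood of never-repeated nonexistent names plus some real traffic.
    for i in range(300):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        log.append((60 + i % 60, label + ".xx.co.jp", "NXDOMAIN"))
    for i in range(30):
        log.append((60 + i, "www.xx.co.jp", "NOERROR"))
    # 120-179 s: one misconfigured client repeating a single missing name.
    for i in range(100):
        log.append((120 + i % 60, "wpad.xx.co.jp", "NXDOMAIN"))
    return log

if __name__ == "__main__":
    print(detect_random_subdomain(sample_log(), "xx.co.jp"))
```

Only the middle window is flagged: the third window is all NXDOMAIN as well, but it repeats a single name, which is what separates a misconfigured client from a random subdomain flood.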

Random subdomain DDoS attacks were also observed in Japan before the G7 summit held in Hiroshima in May 2023. Attacks against local governments and critical infrastructure companies such as railroads and electric power companies occurred from mid-March 2023 until just before the summit. Based on their timeline, the author infers that these attacks were carried out by a Russian-affiliated hacker group with close ties to the Kremlin. The DDoS attacks on the GPKI from June 14 to 15 are also thought to be a retaliation against Japan for its decision to support Ukraine using immobilized Russian assets, given their timing during the summit.

Vigilance against cyberattacks and the dissemination of disinformation linked to diplomatic events

In addition to the DDoS attacks that occurred during the G7 summit in Italy, there has been an increase in cyberattacks and the dissemination of disinformation against Japan related to the conflict in Ukraine. DDoS attacks against Japan also occurred during the Japan-Ukraine Conference for Promotion of Economic Growth and Reconstruction held in Tokyo on February 19 this year. On the same day that the conference was held, the websites of the House of Representatives, the Japan Securities Dealers Association, the Japan Automobile Manufacturers Association, and several leading Japanese companies were hit by DDoS attacks. On February 13, NoName057, the Russian-affiliated group responsible for the aforementioned attacks on Swiss federal agencies, issued a statement claiming responsibility for this series of attacks.

Furthermore, two items of disinformation were spread intensively on X (formerly Twitter) regarding the Japan-Ukraine Conference for Promotion of Economic Growth and Reconstruction, beginning a week before the conference. One of these is a fake photo (see below), used to claim that the U.S. Under Secretary of State for Political Affairs Victoria Nuland pressured Prime Minister Kishida to provide more funds for Ukraine’s reconstruction. This composite fake photo spread rapidly on X from February 13 to 14.[8] It was viewed a total of 700,000 times. Another item of disinformation was that Prime Minister Kishida was ordered by President Biden to spend 50 trillion yen to support Ukraine, resulting in higher taxes for Japanese citizens. This disinformation appeared on X around the end of January, but spread rapidly between February 11 and 12, one week before this Japan-Ukraine conference.[9] Although it has not yet been determined whether or not Russia or pro-Russian groups were behind the spread of these two items of disinformation, the timeline strongly suggests that they were targeted at the conference.

Figure: Fake composite image of Prime Minister Kishida

In this way, cyberattacks and the dissemination of disinformation linked to diplomatic events have been on the rise since the start of the war in Ukraine in 2022. Although this war is geographically remote from Japan, Japan is not unaffected by it. Cyberspace has no geographical distance or borders. Cyberattacks and disinformation linked to diplomacy and security are occurring in other areas of Japan’s digital space unrelated to the war in Ukraine, too, and it is vital to remain vigilant.

(2024/10/17)