
Cyber Incident Victim: Stripe

Date: Jun 2023

Location: United States of America

Summary

A distributed denial-of-service (DDoS) attack targeted Stripe's dashboard for managing business payments, refunds, and operations. The incident was part of a broader wave of DDoS attacks against multiple U.S. organizations across various sectors, which were claimed by the threat actor Anonymous Sudan. These attacks rendered online portals and services inaccessible, costing organizations time and money and potentially causing reputational damage while their resources were down.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On or around June 30, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a public warning regarding ongoing distributed denial-of-service (DDoS) attacks that had impacted multiple U.S. organizations across various industry sectors. The agency advised all U.S. organizations to take proactive measures to prepare their security teams to thwart or mitigate the effects of such attacks. CISA recommended that network administrators be prepared to quickly apply firewall rules or redirect incoming malicious traffic through denial-of-service protection services to prevent the takedown of targeted online portals or services. The agency also noted that internet service providers could offer guidance on appropriate steps to take during these incidents. CISA stated it was aware of open-source reports of targeted denial-of-service and distributed denial-of-service attacks against multiple organizations in multiple sectors, highlighting that these attacks could cost an organization time and money and impose reputational costs while their resources and services remained inaccessible.


This warning was issued in the context of a wave of DDoS attacks publicly claimed by a threat actor known as Anonymous Sudan. Microsoft tracks this group as Storm-1359. The attacks preceding the CISA warning targeted both private and government organizations, taking their online portals offline. Since the start of that week, Anonymous Sudan had claimed responsibility for taking down the website of EFTPS.gov, which is the U.S. Treasury Department's Electronic Federal Tax Payment System, and the website of the U.S. Commerce Department. BleepingComputer confirmed that the eftps.gov website was inaccessible at the time the threat group claimed the attack on their Telegram channel. The group's activities were not isolated to government targets; they also claimed a DDoS attack on the same day as the CISA warning that targeted the dashboard of the financial services company Stripe. This Stripe dashboard is used for managing business payments, processing refunds, and handling general operations.

The incident involving Stripe was part of a broader campaign by Anonymous Sudan that had been ongoing for several weeks. Earlier in June, Microsoft confirmed that multiple outages affecting its Outlook, OneDrive, and Azure web portals were the result of DDoS attacks claimed by this same group. The group's campaign began even earlier, in May, when it targeted numerous other large organizations on a global scale. Previous targets included Scandinavian Airlines (SAS), the dating application Tinder, the ride-sharing service Lyft, and various hospitals across the United States. The consistent modus operandi was the use of DDoS attacks to render critical online services unavailable to users.

In response to the broader threat, CISA, in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), provided guidance to organizations on steps to take both before and after a DDoS attack. A key recommendation was for organizations to enroll in dedicated DDoS protection services, which are designed to reroute malicious traffic away from targeted assets, thereby mitigating the attack's impact. For federal civilian executive branch (FCEB) agencies, CISA provided additional specific recommendations, advising them to utilize tools available through the General Services Administration (GSA). These tools included the Managed Security Service (MSS) and the Managed Trusted Internet Protocol Service (MTIPS), which can be employed to counter the effects of DDoS attacks and assist in restoring the operation of impacted systems.

The primary impact of these attacks, including the one on Stripe, was service disruption. For Stripe, the attack targeted its operational dashboard, a critical interface for businesses to manage their financial transactions. This would have impeded the ability of Stripe's customers to process payments, issue refunds, and manage their accounts, leading to direct operational and financial consequences for those businesses relying on the platform. The broader consequence for all targeted organizations, as outlined by CISA, was the dual financial and reputational damage incurred when essential resources and services become inaccessible to customers and users. The attacks demonstrated a continued focus on high-profile targets whose disruption would cause significant inconvenience and attract media attention, thereby amplifying the perceived impact of the threat actor's capabilities. The timing of the attacks throughout the week, culminating in the CISA warning on June 30, indicated a sustained and coordinated effort against U.S. infrastructure and commercial entities.

Sources: 1 source (available to members)