Cyber Incident Victim: Doctor Web
Date: Jan 2017
Location: Russia
Summary
A cybersecurity firm specializing in antivirus solutions faced a distributed denial-of-service (DDoS) attack targeting its Russian and Ukrainian web domains, causing service disruptions. The attack, characterized by an intense flood of 200,000 to 500,000 packets per second, persisted for over two days before mitigation efforts restored normal operations. This incident occurred shortly after the company published research exposing a large-scale Linux botnet, with evidence suggesting retaliatory action by cybercriminals affected by the disclosure. The event mirrored similar attacks against other security firms historically targeted for disrupting malicious operations, highlighting a pattern of retaliatory disruptions against entities combating cyber threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The DDoS attack on Doctor Web began on January 25, 2017, directly impacting the company's Russian (drweb.ru) and Ukrainian (drweb.ua) domain infrastructure. Attack volumes fluctuated between 200,000 and 500,000 packets per second, and the flood was sustained for over 48 hours before mitigation succeeded. The assault began within 24 hours of Doctor Web's publication of research detailing a large-scale botnet of Linux devices, closely linking it in time to the company's threat-exposure work. Company engineers engaged in sustained countermeasures throughout the two-day incident and eventually restored full server functionality after containing the attack's impact on the company's web presence. No data breaches or secondary compromises were reported in connection with the availability disruption.

The incident represented retaliatory action by threat actors whose operations were disrupted by Doctor Web's security research, consistent with historical patterns of criminal retaliation against cybersecurity entities. While service restoration marked the operational resolution, the attack highlighted the persistent risks facing firms that investigate botnet infrastructure. The company's public disclosure emphasized the attack's technical parameters and duration rather than financial or customer-impact specifics. The event occurred within a broader pattern of DDoS campaigns against the security industry during the period, as evidenced by attacks against Emsisoft three days later and earlier incidents involving Kaspersky Lab. Doctor Web's restoration of domain services concluded the immediate incident, with no further escalation reported in the available documentation.
