New hacker attack on the Subject Bank, today 30 May and everyone is talking about a DDOS attack. But was it DDOS or was it due to inadequate protection and security measures of information systems? The Ministry of Education announced that "we received a megaton attack from hackers", which resulted in the platform being inaccessible for several hours and teachers being unable to take the subjects. Moreover, in a statement today, the Subject Bank informed that it received 165 million hits in an hour from 140 countries.

See Still: Announcement of strategic cooperation between Trust-IT LTD and Cloudflare Inc.

To SecNews has already started investigations to find the real reason behind the Subject Bank fiasco. In tweets, as of last night, SecNews technicians have posted their initial assessments of the cyber attack. You can see here all tweets with relevant information. The technical analysis follows.

See Still: Cloudflare mitigates a DDoS attack with 71 million requests-per-second

So, according to reports, the website trapeza.iep.edu.gr (server που εξυπηρετεί την Τράπεζα Θεμάτων και βρίσκεται στις υποδομές του Ινστιτουτου Εκπαιδευτικής Πολιτικής)  δέχθηκε μια ισχυρή Distributed Denial of Service attack (DDoS), an attack that is known to paralyze and threaten the operation of organizations' computer systems and the security of the information they possess.

What are the attacks DDoS;

DDoS attacks are cyberattacks where multiple computers (usually from countries with high bandwidth such as Russia,Κίνα,Ινδία,ΗΠΑ) κατακλύζουν έναν στόχο με τόσο μεγάλο όγκο δεδομένων/αιτημάτων, ώστε να μην μπορεί να επεξεργαστεί όλες τις αιτήσεις, με αποτέλεσμα να γίνεται ανενεργός κοινώς να “πέφτει”. Αυτό επιτυγχάνεται συνήθως χρησιμοποιώντας την τακτική της επίθεσης από πολλαπλά σημεία, με τον στόχο να κατακλύσουν το σύστημα ή το δίκτυο του θύματος με επιβαρυντικές αιτήσεις.

The server cannot respond to the requests and the service is stopped. The computers used to carry out these attacks are usually unknowingly owned by their owners (botnets/zombies) and are ordered by the operators/hackers to start sending requests to the target server. After a while and depending on the number of requests, the target server is put out of service and cannot respond to new requests. A schematic representation of the attacks is shown below:

DDoS attack theme bank: What happened in the case of the cyber-attack on the Subject Bank;

In the case of the Subject Bank, the DDoS attack "allegedly" according to media reports and the Ministry of Education's post, paralyzed its digital systems for several hours, both on 5/29/2023 and today on 5/30/2023. The announcement even stated that:

"They were massive third-party visits to the platform -The communication refers to up to 280.000 connections per second-, συνδέσεις που έχουν ως σκοπό να την κάνουν μη λειτουργική.  «Αυτές οι κατανεμημένες επιθέσεις DDοS αποσκοπούν κακόβουλα να εμποδίσουν την ομαλή πρόσβαση των χρηστών στο σύστημα. Δεν αποτελούν παραβίαση του συστήματος ούτε είναι σε θέση να αποκτήσουν πρόσβαση στα στοιχεία του και τα δεδομένα του», αναφέρεται στην ανακοίνωση.

As the ministries informed, the attack was isolated at 9:20 in the morning, with joint actions by the IEP and EDYTE and then the accessibility of users was restored. However, the malicious attacks persisted and continued after 9:20 am, but were successfully dealt with.

SecNews conducted a technical journalistic investigation to determine the facts. Information reaching SecNews, through Twitter (thanks to our reader friend) guided our technical team to search for relevant technical data on the website https://mon.grnet.gr and more specifically in

https://mon.grnet.gr/rg/543947/details/#tabs=aggregate

The National Network of Infrastructures for Research and Technology - Hellas and Research (NDYTE) https://www.grnet.gr whose executives are highly skilled, supporting a wide range of infrastructures in our country, they have created Monitoring Tool (using Opensource tools) in order to record in real time and at any time the variations of the web load.

As anyone can read in the relevant graphs, the EDYTE staff is recording at any given moment a volumetric number of operators providing internet services, such as School Network, Wireless Hospitals, NOC(Network Operation Center), Backbone links and connections with external, Universities, Syzefxis etc.

These graphs help technical managers to identify malfunctions, increased traffic (which may under certain circumstances be due to attacks), as well as maintain statistics for fault prevention, equipment replacement, etc. The data that they derive from the NICTE (via SNMP) is data passing through the routers managed by the NICTE (routers).

The website they are reporting was hit by a large-scale cyber attack, https://trapeza.iep.edu.gr administered by the Institute of Education Policy.

The Institute of Education Policy (IEP) is a scientific body that supports the Ministry of Education and Culture on issues related to Primary and Secondary Education, as well as the transition from Secondary to Higher Education. It advises or recommends upon a relevant request from the Minister of Education and Religious Affairs or ex officio, according to the provisions of para. (a) of para. (3) of Article 2 of Law No. 3966/2011, as in force.

During the "large-scale cyber attack" we tried to determine the connection path to the server trapeza.iep.edu.gr

We find that the internet connection to the server passes through the above routers (gnt14-1902.louros.grnet.gr) and lourdcfs1-eier-1.backbone.grnet.gr). Therefore any attempt to connect to the server goes through this route.

Εν συνεχεία αναζητήσαμε τους ανωτέρω δρομολογητές (routers) στο σύστημα καταγραφής/monitoring  του GRNET https://mon.grnet.gr

Weekly Load to the router lourdcfs1.grnet.gr
Monthly Load to the router lourdcfs1.grnet.gr
Internet Traffic Load in the time period in question (packets/seconds)
Weekly Motion Graph (bits/seconds)
High load of online Movement 26-27 May.
Φόρτος Διαδικτυακής Κίνησης (εβδομαδιαίο) – Hosted VMs

Φόρτος Διαδικτυακής Κίνησης (εβδομαδιαίο) – Hosted VMs

The set of web traffic MRTG diagrams (Multi Router Traffic Grapher) regarding hosted sites can be seen here:

https://mon.grnet.gr/rg/search/

Επιλέξαμε την οπτική απεικόνιση εβδομαδιαία (week) αλλά και μηνιαία για στατιστικούς λόγους όπου  προκύπτουν τα παρακάτω συμπεράσματα:

  • it is obvious that the total traffic from the router/firewall in question, which served trapeza.iep.edu.gr was increased και 26-27 Μαΐου αλλά και 29-30. Υπήρχαν και άλλες περίοδοι επίσης όπου παρατηρείται υπεραυξημένη κίνηση. Δεν απασχόλησε όμως κανέναν όπως φαίνεται…
  • In the monthly distribution we find that there are fluctuations in internet load but nothing remarkable
  • According to expert opinions, the 5.1Gb data volume from the routers is not a particularly increased traffic for critical infrastructure and is absolutely justified for the time of the exams taking into account that a large number of connections will be made to retrieve subjects from local schools.
  • Even if it is a cyber-attack, it is obvious from the charts that a corresponding volume internet traffic was detected by the GRNET monitoring system,
    on 26-27 May and several times during the year (e.g. Week18/Week19). So why did the officials then NOT talk about a cyber attack or did not take the necessary measures but only discovered the finding of the cyber attack on the day when thousands of students are trying to compete in their schools?
  • The caretaker government press releases mention 280,000 connections/second. They also report millions of requests from 140 countries. This is not reflected, nor is the specific number anywhere in the publicly available figures from the NSI. From the official statistics of the operator it is not possible to determine in any way the numbers reported.

SecNews from the first moment of the cyberattack has been asking for technical data to be posted to indicate the details of the attack, something that has not happened so far.

If EDYTE has additional data regarding the volume of traffic it received and is NOT reflected in the official statistics of mon.grnet.gr, it would be worthy of disclosure.

Moreover, GRNET/EDETE knowing exactly the topology of the routers and the traffic they transit during the attack could post the relevant diagrams

DDoS attack theme bank: Remedial actions and measures without impact;

The consequences of such an attack are numerous and can include loss of public trust, financial losses from temporary suspension of services and disclosure of sensitive data. The threat of DDoS attacks to organisations and businesses is not only the disruption of their operations, but also the potential to be used as a diversion for other, more aggressive cyber-attacks.

From the moment the "cyber attack" issue was made public, the Theme Bank reportedly worked with a specific company to stop the attack and restore its operation (AKAMAI). We speculate that the goal is to install a DDoS prevention system to prevent future attacks and enhance their cyber attack resilience. However, even this was done incorrectly. While the AKAMAI service was activated (usually these companies undertake the prevention of cyber-attacks in exchange for support contracts in the future - we did not find any relevant commission in the DATA) the setup chosen was not optimal.

  • Attackers having captured the threat landscape of the organization even if ddos mitigation service was enabled, can easily bypass it by simply targeting the IP address directly and not the DNS hostname (trapeza.iep.edu.gr). Ακόμα και αν οι αρμόδιοι άλλαζαν την IP διεύθυνση, εχει παρατηρηθεί οι χάκερς να στοχοποιούν τον router που δίνει διαδίκτυο στην εν λόγω υπηρεσία και με αυτό τον τρόπο μπορούν να προκαλέσουν το ίδιο ακριβώς αποτέλεσμα. Για πολλές ώρες η IP διεύθυνση του εξυπηρετητή trapeza.iep.edu.gr ήταν ορατή στον καθένα και δεν είχε “αποκρυφθεί” ορθώς απο το CDN της ΑΚΑΜΑΙ
  • Access to iep.edu.gr could be allowed EXCLUSIVELY and ONLY from Greek IP addresses. Secnews conducted an access survey from multiple IP addresses such as Egypt, Turkey, China, USA and the platform was visible. Since the service in question only concerns Greek schools there was no reason for it to be visible from the entire internet. Unless the teachers interested in the Subject Bank are based in countries such as Russia/China or other (outside the Greek territory)
  • While GRNET/EDYTE has engineers with high expertise and all the necessary technological equipment, it seems that those who decide to create these services do not take into account the opinion of technocrats, providing services and platforms with significant logical flaws.

DDoS attack Theme Bank: Final thoughts on the cyber attack

Cybersecurity is a necessary investment in the modern age. The DDoS attacks is just one of the many tools available to cybercriminals. Organisations must take proactive measures to protect themselves and their data from such attacks. Preparation and education are key to dealing with this cyber threat.

At the Subject Bank, we suspect that the incident is due

A) solely on the lack of complete preparation for similar incidents

B) the non-optimal use of GRNET/EDYTE resources

C) the incorrect logical design of the application

D) Failure to use existing data (since we found that there was increased traffic days before the incident)

E) The complete lack of a plan and training of the operators on how to deal with similar situations and the absence of a plan-b

We note that the prosecutor of the Supreme Court, Isidoros Doyiacos, ordered an investigation with the assistance of the Cybercrime Division, as the Ministry of Education complains of a cyber attack. According to Doyakos' order, the relevant agencies may also proceed with seizures of computers and other data in order to investigate complaints of an attack by hackers. 

LastHint: We are talking about (Security) Greece 2.0 and technological revolution. But let's start the technological revolution by installing an SSL Certificate. With a simple visit to the official website of the Institute of Educational Policy (http://www.iep.edu.gr) they have not even activated the SSL known to all of us. If someone visits the website with SSL he receives a message that the website was not found. Security above all!

The SecNews technical investigation into the cyber-attack incident at the Subject Bank continues. Stay tuned.