
Communications Sectors Remain Highly Targeted by DDoS Attacks Across North Africa - NETSCOUT

9th May 2025

     


This article has been supplied and will be available for a limited time only on this website.

 The ICT sector in the countries of North Africa is well developed, with Morocco leading the continent in internet usage at 92.2%, followed by Libya at 88.5% and Tunisia at 84.9%. It should come as no surprise then that the region’s ICT sector also recorded significant distributed denial of service (DDoS) attack activity as a rising trend during the second half of last year. This is according to the recently released NETSCOUT Threat Intelligence Report for July to December 2024, which again exposes a sophisticated and varying DDoS scenario across Morocco, Tunisia, Algeria and Libya.

Regional director for Africa at NETSCOUT, Bryan Hamman, notes: “The data, as analysed from the second Threat Intelligence Report for 2024, underlines a rapidly evolving DDoS threat landscape across North Africa, within which, in line with the situation in other parts of the continent, we are seeing increasingly advanced attacks on targeted sectors, particularly within the telecommunications and digital landscapes.”

Morocco once again recorded the highest number of DDoS attacks in the region, and in addition registered more strikes than it had experienced during the first half of the year. Tunisia also saw a spike in incidents, with its number almost doubling from the first half of the year. Libya topped the list of the highest number of vectors used during a single attack, while Algeria was the only country in the region where the recorded DDoS attacks decreased from the first half of the year. 

Adding to this, Hamman clarifies: “The NETSCOUT Threat Intelligence Report shows that wired telecommunications providers placed at or near the top of the most affected sectors in all four countries, with attacks on other telecommunications providers, including wireless but excluding satellite, also ranking highly.

“One of the primary ways threat actors monetise DDoS attacks is by threatening organisations with prolonged downtime unless a ransom is paid. Because the disruption of telecommunications services has a widespread impact, this makes it an attractive target for cybercriminals, due to its vast infrastructure, which underpins internet and communication services for both consumers and organisations.”

Besides wired and wireless telecommunications providers, other industries that suffered notable numbers of DDoS attacks within the North Africa region included web search portals and all other information services, computing infrastructure providers, the gasoline and natural gas industries, and shoe retailers, showing the planned targeting of particular industries per country.

Dominant vector types used in largest attacks

DDoS threat actors have various vectors within their arsenal. Libya recorded the use of 22 different vector types in a single incident, followed closely by Morocco, which experienced a multi-vector attack comprising 21 different vector types. Tunisia and Algeria trailed with 16 and six vector types in a multi-vector attack, respectively.

In the prominent multi-vector attacks mentioned above, the vector types used included (but were not limited to) the following:

·       Libya: DNS, DNS Amplification, ICMP, ISAKMP, L2TP Amplification, MS SQL RS Amplification, NTP Amplification

·       Morocco: CLDAP Amplification, DNS, DNS Amplification, ICMP, Jenkins Amplification, MS SQL RS Amplification, NTP Amplification

·       Tunisia: CLDAP Amplification, DNS, DNS Amplification, ICMP, NTP Amplification, NetBIOS Amplification, QOTD Amplification

·       Algeria: DNS, DNS Amplification, UDP, WS-DD Amplification

Bandwidth and throughput

Morocco experienced the largest attack recorded in terms of bandwidth and throughput. The attack of 232 Gbps / 50.19 Mpps outlined below is greater than the previous largest attack recorded in North Africa in the first half of 2024 (also in Morocco), which registered 210.65 Gbps and 20.38 Mpps.

“The message is clear,” says Hamman, “in that we are seeing malicious actors continuously prepared to ‘up the ante’ and throwing everything into their arsenal during a planned and prolonged attack.”

·       Morocco: 232Gbps / 50.19 Mpps

·       Tunisia: 224.33Gbps / 21.2 Mpps

·       Libya: 172.68Gbps / 27.46 Mpps

·       Algeria: 71.93Gbps / 6.91 Mpps

Morocco: Still the cybercriminal’s main regional DDoS target

Morocco recorded 69,836 DDoS attacks, which was up quite considerably from 61,000 attacks over the first half of 2024.

Morocco was also the only country in which wireless telecommunications carriers (except satellite) were listed as the most targeted segment on the DDoS onslaught list, with 16,140 attacks. This is slightly down from the first half of the year, when this sector saw a total of 16,461 incidents. Attacks on wired telecommunications carriers came in second, with a total of 6,483, which was up from 6,022 for this sector over the first half of the year. Both wireless and wired telecommunications carriers remain the primary focus for threat actors within the country.

The third most targeted sector during this period was shoe retailers for the second consecutive time, reflecting 63 incidents (down from 81 for H1 2024), with attacks on computing infrastructure providers (28), and web search portals and all other information services (23), rounding out the top five sectors most embattled in Morocco.

Sizable increase in Tunisian DDoS attacks  

The fact that DDoS attacks on Tunisia increased considerably possibly reflects its status as a burgeoning ICT hub within the region. We see 8,692 DDoS attacks for the second half of 2024, as compared to a total of 4,511 for the first half of the year. Most attacks (8,363) were once again targeted at wired telecommunications carriers, with web search portals and all other information services coming in next, at 259 attacks, and attacks on wireless telecommunications carriers (except satellite) coming in a distant third, at just 15 attacks.

“It is interesting to compare bombardments on wired and wireless telecommunications carriers for H2 to those same numbers for H1,” says Hamman. “Attacks on wired telecommunications carriers rose from 3,529 (H1) to 8,363, which was more than double. In contrast, those on wireless telecommunications reduced significantly, from 574 attacks in H1 to 15 in the second half of the year.” 

DDoS attacks rise in Libya as complexity and sophistication also increase

Libya experienced notably fewer DDoS attacks in H2 2024 when compared to Morocco and Tunisia, with a total tally of 1,635 attacks. However, this number was slightly up in volume from the 1,576 attacks that took place during the first half of 2024. 

“It is also worth noting that, while Libya’s total number of DDoS attacks is far lower than those of Morocco, it still faced the highest number of vectors in a single attack across the region, at 22,” notes Hamman.

“In addition, we observed strikes on critical infrastructure,” he adds, “with one aimed at a natural gas extraction plant, and 22 attacks on gasoline stations, once more underscoring the trend by cybercriminals to focus on specific types of target per country as well as region. This type of target could also potentially reflect a geo-political motive rather than being purely financial.”

Algeria sees its DDoS incidents drop by around half

Having again experienced the fewest DDoS attacks of the four North African countries, Algeria also saw a substantial drop in H2 2024. 

Algeria recorded 275 attacks in the second half of 2024, down by around half when compared to 452 over the first half of the year. The H2 attacks, consistent with a major trend across the region, almost exclusively affected wired telecommunications organisations with a tally of 205, with a maximum attack bandwidth of 4.37Gbps and an average duration of 12 minutes. 

The other main attacks (30) took place largely across all other forms of telecommunications companies across the country, with a far larger attack bandwidth (71.93 Gbps) recorded, but a shorter average attack duration of nine minutes.

Telecommunications: A lucrative target for DDoS threat actors 

“Across the four countries, we saw lower DDoS attack volumes, but evolving and increasingly intricate threats, with the DNS Amplification, ICMP, NTP Amplification and CLDAP Amplification vectors among the commonly used attack vectors, as well as a concerning trend toward more calculated and industry-specific campaigns,” says Hamman.

He notes that North Africa is continuing to ramp up its efforts to improve its digital and communications access for all citizens, through such initiatives as the implementation of the EU-backed Medusa project, which will establish an 8,700 km submarine fibre optic communications cable linking North African countries to Southern Europe.  

“As communications infrastructure continues to be implemented within the region, it is imperative for countries in North Africa to remain vigilant about protecting their vital telecommunications industry from potential DDoS attacks. Organisations must defend against data breaches, and sovereign states should encourage and reward the practice of such defences, which today can also have an impact at a national level. Being proactive is key in defending against today’s ultra-sophisticated, immensely powerful multi-vector and layered attacks,” he concludes.

Edited by Creamer Media Reporter
