The Link11 Security Operation Center (LSOC) is warning that since Wednesday, April 19, 2017, a new group calling itself XMR-Squad has been extorting German companies with DDoS attacks. Victims include DHL, Hermes, AldiTalk, Freenet, Snipes.com, as well as the State Bureau of Investigation Lower Saxony and the state of North Rhine-Westphalia. The group's approach resembles that of the already-known extortion groups DD4BC, Kadyrovtsy, and Stealth Ravens: it puts pressure on its victims with demonstration attacks. The perpetrators frame their demands for protection money as "testing DDoS protection."
The perpetrators are seeking publicity. In a telephone conversation and via email, they provided the journalist Mark Steier with substantial information. Steier summarized it in his German blog post titled "Ursache der Störung nun bekannt: DHL hatte einen DDOS-Angriff" (in English: "Cause of the disruption now known: DHL had a DDoS attack"), which establishes that the DHL outage was caused by a DDoS attack. The LSOC exchanged additional information with Steier and, together with him, compiled a brief profile of the perpetrators.
Origin: DDoS extortion attempts by this previously unknown group have only been observed since April 19, 2017. Based on the telephone conversation with the perpetrators, Steier assumes that the group has Russian roots.
Single perpetrator/group: By email and on Twitter, the hackers always refer to themselves in the plural.
Name of the perpetrators: XMR is the abbreviation for the decentralized crypto-currency Monero, which places a special focus on privacy.
Victims: The blackmailers are targeting German companies of different sizes and from different sectors, with no recognizable pattern in the selection. So far, the LSOC is aware of DDoS attacks on the websites of Vodafone, Snipes, Freenet, Hermes, DHL, AldiTalk, and 3DSupply. In addition to these companies, the perpetrators' own website claims attacks on the State Bureau of Investigation Lower Saxony and the state of North Rhine-Westphalia. At present, XMR-Squad is still concentrating on companies and authorities in Germany, but an expansion into other European countries cannot be ruled out.
Web presence: The perpetrators post information about their (seemingly) successful DDoS attacks on Twitter and on their own website, xmr-squad.biz. That site is itself protected by Cloudflare. In recent months, the US-based DDoS protection provider has repeatedly been accused of also shielding criminal operations because it does not vet new customers.
Asking for protection money: What is unusual about XMR-Squad is that they present the attacks as a kind of penetration test and ask for 250 euros for that "test": "we're 'checking' your protection :=) & for this we just require € 250 win-win." (Source: Twitter post). According to the LSOC, this amount is comparatively low: DDoS blackmailers usually demand 1 to 5 Bitcoin, which at today's exchange rate corresponds to roughly 1,100 to 5,700 euros.
DDoS tool: It is still unclear whether XMR-Squad operates its own DDoS tool or whether the perpetrators commission the attacks from "DDoS-as-a-Service" vendors (booter or stresser services). What is certain is that XMR-Squad's attacks can have considerable impact, since they have already managed to overload the IT infrastructure of large logistics companies.
In the opinion of the LSOC, XMR-Squad's extortion attempts must be taken seriously, but they should not be answered. Instead of paying, Link11's DDoS protection experts recommend activating existing protection systems or putting appropriate protective measures in place, and informing the hosting provider of the blackmail attempt. Companies under attack should also file a report with law enforcement, keeping the extortion emails and attack logs as evidence. The Alliance for Cybersecurity provides an overview of the respective cybercrime reporting points in the individual federal states.