Warning of Serious DDoS Blackmail Campaigns Attributed to Fancy Bear Group

  • Thomas Pohle
  • October 21, 2019

Table of content

    Warning of Serious DDoS Blackmail Campaigns Attributed to Fancy Bear Group

    Since mid-October 2019, companies in the payment, entertainment and retail sectors have been receiving DDoS extortion and blackmail emails which claim to come from the Fancy Bear cyber espionage group. The Link11 Security Operation Center is warning organizations about the DDoS attacks launched by these perpetrators, which primarily target the Origin infrastructure of the companies.

    Since mid-October, companies targeted in this extortion campaign receive emails saying:  “We are the Fancy Bear and we have chosen XXX as target for our next DDoS attack.” While the perpetrator or perpetrators claim to be from Fancy Bear, they have little in common with the Russian hacker group that is supposed to have attacked the internal network of the Bundestag in 2014/2015. But

    The blackmailers are directing their extortion attempts again organizations in the payment, entertainment and retail sectors.  They demand ‘protection money’ of 2 Bitcoin (equivalent to approx. 14,200 euros, as of 23 October 2019), and if payment is not received, they launch an initial warning attack, and warn victims that they have between 2 and 4 days to pay the protection money. If no payment is received at the specified Bitcoin address, another attack is launched at the victim. The extortion e-mails contain victim-specific Bitcoin addresses.

    The extortion emails contain wording which is closely linked to the protection money demands of DDoS blackmailers from spring 2016. Under the name Kadyrovtsy, they had attacked several banks and online marketing companies. Read the full extortion mail.

    Large-Volume Attacks use new DDoS Vectors

    Unlike many DDoS blackmail imitators who bluff, this group claiming to be Fancy Bear doesn’t just leave it at extortion mails. The perpetrator(s) underline the seriousness of their demands with warning attacks of up to 60 Gbps. In the long-lasting demo attacks, the attackers use not only the well-known reflection amplification vectors DNS, NTP and CLDAP, but also two new attack techniques:  WS Discovery and Apple Remote Control.

    Origin Infrastructure under Attack

    A notable feature of these attacks is that they are not aimed at the target organization’s homepage, but at areas in the corporate IT infrastructure which are often inadequately protected. These include, for example, original IP addresses and original servers. Even if companies have implemented DDoS protection, they can be defenceless against the attacks. Only a Site Shield prevents direct access to the company’s Origin infrastructure and protects the origin of websites and applications from overload by DDoS attacks.

    Recommended Protective Action: Secure Original Server

    LSOC advises all companies to check whether their existing DDoS protection covers subdomains and their Origin infrastructure in addition to the domain name. Furthermore, the IP address of their original server should not be accessible directly from the Internet. It is recommended that a Site Shield is implemented for this purpose.

    In order to protect the IT infrastructure as a whole, it is important to check all traffic for DDoS attacks and filter it if necessary. Despite Site Shield and good firewall solutions, perpetrators can attack the infrastructure directly and exhaust the bandwidth.

    The attacked companies should under no circumstances respond to the extortion and instead file a complaint with the law enforcement authorities.

    SSL DDoS Attacks and How to Defend Against Them
    Link11 Intensifies Cooperation with CBC for DDoS Protection