Copycat Hacking Groups Launch DDoS AttacksAkamai: Extortionists Target Financial Firms, Use APT Group Personas
Copycats using well-known threat actor names, such as Fancy Bear and Armada Collective, are launching extortion campaigns tied to distributed denial-of-service attacks against financial institutions, according to Akamai's Security Intelligence Research Team.
"We believe these are copycat actors leveraging the names in order to scare the targeted victims into paying," Steve Ragan, a security researcher with Akamai, tells Information Security Media Group.
About a dozen of these DDoS attacks have taken place in the U.S. and U.K. since the start of the month, Ragan says. Akamai is not aware of any organizations that have paid a ransom after being threatened with or hit by a DDoS attack. And it says it has not yet determined what groups are actually behind the campaign.
Fear As Extortion Tactic
Ragan notes the extortion emails Akamai has analyzed contain typos and language that suggest they were written by attackers other than the two major APT groups whose names they are using.
"Normally, you see extortion demands come from a basic template letter that is augmented to include target specific data such as domain names or IP addresses, but in this case, it appears as if someone is touch typing the letters, given the nature of the typos themselves," Ragan says.
Akamai supplied excerpts from two ransom notes.
- "If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time." - Armada Collective
- "...your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers. [...] We will completely destroy your reputation and make sure your services will remain offline until you pay. " - Fancy Bear
The Attackers' Methods
Each attack is preceded by an email sent to the victim explaining it will be hit with a DDoS attack if the ransom is not paid by a preset date. If the victim declines to pay the attackers by that time, a five-bitcoin per day penalty is applied until the deadline is reached. At that point an attack is launched, Akamai says.
"The letters identify targeted assets at the victim's organization and promise a small 'test' attack to prove the seriousness of the situation. Some of the ransom letters claim the threat actors have the power to unleash a DDoS attack of up to 2 TBps," the report says.
So far, however, the DDoS attacks seen in the campaign have registered a maximum of 50 GB/sec, Akamai reports.
"The traffic consisted of a UDP-based, ARMS protocol reflection attack; the number of reflectors used is unknown at this time," according to the report.
Akamai is recommending anyone who receives a threat to not pay the ransom because there is no guarantee the attacks will end after payment is made.
Fancy Bear and Armada Collective
While the real Armada Collective has been largely silent since 2017, the Russian-government Fancy Bear hacking group is continuing to deploy new methods against a range of targeted victims.
Earlier this month, the U.S. National Security Agency and the FBI issued a joint alert noting that Fancy Bear, which is also known as APT28 and is part of the military unit 26165 of the Russian General Staff Main Intelligence Directorate, or GRU, has recently begun deploying new malware that targets Linux systems (see: Alert: Russian Hackers Deploying Linux Malware).