Note Distribution: TLP: WHITE (Recipients may share TLP: WHITE information without restriction, subject only to standard copyright rules.)
Contributors: Alexander Cockburn, Carl Neenan, Gareth Tomlinson, Mary Hartzell, Shawn Razavi
Starting in mid-August 2020, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers. These attacks are characterized by the attacker initiating a demonstration DDoS attack against selected elements of the targeted organization’s online services/application delivery infrastructure, followed by an emailed extortion demand for payment via Bitcoin (BTC) cryptocurrency. The extortion demands typically state that the attacker has up to 2 Tbps of DDoS attack capacity at the ready, and threatens follow-up attacks if the extortion payments aren’t transmitted to the attacker within a set period of time.
In many cases, when the extortion demands aren’t met, the threatened follow-up attacks do not occur, and the attacker moves on to another target. In some cases, the attacker elects to persist in attacking the targeted organization, including its upstream transit provider(s).
The threat actor responsible for this attack campaign typically claims to be affiliated with well-known, labeled attack groups discussed in industry media; this is done in hopes of bolstering their credibility with the extortion targets. Examples of asserted affiliation include ‘Fancy Bear,’ ‘Lazarus Group,’ and ‘Armada Collective’ (the latter being the only one of the claimed identities known to be affiliated with DDoS attack campaigns). Many would-be extortionists simply send out emailed extortion demands under the names of these various groups; the threat actor behind this campaign does in fact actually launch DDoS attacks against the targeted organizations, although threatened follow-up attacks often fail to materialize.
The primary attack vectors observed in this campaign are DNS, NTP, ARMS, WS-DD, SSDP, and CLDAP reflection/amplification; spoofed SYN-flooding; GRE and ESP packet-flooding; TCP ACK-floods; and TCP reflection/amplification attacks. In some cases, the attacker has also made use of other, infrequently-used IPv4 protocols to launch packet-flooding attacks, in hopes of bypassing inadequately-scoped network access policies implemented via router access-control lists (ACLs) and/or firewall rules.
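The following is an added example, not code from the original note or its contributors, showing how a practitioner might triage inbound flow records against the vectors listed above and check whether an access policy is scoped tightly enough to catch the GRE, ESP and uncommon-protocol floods. The flow records, both ACL rule sets, the port-to-service mapping for the reflection vectors and the Rule/Flow structures are all assumptions constructed for this example.

```python
"""Classify constructed flow records into the DDoS vectors named in the
summary and compare a TCP/UDP-only ACL against a fully enumerated one.
Every record, rule and name here is an assumption for illustration."""
from dataclasses import dataclass
from typing import Optional

# Standard service ports behind the reflection vectors named in the text
# (assumed mapping; real attacks may also use non-standard ports).
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 3283: "ARMS", 3702: "WS-DD",
                    1900: "SSDP", 389: "CLDAP"}
ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int   # 0 for protocols without ports
    dport: int
    flags: int   # TCP flag bits; 0 for non-TCP


def classify(f: Flow) -> str:
    """Map one inbound flow to the attack vector it most resembles."""
    if f.proto == UDP and f.sport in REFLECTION_PORTS:
        return REFLECTION_PORTS[f.sport] + " reflection/amplification"
    if f.proto == TCP:
        syn, ack = bool(f.flags & SYN), bool(f.flags & ACK)
        if syn and not ack:
            return "spoofed SYN-flood"
        if syn and ack:
            # Unsolicited SYN/ACKs are backscatter from TCP reflection:
            # the attacker spoofed our address toward many TCP listeners.
            return "TCP reflection (SYN/ACK)"
        if ack:
            return "TCP ACK-flood"
        return "unclassified"
    if f.proto == GRE:
        return "GRE packet-flood"
    if f.proto == ESP:
        return "ESP packet-flood"
    if f.proto not in (ICMP, UDP):
        return f"uncommon IPv4 protocol {f.proto} packet-flood"
    return "unclassified"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[int] = None  # None matches any IP protocol
    dport: Optional[int] = None  # None matches any destination port


def evaluate(acl: list, f: Flow) -> str:
    """First-match ACL evaluation with an implicit deny at the end."""
    for r in acl:
        if r.proto is not None and r.proto != f.proto:
            continue
        if r.dport is not None and r.dport != f.dport:
            continue
        return r.action
    return "deny"


# Inadequately scoped: enumerates TCP and UDP, then a catch-all "permit ip any"
# that was meant for tunnels but lets every other IP protocol through.
WEAK_ACL = [Rule("permit", TCP, 443), Rule("deny", TCP), Rule("deny", UDP),
            Rule("permit")]
# Corrected: each permitted protocol is named; all others hit the implicit deny.
STRICT_ACL = [Rule("permit", TCP, 443), Rule("permit", ESP), Rule("permit", ICMP)]


def permitted_attack_flows(acl: list, flows: list) -> list:
    """(vector, protocol) for flows that look like an attack yet are permitted."""
    return [(classify(f), f.proto) for f in flows
            if classify(f) != "unclassified" and evaluate(acl, f) == "permit"]


# Constructed sample records against a hypothetical victim 203.0.113.10.
SAMPLE = [
    Flow("198.51.100.7", "203.0.113.10", UDP, 53, 41000, 0),
    Flow("198.51.100.8", "203.0.113.10", UDP, 389, 41001, 0),
    Flow("192.0.2.50", "203.0.113.10", TCP, 55000, 443, SYN),
    Flow("192.0.2.51", "203.0.113.10", TCP, 80, 55001, SYN | ACK),
    Flow("192.0.2.52", "203.0.113.10", GRE, 0, 0, 0),
    Flow("192.0.2.53", "203.0.113.10", ESP, 0, 0, 0),
    Flow("192.0.2.54", "203.0.113.10", 255, 0, 0, 0),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{classify(f):42s} weak={evaluate(WEAK_ACL, f):6s} "
              f"strict={evaluate(STRICT_ACL, f)}")
```

Running the block shows the gap the note describes: the weak ACL blocks the UDP reflection traffic and the SYN/ACK backscatter but passes GRE, ESP and protocol 255 floods through its catch-all permit, whereas the strict ACL only passes the protocols it explicitly names. The SYN-flood at the permitted port 443 gets through either ACL, which is why stateless filters alone are not a SYN-flood defence.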
Attack volumes observed over the course of this attack campaign have ranged from 50 Gbps - 200 Gbps, and 150 Kpps - 150 Mpps. While the attacker has claimed to have up to 2 Tbps of DDoS attack capacity, no attacks approaching this magnitude have taken place, to date.
Both the selection of targeted assets as well as the recipients chosen to receive the attacker’s extortion demands are indicative of pre-attack reconnaissance on the part of the threat actor. In multiple instances, critical, yet non-obvious public-facing applications and services were targeted by the attacker.
During extended attacks which include targeting of an organization’s upstream transit ISP(s), the attacker has apparently made use of basic network diagnostic techniques such as running multiple traceroutes in an attempt to identify routers and/or layer-3 switches within the transit ISP network; these network infrastructure devices are subsequently targeted by the attacker.
While in many cases emailed DDoS extortion demands are never viewed by their intended targets due to poor email address selection on the part of the attacker, in this instance, it appears that the threat actor in question has exercised significant due diligence in identifying email mailboxes which are likely to be actively monitored by targeted organizations.