Red Sky Alliance analysts detected Fancy Bear impersonators targeting a US county election information website. Their DDoS ransom note claims they will take the site down one day before the election if they are not paid in Bitcoin. This year we are seeing an uptick in similar impersonation emails claiming to be from Fancy Bear, Lazarus Group, or Armada Collective hackers.
Details: Florida Vote Case
The vulnerability of election support infrastructure to ransomware attacks is widely discussed, but sites going down under a distributed denial of service (DDoS) attack is also a concern. Both real DDoS operators and those impersonating famous hacker groups try to exploit the fear of DDoS.
Figure 1. Fancy Bear impersonation DDoS note sent to a US county Supervisor of Elections (SOE)
Red Sky Alliance detected a ransom note sent on October 24, 2020 (Figure 1). The note is directed to a Florida county Supervisor of Elections (SOE). The impersonator claims that the county site showing voting information will be taken down one day before the US Presidential Election if the county does not pay. The letter demands that $1,100 be sent to a Bitcoin address:
“The current fee is $1100(USD) in bitcoins (BTC). The fee will increase by 1000 USD for each day after 2020 November 2nd that has passed without payment. Please send Bitcoin to the following Bitcoin address (cAsE-SeNsitIve): 19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL”.
The email also says there will be a 30-minute warning attack on the website to prove the senders are capable of DDoS (Figure 1).
Wired: Ransom DDoS and Impersonation Background
There is a growing wave of impersonation emails where – just like in the case with the voting-related site above – hackers claim to be from a famous hacker group such as Fancy Bear. A new wave of corporate attacks relies on digital extortion with a side of impersonation. Who can you believe? A real hacker or a hacker poser?
Recently, the web security firm Radware published historical examples of extortion notes that had been sent to a variety of companies around the world. In each of them, the senders purport to be the North Korean government hackers Lazarus Group (APT38), the Russian state-backed hackers Fancy Bear (APT28), or Armada Collective. The communications threaten that if the target doesn’t send a set amount of bitcoin, typically equivalent to tens or even hundreds of thousands of dollars, the group will launch powerful DDoS attacks against the victim, walloping the organization with a fire hose of junk traffic strategically directed to knock it offline.
According to Wired, this type of digital extortion – give us what we’re asking for and we will not attack you – has resurfaced repeatedly throughout the last decade. But in recent months, criminals have attempted to capitalize on fear about high-profile nation-state attacks, combined with anxieties related to rising ransomware attacks, to try to make some extra money.
“Like a good salesperson, they follow up on the first message to convince the victim to pay before actually going to the trouble of executing an attack,” says Pascal Geenens, director of threat intelligence at Radware. “Of course, these criminals would prefer the easy money and not having to go through the process of running an attack. However, if the threat actors want to keep their campaign credible, not attacking is not an option.”
Though the attacks don’t seem to target particular regions, Radware did find that hackers tended to pose as Lazarus Group when attempting to extort money from financial organizations and as Fancy Bear when threatening technology and manufacturing victims.
In another recent example, researchers from the security firm Intel471 reported on Tuesday that hackers pretending to be Lazarus Group sent an extortion letter to the currency exchange company Travelex in late August. Attackers demanded 20 bitcoin (more than $200,000 at the time) and said that the ransom would increase by 10 bitcoin for every day that elapsed after the initial deadline.
Travelex had previously suffered a damaging ransomware attack on New Year’s Eve and reportedly paid hackers $2.3 million to decrypt the data. “It’s a small price for what will happen when your whole network goes down,” the extortion DDoSers wrote in their email to Travelex. “Is it worth it? You decide!” Travelex didn't pay the ransom this time, and instead weathered a DDoS attack the hackers launched as a sort of warning shot and then a second barrage. “Whoever’s behind this probably thought that Travelex must be a soft target based on what happened at the beginning of the year,” says Greg Otto, a researcher at Intel471. “But why would you hit a company that has probably gone through the effort to shore up their security? I understand the logic, but also I just think there are holes in that logic.” Travelex did not return a request from WIRED for comment about the August extortion attempt.
Extortion DDoS attacks have never been especially profitable for scammers, because they don’t have the visceral urgency of something like ransomware, when the target is already hobbled and may be desperate to restore access. And though this has always been a weakness of the strategy, the threats are potentially even less potent now that robust DDoS defense services have become widespread and relatively inexpensive.
“Generally speaking, DDoS as an extortion method isn’t as profitable as other types of digital extortion,” says the director of forward-looking threat research at Trend Micro. “It’s a threat to do something as opposed to the threat that you’ve already done it. It’s like saying, ‘I might burn your house down next week.’ It’s a lot different when the house is on fire in front of you.”
Given the spotty effectiveness of extortion DDoS, attackers are invoking the notorious state-backed hacking groups in an attempt to add urgency and stakes. “They’re fear-mongers,” says the Trend Micro researcher. And the attacks likely work at least occasionally, given that attackers keep returning to the technique. For example, Radware noted that in addition to impersonating Fancy Bear and Lazarus Group, attackers have also been going by the name “Armada Collective,” a moniker that extortion DDoS actors have invoked numerous times in recent years. It’s unclear whether the actors behind this incarnation of Armada Collective have any connection to past generations.
Though most organizations with resources for digital defense can protect themselves effectively against DDoS attacks, researchers say it is still important to take these threats seriously and actually invest in strong protections. The FBI reinforced this message in a bulletin at the beginning of September about actors pretending to be Fancy Bear. It reported that at the beginning of August, thousands of institutions around the world began receiving extortion notes.
“Most institutions that reached the six-day mark did not report any additional activity or the activity was successfully mitigated,” the FBI wrote. “However, several prominent institutions did report follow-on activity that impacted operations.”
Coming back to the targeted voting information website, the ransom demand is much smaller than the typical demand made of corporations. It is very likely that the Fancy Bear identity is an impersonation, as ransom DDoS is not a known TTP for that Russian APT group.
Six days before the election date, close to half of the active eligible voters in the affected county had already cast their ballots. Still, the voter information site going down would be a concern; yet it is strongly advised not to pay ransom DDoS extortions. Typically, the actors behind these emails do not have the DDoS capacity they claim to have.
Even if the actors could cause some interruption with a short, weak 30-minute DDoS, ignoring their demands and then increasing your DDoS protection are the advisable courses of action. According to the FBI, the ransom notes seen in 2017 and 2019 were nearly identical to those in the 2020 incidents, and in most cases the extortion email was followed by no DDoS activity or by activity that was easily mitigated.
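As an added example (not Red Sky Alliance, Radware, or FBI tooling), the following Python script shows how a SOC mail filter could triage an inbound message for the ransom-DDoS indicators described above: a claimed group name, a legacy Bitcoin payment address (with a base58check checksum test, so that a malformed or typo'd address is reported separately), a USD demand, a per-day increase, and a promised warning attack. The function and class names, the scoring weights, and the threshold are assumptions of this example; the sample note is constructed for the example and modeled on the Figure 1 text quoted in the Florida case, with the surrounding sentences invented.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Groups that ransom-DDoS senders have impersonated in the reporting discussed
# above, mapped to the label used in the triage output.
IMPERSONATED_GROUPS = (
    ("fancy bear", "Fancy Bear (APT28)"),
    ("apt28", "Fancy Bear (APT28)"),
    ("lazarus", "Lazarus Group (APT38)"),
    ("apt38", "Lazarus Group (APT38)"),
    ("armada collective", "Armada Collective"),
)

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) base58 addresses only; bech32 "bc1..." addresses would need
# their own pattern and checksum and are not handled in this example.
LEGACY_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
USD_DEMAND_RE = re.compile(r"\$\s?(\d[\d,]*)")
USD_INCREASE_RE = re.compile(r"increase by\s+\$?(\d[\d,]*)", re.I)
WARNING_MINUTES_RE = re.compile(r"(\d+)[\s-]*minutes?\b", re.I)


def b58decode(s: str) -> bytes:
    """Decode base58; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_ones + body


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def base58check_encode(payload: bytes) -> str:
    """payload = 1 version byte + 20-byte hash160; appends the 4-byte double-SHA256 checksum."""
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + chk)


def base58check_valid(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose last 4 bytes match the checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, chk = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == chk


@dataclass
class RdosTriage:
    claimed_groups: List[str]
    btc_addresses: List[str]
    checksum_valid_addresses: List[str]
    usd_demand: Optional[int]
    usd_daily_increase: Optional[int]
    warning_attack_minutes: Optional[int]
    score: int
    flagged: bool


def _to_int(m) -> Optional[int]:
    return int(m.group(1).replace(",", "")) if m else None


def triage_rdos_note(text: str, threshold: int = 4) -> RdosTriage:
    """Score an inbound email for ransom-DDoS extortion indicators.

    Weights are illustrative (an assumption of this example), chosen so that a
    named-group claim plus a payment address alone reaches the threshold.
    """
    low = text.lower()
    groups = sorted({label for needle, label in IMPERSONATED_GROUPS if needle in low})
    addrs = LEGACY_ADDR_RE.findall(text)
    valid_addrs = [a for a in addrs if base58check_valid(a)]
    usd = _to_int(USD_DEMAND_RE.search(text))
    increase = _to_int(USD_INCREASE_RE.search(text))
    minutes = _to_int(WARNING_MINUTES_RE.search(text))

    score = (2 if groups else 0) + (2 if addrs else 0)
    score += sum(1 for hit in (usd, increase, minutes) if hit is not None)
    score += 1 if "ddos" in low else 0
    return RdosTriage(groups, addrs, valid_addrs, usd, increase, minutes, score, score >= threshold)


# Constructed sample, modeled on the note quoted in the Florida case above;
# the sentences around the quoted demand are invented for this example.
SAMPLE_NOTE = """Subject: DDoS attack on your website

We are Fancy Bear and we have chosen your website as a target.
Your site will be taken down one day before the election if you do not pay.
To prove we are capable, we will run a 30 minute warning attack on your site.
The current fee is $1100(USD) in bitcoins (BTC). The fee will increase by 1000 USD
for each day after 2020 November 2nd that has passed without payment.
Please send Bitcoin to the following Bitcoin address (cAsE-SeNsitIve):
19jzN84BmswK9FbxD9QYsKCSZiukRN9ehL
"""

if __name__ == "__main__":
    print(triage_rdos_note(SAMPLE_NOTE))
```

The checksum test only says whether an address is well-formed; it says nothing about who controls it, so the address is still worth recording as an indicator for the FBI report or for correlation with other notes using the same wallet. A flagged message should route to a ticket rather than to a deletion: the advice above is to ignore the demand, not the email.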
While the DDoS attacks may not be as crippling for most targets as ransomware can be, they still pose a nagging threat to organizations that don't have adequate DDoS defenses in place. And with so many other types of threats to navigate, it's easy to imagine that the scare tactics could work often enough to make it all worth attackers' while.
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.
Installing, updating, and monitoring firewalls and other security controls, together with proper employee training, are keys to blocking attacks. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
What can you do to better protect your organization today?
- All data in transit and at rest should be encrypted.
- Proper data back-up and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication company-wide.
- Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cybersecurity software, services, and devices to be used by all employees and consultants working from home.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network. Ransomware protection is included at no charge for RedXray customers.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941