Sunday, 27 September 2020

Warning from Link11 as Aggressive Fancy Bear DDoS Attackers Return

posted by Link11
Friday 21 August 20

Link11, European leader in cyber-resilience, is warning of a rise in DDoS extortion and large-scale DDoS attacks carried out by blackmailers under the alias ‘Fancy Bear.’ Since the 12th August, companies have been receiving extortion emails from a sender under the name of ‘Fancy Bear.’ These emails have included the subject line…

Link11, European leader in cyber-resilience, is warning of a rise in DDoS extortion and large-scale DDoS attacks carried out by blackmailers under the alias ‘Fancy Bear.’

Since the 12th August, companies have been receiving extortion emails from a sender under the name of ‘Fancy Bear.’ These emails have included the subject line: ‘DDoS attacks on your network.’ In the email the perpetrators have been demanding 15 Bitcoins, which, as of August 19th, is worth almost 150,000 Euros. Based on findings from the Link11 Security Operations Center (LSOC), the blackmail has been targeted at companies across various industries, although operators of critical infrastructures seem to be increasingly targeted.

This corresponds with the assessment made by the World Economic Forum (WEF), which in its Global Risk Report 2020, found cyberattacks on critical infrastructures operators to be one of the top five global risks, calling them a "new normality".

In October 2019, the ‘Fancy Bear’ blackmailers threatened DDoS attacks to put pressure on companies in order to obtain Bitcoins. The blackmail emails from last autumn and those from the current wave are largely identical in text. The Bitcoin addresses have been changed so the attackers can check who has paid. According to the email, targeted companies have seven days to transfer the Bitcoins.

To stress the seriousness of their demands, the blackmailers have been launching warning attacks, which have been characterized by very high bandwidths and a long-lasting, high intensity. According to the attackers, however, these are only intended to provide a warning of what is to come if the ransom is not paid. If no Bitcoins are transferred, they threaten attacks of over 2,000 Gbps.

Attacks that were successfully fended off by LSOC for a KRIITS operator reached multiple/several hundred Gbps and lasted several hours. The attacks were based on UPD Floods, TCP Floods and SYN Floods. To increase the attack volume, the perpetrators relied on the Reflection Amplification vectors DNS, Apple Remote Control, and WS-Discovery.
Marc Wilczek, COO of Link11 said: “In view of the aggressive nature of these perpetrators, organizations need to take these threats seriously. As soon as they receive an extortion email, they should proactively activate their DDoS protection solution. If the solution is not designed for high volume attacks of 50 Gbps and more, it is important to find out how the company-specific protection bandwidth can be increased in the short term.

“We advise targeted companies not to respond to the blackmail and instead report the attack to the national or local law enforcement authorities.”


View more of the latest press releases from across the industry or post your company's news.

Since you're here...

...the Telecoms industry is characterised by constant change and evolution. That's why it's crucial for telecoms professionals to keep up-to-date with what is happening. Join 35,000+ of your peers and sign up to our free newsletter service today, to be in the know about what is going on. PLUS, as a member you can submit your own press releases!

See all membership options

Please enable JavaScript to view the comments powered by Disqus.

Newsletter signup

Quickly get on board and up to date with the telecoms industry