Original Release Date: 8/20/2020
Threat actors claiming to be the notorious threat groups APT28 and the Armada Collective are targeting multiple sectors, such as finance and retail, and threatening organizations with distributed denial-of-service (DDoS) attacks. The extortion attempt begins with a threatening email warning that the recipient's organization will be hit with a DDoS attack if a ransom is not paid. The threat actors emphasize damage to the company's reputation and, in some instances, claim that the attack will begin immediately if the extortion demand is disclosed publicly. Ransom demands range from 5-20 bitcoin (~$59,000 - ~$237,000) and increase daily if not paid. Researchers assess that the extortion demands come from threat actors simply impersonating well-known threat groups in an attempt to use those groups' reputations to intimidate potential victims. Furthermore, the use of DDoS attacks in extortion attempts does not coincide with the known tactics, techniques, and procedures (TTPs) of APT groups such as APT28. These extortion attempts are typically not considered credible threats; however, researchers at Akamai Security Intelligence and Threat Research (SIRT) have identified one instance in which a customer was targeted with a 50 GB/sec attack.
The NJCCIC recommends that administrators and security operations teams review and update their response procedures for a DDoS attack, using resources such as the National Institute of Standards and Technology's (NIST) DDoS mitigation techniques. Additionally, we advise organizations that receive an extortion email not to pay the ransom, as payment does not guarantee that the DDoS attack will be averted and it finances further extortion campaigns. We encourage users who discover signs of malicious cyber activity to contact the NJCCIC via the Cyber Incident Report form. Further information can be found in the Akamai blog post.
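As an added example (not part of the NJCCIC advisory or the Akamai research), the following Python triage helper checks an inbound email for the indicators the advisory describes: an impersonated group name, a DDoS threat, a 5-20 BTC demand, a daily increase, and a threat tied to public disclosure. The sample messages and the scoring threshold are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the advisory: impersonated group names, a DDoS threat,
# a 5-20 BTC demand that rises daily, and a threat tied to public disclosure.
IMPERSONATED_GROUPS = ("apt28", "armada collective")
BTC_MIN, BTC_MAX = 5.0, 20.0


@dataclass
class Triage:
    claimed_group: Optional[str]
    btc_demand: Optional[float]
    threatens_ddos: bool
    daily_increase: bool
    disclosure_threat: bool

    @property
    def matches_pattern(self) -> bool:
        """True when a DDoS threat plus at least two more indicators line up (assumed threshold)."""
        in_range = self.btc_demand is not None and BTC_MIN <= self.btc_demand <= BTC_MAX
        hits = sum([self.claimed_group is not None, in_range, self.threatens_ddos,
                    self.daily_increase, self.disclosure_threat])
        return self.threatens_ddos and hits >= 3


def triage_extortion_email(body: str) -> Triage:
    """Extract the campaign indicators from a single email body (case-insensitive)."""
    text = body.lower()
    group = next((g for g in IMPERSONATED_GROUPS if g in text), None)
    m = re.search(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoin)", text)  # first stated BTC amount
    return Triage(
        claimed_group=group,
        btc_demand=float(m.group(1)) if m else None,
        threatens_ddos=bool(re.search(r"\bddos\b|denial[- ]of[- ]service", text, re.S)),
        daily_increase=bool(re.search(r"(increase|rise|double).{0,40}\b(daily|every day|each day|per day)\b", text, re.S)),
        disclosure_threat=bool(re.search(r"(public|media|press).{0,60}(immediately|right away|at once)", text, re.S)),
    )


# Constructed sample messages, not real emails, used to exercise the triage.
SAMPLE_EMAIL = """\
We are the Armada Collective. Your network will be hit by a DDoS attack
starting next week unless you pay 10 BTC to the address below. The fee
will increase by 5 BTC every day you do not pay. If you go public or
contact the media, the attack will begin immediately.
"""
BENIGN_EMAIL = "Reminder: the quarterly DDoS tabletop exercise is scheduled for Friday."

if __name__ == "__main__":
    result = triage_extortion_email(SAMPLE_EMAIL)
    print(result, "matches_pattern =", result.matches_pattern)
```

A match should route the message to the DDoS response procedure and mitigation provider rather than to a payment decision; the scoring only prioritizes review and is not a judgment of whether the attack will actually occur.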