This attack is delivered in two phases:
Phase 1: Email
The target company receives an email stating “We are the Fancy Bear and we have chosen [Company Name] as a target for our next DDoS attack.” The email gives a deadline for the major DDoS attack and demands a ransom to call it off.
Phase 2: Demonstrative DDoS
To make the campaign more believable and to demonstrate their capability, the attackers may launch a warning or demonstrative attack against an IP address belonging to the company's network. These attacks generally last around 30 minutes.
So far CERT NZ has not seen any evidence to suggest that the attackers follow through with the major attack on the deadline provided in the email.
The attackers are using a mix of reflection and amplification attacks and direct floods, with targets including services using the following protocols:
- Hypertext Transfer Protocol (HTTP)
- Web Service Dynamic Discovery (WSD)
- Apple’s Remote Management Service (ARMS)
- Simple Service Discovery Protocol (SSDP)
- Network Time Protocol (NTP)
- Domain Name System (DNS)
- Lightweight Directory Access Protocol (LDAP)
- TCP SYN floods and Internet Control Message Protocol (ICMP) floods
Any organisation can be on the receiving end of these attacks. If you have internet-facing systems that expose these protocols, those services can be targeted directly, and the UDP services among them can also be abused as reflectors in attacks on others.
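The following is an added detection example, not CERT NZ's own tooling. It takes flow records (one dict per NetFlow/IPFIX-style flow), keys reflected traffic on the well-known UDP source ports of the reflector services listed above, and also catches the direct SYN and ICMP floods, raising an alert per destination host and 60-second window when the traffic comes from many distinct sources or at a high bit rate. The defended prefix, the port-to-protocol mapping, the thresholds and the sample flows are all assumptions constructed for illustration.

```python
"""Detect reflection/amplification and flood traffic aimed at our prefixes.

Added example, not CERT NZ's own tooling. Works on flow records (one dict
per NetFlow/IPFIX-style flow) and flags, per destination host and 60 s
window, traffic that matches the attack types listed in the advisory.
Thresholds, prefixes and the sample flows are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP source ports of the reflector services named in the advisory (assumed
# standard port assignments). Replies in a reflection attack arrive *from*
# these ports; a legitimate client on our network also sees replies from
# them, so we key on source diversity and rate rather than on port alone.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "LDAP",   # CLDAP (389/udp) is the reflective variant
    1900: "SSDP",
    3283: "ARMS",  # Apple Remote Management Service
    3702: "WSD",   # Web Services Dynamic Discovery
}

# Assumed: the address space we defend (RFC 5737 documentation range).
OUR_PREFIXES = [ip_network("203.0.113.0/24")]


def is_ours(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def classify(flow):
    """Map one flow to an attack category, or None if it looks ordinary."""
    if flow["proto"] == "udp" and flow["sport"] in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[flow["sport"]] + " reflection"
    if flow["proto"] == "tcp" and flow["flags"] == "S":   # SYN only, never completed
        return "SYN flood"
    if flow["proto"] == "icmp":
        return "ICMP flood"
    return None


def detect(flows, window=60, min_sources=50, min_mbps=500.0):
    """Aggregate suspicious flows per (window, destination, category).

    An alert is raised when a category has either many distinct sources
    (reflection attacks are spread over hundreds of abused servers) or a
    high sustained bit rate. Returns a sorted list of alert dicts.
    """
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if not is_ours(f["dst"]):
            continue
        kind = classify(f)
        if kind is None:
            continue
        bucket = f["ts"] // window
        a = agg[(bucket, f["dst"], kind)]
        a["sources"].add(f["src"])
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]

    alerts = []
    for (bucket, dst, kind), a in agg.items():
        mbps = a["bytes"] * 8 / window / 1e6
        if len(a["sources"]) >= min_sources or mbps >= min_mbps:
            alerts.append({
                "window_start": bucket * window,
                "dst": dst,
                "kind": kind,
                "sources": len(a["sources"]),
                "packets": a["packets"],
                "mbps": round(mbps, 2),
            })
    return sorted(alerts, key=lambda x: (x["window_start"], x["dst"], x["kind"]))


def build_sample_flows():
    """Constructed flows: an NTP reflection burst and a SYN flood against
    203.0.113.10, plus ordinary DNS and HTTPS traffic that must not alert."""
    t0 = 1_600_000_020
    flows = []
    # 120 abused NTP servers each sending 40 large replies (~468 B each)
    for i in range(1, 121):
        flows.append({"ts": t0 + i % 30, "proto": "udp", "src": f"198.51.100.{i}",
                      "sport": 123, "dst": "203.0.113.10", "dport": 40000 + i,
                      "packets": 40, "bytes": 40 * 468, "flags": ""})
    # 80 spoofed sources each opening half-connections to the web server
    for i in range(1, 81):
        flows.append({"ts": t0 + i % 30, "proto": "tcp", "src": f"192.0.2.{i}",
                      "sport": 1024 + i, "dst": "203.0.113.10", "dport": 443,
                      "packets": 1, "bytes": 60, "flags": "S"})
    # Benign: one recursive resolver answering our host, one real HTTPS session
    flows.append({"ts": t0 + 5, "proto": "udp", "src": "198.51.100.200", "sport": 53,
                  "dst": "203.0.113.10", "dport": 51000, "packets": 3, "bytes": 300, "flags": ""})
    flows.append({"ts": t0 + 6, "proto": "tcp", "src": "192.0.2.200", "sport": 52000,
                  "dst": "203.0.113.10", "dport": 443, "packets": 20, "bytes": 9000, "flags": "SPA"})
    return flows


if __name__ == "__main__":
    for alert in detect(build_sample_flows()):
        print(alert)
```

In practice the flow dicts would come from a collector export (nfdump, IPFIX or cloud VPC flow logs) and the thresholds would be tuned to the link size. The direction matters when reading the output: many replies from these ports converging on one of your addresses means you are the victim; many replies leaving your hosts from these ports towards one external address means your servers are being used as reflectors and should be firewalled or rate-limited.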
This campaign uses very similar tactics to a previous extortion campaign observed in 2017. In both campaigns attackers have claimed to be members of known state-sponsored hacking groups (e.g. Fancy Bear, Cozy Bear), but CERT NZ does not believe that the attackers are in any way affiliated with these organisations.