Fancy Bear Imposters Are On A Hacking Extortion Spree

Fancy Bear imposters are on a hacking extortion spree

Ransomware attacks that tear through corporate networks can bring massive organizations to their knees. But even as these hacks reach new popularity highs—and new ethical lows—among attackers, it’s not the only technique criminals are using to shake down corporate victims. A new wave of attacks relies instead on digital extortion—with a side of impersonation.

On Wednesday, the Web security firm Radware published extortion notes that had been sent to a variety of companies around the world. In each of them, the senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The communications threaten that if the target doesn’t send a set number of bitcoin—typically equivalent to tens or even hundreds of thousands of dollars—the group will launch powerful distributed denial of service attacks against the victim, walloping the organization with a fire hose of junk traffic strategically directed to knock it offline.

This type of digital extortion—give us what we’re asking for and we won’t attack you—has resurfaced repeatedly throughout the last decade. But in recent months, criminals have attempted to capitalize on fear about high-profile nation-state attacks, combined with anxieties related to rising ransomware attacks, to try to make some extra money.

“Like a good salesperson, they follow up on the first message to convince the victim to pay before actually going to the trouble of executing an attack,” says Pascal Geenens, director of threat intelligence at Radware. “Of course, these criminals would prefer the easy money and not having to go through the process of running an attack. However, if the threat actors want to keep their campaign credible, not attacking is not an option.”

Though the attacks don’t seem to target certain regions in particular, Radware did find that hackers tended to pose as Lazarus Group when attempting to extort money from financial organizations and as Fancy Bear when threatening technology and manufacturing victims.

In another recent example, researchers from the security firm Intel471 reported on Tuesday that hackers pretending to be Lazarus Group sent an extortion letter to the currency exchange company Travelex in late August. Attackers demanded 20 bitcoin (more than $200,000 at the time) and said that the ransom would increase by 10 bitcoin for every day that elapsed after the initial deadline. Travelex had previously suffered a damaging ransomware attack on New Year’s Eve and reportedly paid hackers $2.3 million to decrypt the data.

“It’s a small price for what will happen when your whole network goes down,” the extortion DDoSers wrote in their email to Travelex. “Is it worth it? You decide!”

Travelex didn’t pay the ransom this time and instead weathered a DDoS attack the hackers launched as a sort of warning shot and then a second barrage. “Whoever’s behind this probably thought that Travelex must be a soft target based on what happened at the beginning of the year,” says Greg Otto, a researcher at Intel471. “But why would you hit a company that has probably gone through the effort to shore up their security? I understand the logic, but also I just think there are holes in that logic.” Travelex did not return a request from WIRED for comment about the August extortion attempt.

Extortion DDoS attacks have never been especially profitable for scammers, because they don’t have the visceral urgency of something like ransomware, when the target is already hobbled and may be desperate to restore access. And though this has always been a weakness of the strategy, the threats are potentially even less potent now that robust DDoS defense services have become widespread and relatively inexpensive.

“Generally speaking, DDoS as an extortion method isn’t as profitable as other types of digital extortion,” says Robert McArdle, director of forward-looking threat research at Trend Micro. “It’s a threat to do something as opposed to the threat that you’ve already done it. It’s like saying, ‘I might burn your house down next week.’ It’s a lot different when the house is on fire in front of you.”

Given the spotty effectiveness of extortion DDoS, attackers are invoking the notorious state-backed hacking groups in an attempt to add urgency and stakes. “They’re fear-mongers,” says Otto. And the attacks likely work at least occasionally, given that attackers keep returning to the technique. For example, Radware noted that in addition to impersonating Fancy Bear and Lazarus Group, attackers have also been going by the name “Armada Collective,” a moniker that extortion DDoS actors have invoked numerous times in recent years. It’s unclear whether the actors behind this incarnation of Armada Collective have any connection to past generations.

Though most organizations with resources for digital defense can protect themselves effectively against DDoS attacks, researchers say it’s still important to take these threats seriously and actually invest in strong protections. The FBI reinforced this message in a bulletin at the beginning of September about actors pretending to be Fancy Bear. It reported that at the beginning of August, thousands of institutions around the world began receiving extortion notes.

“Most institutions that reached the six-day mark did not report any additional activity or the activity was successfully mitigated,” the FBI wrote. “However, several prominent institutions did report follow-on activity that impacted operations.”

While the attacks may not be as crippling for most targets as ransomware can be, they still pose a nagging threat to organizations that don’t have adequate DDoS defenses in place. And with so many other types of threats to navigate, it’s easy to imagine that the scare tactics could work often enough to make it all worth attackers’ while.

This story originally appeared on wired.com.

READ MORE HERE