CyberWarfare / ExoWarfare

Cybercriminals Impersonate Russian APT ‘Fancy Bear’ to Launch DDoS Attacks

Attacks are targeting international companies in the financial sector, demanding that victims pay ransom in Bitcoin.

Cybercriminals posing as the Russian APT group Fancy Bear have been launching DDoS attacks against companies in the financial sector and demanding ransom payments, according to a new report.

The large-scale, multi-vector DDoS attacks come with accompanying ransom letter. They started about a week ago against financial companies mainly located in Singapore, South Africa, and some Scandinavian countries, according to the report, which also published a copy of the ransom letter.

The group, which appears to actually own a DDoS botnet, is asking victims for payments of two Bitcoin. On Monday morning, one Bitcoin was selling for about $9,300.

The attacks also demonstrate that the group is doing its research when it comes to victims, according to the report. Rather than attack victim websites, the group is going after back-end servers, which aren’t usually protected by DDoS mitigation systems and thus have a good chance at causing system downtime, the report noted.

Three security companies—Link11, Radware and Group-IB—confirmed the attacks, according to the report. The first two provide DDoS mitigation services, while the third provides cybersecurity services to the financial sector.

“Fancy Bear” is perhaps most well-known for its hack of the Democratic National Committee during the 2016 election; it also hit the committee’s site again, hacked Republican think-tanks, and spread fake social media sites leading up to the U.S. midterm elections in 2018.

More recently, Fancy Bear was seen trying to influence the May elections in the European Union (EU) as part of a history of attempting to get involved in elections there. The group also was responsible for hacking and disinformation attacks during the French and German presidential elections in 2017. Generally, the group’s aim seems to be to create chaos and discord in democratic processes by using cyber-espionage and influence campaigns.

Impersonators are common when a hacking group proves successful at cybercriminal activity, as other bad actors like to take advantage of the notoriety of an existing group to mount their own attacks. This impersonation seems slightly off the mark, however, as neither the type of attacks nor targets are consistent with Fancy Bear’s typical mode of operation.

Indeed, impersonation often is a clear sign that hackers “don’t have the skills or the firepower of a group who can actually cause damage,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

“Most of the time, botnets for DDoS attacks are rented for a fee,” he said in an email to Threatpost. “The more funds you have, the more serious a threat you can pose, within some limits.”

Hahad encourages those targeted by the Fancy Bear impostors to not pay the ransom, for two reasons. One is that “it will only finance the cyber-gang for future operations,” and the other is that the victim becomes known as “a target that pays at the first threat,” he said.