Hacker Group Posing as Fancy Bear Started A DDoS Extortion Campaign

Fancy Bear, one of the world’s more well-known hacker groups, has had an interesting time, it seems. A hacker group, connected to an attack that happened two years ago, has been pretending to be Fancy Bear in a new DDoS Campaign. This group launches a minor DDoS attack as a show of force, before demanding money in return for not waylaying a company’s system. They make use of Fancy Bear’s reputation, known for hacking both the DNC and the White House in 2016 and 2014 respectively, to instill a sense of fear.

The attacks were confirmed today by two security companies: Radware and Link11. Both parties have a specialized DDoS mitigation service and had documented similar attacks in the past.

Daniel Smith, an Emergency Response Team (ERT) researcher for Radware, had stated that the attacks are mainly targeting the financial sector, having started last week. Smith explained that the group was launching multi-vector, large scale DDoS attacks when they send the ransom letters. This was doubtlessly a show of force to try and intimidate the company.

Smith continued by saying that these victims receive a threat for a follow-up DDoS if attack if they don’t pay them the two bitcoin they demand (about $15 000 in today’s market) within a week. However, Smith also stated that no follow-up attack had been seen. Whether this be that their ransom was paid or that they don’t have any foot to stand on remains to be seen.

Link11’s spokesperson corroborated the theory that it served as an initial warning. It was an intimidation attempt to try and convince the companies to pay the ransom rather than to face the fake Fancy Bear’s wrath.

A copy of the ransom letter can be found here . From the contents, it can be gleaned that they are leaning heavily on Fancy Bear’s reputation as hackers to intimidate their prospective victims even further.

Thomas Pohle, Public Relations Manager for Link11, explained that these demo attacks are built through different protocols. Things like NTP, DNS, ARMS, CLDAP, and WS-Discovery are all included. Clearly, the strategy is to hammer at as many walls as possible, trying to find a crack.

Pohle concluded that these extortionists do more than randomly fling out ransoms. They study their target, choosing who to extort in advance. It can be seen in how they attack the companies. Pohle explained that these hackers don’t attack the public website of the company, but their backend server. These backends typically aren’t protected by a form of DDoS mitigation, thus making it easier to target. This attack will cause downtimes and quite possibly intimidate their victims.

Pohle added that it wasn’t purely the financial sector being attacked. Some of these Ransom Denial-of-Service (RDDoS) are aimed at other companies that can be considered to have a large number of funds. Specifically, companies that focus on entertainment and retail.

This Fancy Bear Copycat group seems to be able to follow through on their threats, sad as it is to see. It at least appears that they have their own DDoS botnet, but its level of power is still up for debate.

What should be important to know, however, was that this wasn’t the real Fancy Bear Group. Fancy Bear is a Russian backed group of cybersecurity and espionage elites. They target NATO bases, Embassies, government agencies, and US political parties. What they don’t do is extort money out of financial corporations, and here’s hoping the group strikes at these pretenders for using their reputation the way they are.

Radware’s Smith released a statement saying that the RDDoS campaign’s ransom letter was almost identical to one sent back in 2017 by another RDDoS group, posing as Fancy Bear as well. The connection there is undeniable, with this group either being the same or heavily inspired about it.

The year of 2017 as a whole was a very DDoS-heavy year. Dozens of groups tried the same tactic, threatening companies with attacks unless they cough up. While many tried to hide behind the shadow of heavyweight hacker groups, others tried to make a name for themselves then and there.

Groups like Lulzsec, Anonymous , New World Hackers, Armada Collective, Lizard Squad , and Fancy Bear were all subject to lesser groups trying to use their name. Other groups took the more respectable approach: Trying to create a name for themselves instead of stealing others’ thunder. Groups like RedDoor, Kadyrovtsy, Borya Collective, ezBTC, XMR Squad, Stealth Ravens, Meridian Collective, ZZboot, Collective Amadeus, and Xball Team all came from that time.

For almost an entire year, it was an all-out free-for-all. Luckily, the attacks started to subside as victims began to realize that most of the extortionists were just trying their luck, having no real bite to their bark.