RDoS Attack On The NZX And Other High-profile New Zealand Sites
Over the past week the DDoS attacks on the NZX and other New Zealand
businesses have been the focus of the news. Many media organisations
have sought the opinions of “experts”, often from universities, who have provided
lots of speculation but very little information. As cybersecurity specialists,
Darkscope is providing information that might help the media and the New
Zealand public better understand this situation.
DDoS (Distributed Denial of Service) attacks fell in volume year on year from 2016
to 2018, but jumped 84% in Q1 2019[1]. The new attacks last longer, typically more
than an hour, because they are more complex and include new attack vectors (see
below) which defeat the defensive systems typically deployed to reroute
and stop them. These attacks come with a ransom demand before being
deployed, hence RDoS (Ransom Denial of Service) attacks.
In 2019 the attacks targeted financial services, payment,
entertainment and retail organisations around the world, including South America,
Africa, Northern Europe and parts of Asia. They are attributed to a group presenting
itself as the Russian cyber espionage group “Fancy Bear”[2], which demanded a bitcoin
ransom before the attack was launched. This is their message:
“We are the Fancy Bear and we have chosen [Victim] as target for our next DDoS
attack. Please perform a google search for ‘Fancy Bear’ to have a look at some of
our previous work.” In the note, the attackers present a deadline after which a
major DDoS attack will occur if no payment is made. The ransom increases daily.
On sending their threat and as proof of their intentions and capabilities, the
attackers initiate a small half-hour attack ranging from 40 to 60 Gbps, on a
specifically chosen IP address belonging to the victim’s network.
A key difference with these attacks is that they are not aimed at the
organisation’s homepage, but at parts of the corporate IT infrastructure that are
often inadequately protected: the origin IP addresses that sit behind any
DDoS-protection front end, and internal servers. Because of this targeting, companies
can be defenceless against the attacks even if they have implemented DDoS
protection, as we have seen with NZX.
The attackers are using at least eight vectors to launch DDoS attacks and amplify
the disruption, including two relatively new ones, Web Services Dynamic Discovery
(WS-Discovery, WSD) and Apple’s Remote Management Service (ARMS). WSD as a DDoS
attack vector has only been known about since the beginning of 2019, and its effect
was not generally understood until Q3 2019, when details emerged that the attackers
had added this vector to their toolkit. Both are UDP reflection vectors: the attacker
sends small requests with the victim’s spoofed source address to exposed devices,
which reply with much larger responses to the victim. Together these two vectors can
amplify the intensity of the attack by up to 35 times.
Other vectors include Simple Service Discovery Protocol (SSDP), Network Time
Protocol (NTP), Domain Name System (DNS), Connectionless Lightweight Directory
Access Protocol (CLDAP), TCP SYN floods and Internet Control Message Protocol (ICMP)
floods.
When all eight vectors are deployed together, the attack is very difficult to stop
even with the best defensive systems, as we have seen with the attacks on the
NZX.
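As an added example (not part of the original article or of any Darkscope tooling), the following Python classifies flow-export records into the vectors listed above by the well-known UDP service port the reflected traffic arrives from (WSD 3702, ARMS 3283, SSDP 1900, NTP 123, DNS 53, CLDAP 389), plus SYN-only TCP and ICMP, totals them per destination, and flags targets that are not behind the DDoS-protected front end. The record format, addresses, byte counts and the PROTECTED set are all constructed assumptions for the example.

```python
"""Classify constructed flow records into DDoS vectors and summarise per target."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# UDP source ports of the reflection/amplification services named in the article.
# A reflected response always arrives *from* the service port.
AMPLIFIERS = {
    3702: "WSD",    # Web Services Dynamic Discovery
    3283: "ARMS",   # Apple Remote Management Service
    1900: "SSDP",
    123: "NTP",
    53: "DNS",
    389: "CLDAP",
}


@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int
    flags: str  # TCP flags, "-" when not applicable


def parse_flow(line: str) -> Flow:
    """Parse one line of the hypothetical exporter format used below:
    '<ts> <proto> <src>:<port> -> <dst>:<port> pkts=<n> bytes=<n> flags=<f>'"""
    _, proto, src, _, dst, pkts, nbytes, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto, src_ip, int(src_port), dst_ip, int(dst_port),
                int(pkts.split("=")[1]), int(nbytes.split("=")[1]),
                flags.split("=")[1])


def classify(flow: Flow) -> Optional[str]:
    """Name the attack vector a flow belongs to, or None if it looks ordinary."""
    if flow.proto == "UDP" and flow.src_port in AMPLIFIERS:
        return AMPLIFIERS[flow.src_port]
    if flow.proto == "TCP" and flow.flags == "S":  # SYN with no ACK: half-open flood
        return "SYN"
    if flow.proto == "ICMP":
        return "ICMP"
    return None


def summarise(lines, window_s, protected, alert_gbps=1.0, vector_floor_gbps=0.1):
    """Per destination over alert_gbps: Gbps by vector, total Gbps, whether several
    vectors are active at once, and whether the target bypasses the protected front end.
    vector_floor_gbps drops e.g. legitimate resolver replies that merely come from port 53."""
    by_dst = defaultdict(lambda: defaultdict(int))
    for line in lines:
        flow = parse_flow(line)
        vector = classify(flow)
        if vector:
            by_dst[flow.dst_ip][vector] += flow.bytes

    def gbps(nbytes):
        return round(nbytes * 8 / window_s / 1e9, 3)

    report = {}
    for dst, vectors in by_dst.items():
        total = gbps(sum(vectors.values()))
        if total < alert_gbps:
            continue
        active = {v: gbps(b) for v, b in vectors.items() if gbps(b) >= vector_floor_gbps}
        report[dst] = {"total_gbps": total, "vectors": active,
                       "multi_vector": len(active) >= 2,
                       "unprotected": dst not in protected}
    return report


# Constructed 10-second window. 203.0.113.5 is the (assumed) scrubbed public front end;
# 203.0.113.10 is the (assumed) origin server that attackers found directly.
SAMPLE_FLOWS = [
    "2020-08-26T10:00:01Z UDP 198.51.100.7:3702 -> 203.0.113.10:80 pkts=5000000 bytes=6250000000 flags=-",
    "2020-08-26T10:00:01Z UDP 198.51.100.8:3283 -> 203.0.113.10:443 pkts=2500000 bytes=2500000000 flags=-",
    "2020-08-26T10:00:02Z UDP 198.51.100.9:123 -> 203.0.113.10:443 pkts=2600000 bytes=1250000000 flags=-",
    "2020-08-26T10:00:02Z TCP 192.0.2.55:51234 -> 203.0.113.10:443 pkts=12500000 bytes=625000000 flags=S",
    "2020-08-26T10:00:03Z ICMP 192.0.2.9:0 -> 203.0.113.10:0 pkts=4000000 bytes=250000000 flags=-",
    "2020-08-26T10:00:03Z UDP 203.0.113.2:53 -> 203.0.113.10:41022 pkts=40 bytes=10000 flags=-",
    "2020-08-26T10:00:04Z TCP 198.51.100.20:44321 -> 203.0.113.10:443 pkts=30 bytes=25000 flags=SA",
    "2020-08-26T10:00:04Z UDP 198.51.100.30:1900 -> 203.0.113.5:80 pkts=3000000 bytes=1250000000 flags=-",
]
PROTECTED = {"203.0.113.5"}

if __name__ == "__main__":
    for dst, r in summarise(SAMPLE_FLOWS, 10, PROTECTED).items():
        print(dst, r)
```

The source-port heuristic is deliberately cheap so it can run on sampled flow data at line rate; the per-vector floor keeps ordinary DNS and NTP replies out of the report, and the `unprotected` flag is the check that matters for the targeting described above, since traffic reaching the origin address never passed through the scrubbing service at all.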
It is unclear whether the attacks on the NZX, Stuff and Radio NZ sites are from
Fancy Bear. In fact, it is unlikely as these attacks do not match Fancy Bear’s
typical behaviour. To date, the attacked organisations and the GCSB are silent on whether ransoms have been demanded or paid.
Darkscope’s experience from daily monitoring of millions of internet sites and
dark web activity is that these types of attack are often geographically clustered:
we see similar attacks occurring and recurring in one country before they move to
the next. What is clear is that this new form of attack is being targeted at New
Zealand organisations, and we should expect it to continue for some time to
come.
[1] Kaspersky Lab, “DDoS Attacks in Q1 2019”, https://securelist.com/ddos-report-q1-2019/90792/
[2] Fancy Bear is a Russian cyber espionage group also tracked as APT28 (Mandiant/FireEye), Sofacy (Kaspersky), Pawn Storm (Trend Micro), Sednit (ESET), Tsar Team and STRONTIUM (Microsoft).