05.11.2019

RDoS attacks by fake Fancy Bear hit banks in multiple locations

Anastasiya Tikhonova
Head of APT Research at Group-IB
In 2017, security researchers spotted a wave of ransom denial-of-service (RDoS) campaigns. The extortionists sent emails threatening DDoS attacks unless a ransom was paid, using the names of well-known threat actors, including Fancy Bear, to instil fear and dread. In most of those cases the threats turned out to be empty.

In late October 2019, Group-IB experts detected another massive email campaign spreading similar ransom demands to banks and financial organizations across the world. The attackers, posing as the notorious Fancy Bear, threatened to launch a DDoS attack if a ransom was not paid. In some cases the attackers did carry out small DDoS attacks to demonstrate their capabilities and lend credibility to the threat. The attacks were also confirmed by other security researchers.
According to Group-IB's Threat Intelligence, the campaign by the fake Fancy Bear (aka APT28) was launched in late October, when several banks and financial organizations in Singapore, South Africa, the Scandinavian countries and probably other locations received the extortion emails. The emails, sent from sednit@ctemplar[.]com, were written in English and threatened a DDoS attack unless a ransom of 3 BTC was paid by a certain deadline. The attackers warned that the fee would increase by 2 BTC for each day past the deadline.
Some banks that received this email did experience a demo DDoS attack. The attack vectors included floods using the UDP and ICMP protocols. It is worth noting that the attackers used UDP port 3283. This is a new DDoS vector, first detected in June 2019: UDP port 3283 is associated with the Apple Remote Desktop (ARD) application and its Apple Remote Management Service (ARMS). However, neither the emails nor the demo DDoS attacks were followed up with full-scale attacks.
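The practical question for a bank's SOC is how to turn the published source-address lists and the port-3283 observation into a check against its own flow records. The script below is an added example, not Group-IB's tooling and not code from the post: it refangs the defanged "1.2.3[.]4:3283" entries exactly as they are printed on this page (tolerating the stray double colon in one of them), then scans a constructed, simplified flow log (a made-up "proto src_ip src_port dst_ip dst_port bytes" format, not any real NetFlow/IPFIX export) and flags records whose source is a listed address or whose UDP source port is one of the reflector ports that appear in the list. Port 3283 is tied to ARD/ARMS by the post itself; the mapping of 3702 to WS-Discovery and 389 to LDAP is standard port knowledge that the post does not state. The addresses 192.0.2.x and 198.51.100.x are documentation ranges used as constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# A subset of the defanged source addresses published in the post, kept in
# the exact form they are printed (including the port some entries carry).
PUBLISHED_IOCS = [
    "213.193.124[.]178:3283",  # UDP flood source, ARD/ARMS port
    "179.219.122[.]179:3702",  # UDP flood source
    "87.251.185[.]197:389",    # UDP flood source
    "167.59.10[.]111",         # ICMP flood source
]

# UDP source ports seen in the published list. 3283 = ARD/ARMS per the post;
# 3702 (WS-Discovery) and 389 (LDAP/CLDAP) are standard assignments that the
# post itself does not spell out.
REFLECTOR_PORTS = {3283: "ARMS", 3702: "WS-Discovery", 389: "LDAP"}

# Constructed sample flow records in a simplified format (not a real
# NetFlow export). 198.51.100.10 plays the targeted bank host.
SAMPLE_FLOWS = """\
udp 213.193.124.178 3283 198.51.100.10 49152 1024
udp 179.219.122.179 3702 198.51.100.10 33211 960
udp 87.251.185.197 389 198.51.100.10 40000 3000
udp 192.0.2.77 3283 198.51.100.10 51000 1100
icmp 167.59.10.111 0 198.51.100.10 0 64
udp 192.0.2.5 53 198.51.100.10 52222 120
tcp 198.51.100.20 443 198.51.100.10 55555 200
"""


def refang(ioc):
    """Turn '1.2.3[.]4:3283' into ('1.2.3.4', 3283); port is None if absent.

    One or more colons are accepted before the port so the typo-style entry
    '185.44.128[.]135::3283' on the page still parses.
    """
    ioc = ioc.replace("[.]", ".").strip()
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})(?::+(\d{1,5}))?", ioc)
    if not m:
        raise ValueError(f"unrecognised IoC: {ioc!r}")
    ip = str(ipaddress.IPv4Address(m.group(1)))  # rejects octets > 255
    port = int(m.group(2)) if m.group(2) else None
    return ip, port


def classify_flows(flows_text, iocs):
    """Flag flows whose source is a published IoC or a known UDP reflector port.

    Returns one dict per flagged flow, in input order, with a 'reasons' list
    so the analyst can see whether a hit came from the IoC list, the port
    heuristic, or both.
    """
    known = {refang(i)[0] for i in iocs}
    alerts = []
    for line in flows_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed records
        proto, src_ip, src_port, dst_ip, _dst_port, nbytes = fields
        reasons = []
        if src_ip in known:
            reasons.append("ioc-match")
        if proto == "udp" and int(src_port) in REFLECTOR_PORTS:
            reasons.append("reflector-port:" + REFLECTOR_PORTS[int(src_port)])
        if reasons:
            alerts.append({
                "proto": proto, "src": src_ip, "src_port": int(src_port),
                "dst": dst_ip, "bytes": int(nbytes), "reasons": reasons,
            })
    return alerts


def summarize(alerts):
    """Count flagged UDP flows per reflector service for a quick triage view."""
    counts = Counter()
    for a in alerts:
        for r in a["reasons"]:
            if r.startswith("reflector-port:"):
                counts[r.split(":", 1)[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = classify_flows(SAMPLE_FLOWS, PUBLISHED_IOCS)
    for a in hits:
        print(a["proto"], a["src"], a["src_port"], "->", a["dst"],
              ", ".join(a["reasons"]))
    print(summarize(hits))
```

The port heuristic catches the fourth sample flow, which comes from an address that is not on the published list but still has the ARMS signature; that matters because a flood built on UDP reflection arrives from whatever exposed hosts the attacker bounced it off, so a static address list goes stale quickly while the source-port pattern persists. For the same reason the listed addresses should be treated as flood sources to rate-limit or filter at the edge, not as attribution of the operator behind the emails.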
Not the typical modus operandi for Fancy Bear
The attackers suggested that recipients "perform a Google search for Fancy Bear to have a look at some of their previous work". The use of the name of Fancy Bear, a state-sponsored threat actor associated with Russia, was clearly an attempt to intimidate the victims. Fancy Bear (also known as APT28, Sednit group, Sofacy, Pawn Storm, Strontium, Tsar Team, TG-4127, Group-4127, TAG_0700, Swallowtail, Iron Twilight, Group 74) has been active since 2004 and specializes in attacks on government and international organizations all over the world.

It is clear that the infamous Fancy Bear group has nothing to do with this RDoS (ransom denial-of-service) campaign. Its motivation is sabotage and espionage, while those behind these emails are motivated purely by money. This is nothing but a naive social engineering attempt.
Source addresses used by the attackers for the random UDP flood in the new wave of RDoS attacks
213.193.124[.]178:3283

73.222.102[.]43:3283

141.213.30[.]81:3283

93.148.227[.]167:3283

90.79.181[.]162:3283

128.9.168[.]175:3283

82.112.195[.]37:3283

80.219.165[.]93:3283

179.219.122[.]179:3702

128.255.242[.]214:3283

135.23.41[.]7:3283

141.219.40[.]200:3283

134.102.89[.]135:3283

207.61.192[.]156:3283

96.47.194[.]168:3283

50.246.36[.]5:3283

185.44.131[.]72:3283

1.224.87[.]99:3702

185.44.128[.]135:3283

122.155.210[.]111:3283

93.190.144[.]101:3283

77.245.135[.]76:3283

87.238.149[.]14:3283

137.99.120[.]107:3283

184.67.233[.]66

181.126.191[.]95

95.180.32[.]125:3702

181.51.57[.]46:3702

77.120.40[.]141:3702

188.0.152[.]204:3702

195.35.85[.]169

177.0.33[.]194

47.51.133[.]130

92.83.149[.]135:3702

31.211.144[.]80

13.94.104[.]145

78.131.204[.]106:3702

109.199.51[.]209

89.218.62[.]12:3702

54.36.172[.]201

40.76.194[.]159

146.0.80[.]173:3702

138.201.31[.]169

87.251.185[.]197:389

43.252.18[.]154

190.218.75[.]12:3702

73.215.166[.]26:3702

186.4.206[.]69:3702

160.226.137[.]18

98.242.135[.]12:3702

181.46.188[.]24:3702

24.139.113[.]96:3702

50.206.77[.]90

161.43.205[.]202:3702

93.170.188[.]147:3702

202.160.16[.]144:3702

220.130.80[.]212:3702

1.225.103[.]192:3740

1.225.103[.]192

186.249.86[.]98:42525

81.25.62[.]153

73.184.131[.]152:46521

73.184.131[.]152

186.249.85[.]62:58690

78.96.4[.]97:39016

1.225.103[.]192

73.184.131[.]152:37863

78.96.4[.]97:36090

1.225.103[.]192:3768

78.96.4[.]97:57604

186.249.85[.]62:36512

62.112.106[.]10:41592

62.112.106[.]10

91.211.245[.]17:389

91.211.245[.]17

73.184.131[.]152:37993

73.184.131[.]152

179.52.58[.]71:60284

179.52.58[.]71
Source addresses for ICMP flood
167.59.10[.]111

103.63.190[.]66

101.109.67[.]131
The IPs that were used by the attackers in the 2017 campaign
54.171.57[.]68

104.130.2[.]169

104.225.15[.]131

107.0.160[.]33

116.196.93[.]71

123.56.73[.]58

125.75.132[.]53

162.151.72[.]86

173.225.97[.]59

180.100.133[.]21

186.233.204[.]15

194.165.135[.]37

201.20.109[.]156

207.99.1[.]106

216.15.163[.]130

220.243.237[.]14

222.216.190[.]151

24.103.42[.]134

42.123.67[.]10

62.32.103[.]141

69.174.3[.]94

70.88.196[.]178

71.71.127[.]49

77.81.107[.]173

77.81.107[.]189

77.81.110[.]208

77.81.110[.]36

85.17.68[.]133

89.42.31[.]105

93.107.107[.]147

98.197.252[.]15