Is your online business safe from DDoS Attacks?
Businesses have become extremely reliant on their web presence as a core part of how they do business. As customers move toward web-based communications, businesses must provide advertising, purchasing options, and customer service on their website to meet their target market. While this dependence on the Internet for communications can help organizations scale, since the Internet is a global network and a single webpage can simultaneously serve many customers, it also makes the organization vulnerable. An attack against an organization’s web presence can have a significant impact on sales and the business’s ability to interact with their customers.
As a result, the idea of the Distributed Denial of Service (DDoS) attack is nothing new. Cheap cloud computing and poorly secured Internet of Things (IoT) devices mean that attackers can easily build botnets of computers under their control. These collections of malicious machines can easily overwhelm an organization’s web servers, making anti DDoS protection a core part of any business’s cybersecurity strategy.
However, occasionally an attacker will take a new approach to the DDoS attack. A recent attacker decided to impersonate Fancy Bear, a well-known Advanced Persistent Threat (APT). By combining the name recognition of Fancy Bear with some changes from the traditional target of a DDoS attack, the cybercriminals hoped to convince victims to pay a ransom to stop the attack.
The Fancy Bear
Advanced persistent threats are hacking groups that have the skills, resources, and manpower to pose a long-term cyber threat. While many cybercriminals may use “smash and grab” tactics, quickly grabbing whatever they can after breaching an organization’s network, an APT could be present on a network for months or years before taking any action.
This type of long view takes resources. Many APTs are funded by or at least linked to different governments. Others could be funded by organized crime or other groups with deep pockets. When an APT is identified, it is typically given a name by cybersecurity researchers. These names are often based upon the suspected country of origin. In the case of Fancy Bear, an APT linked to Russia, the group is named for the Russian bear. Other groups from the same country also have "Bear" names (Venomous Bear, Voodoo Bear, and Cozy Bear).
The Fancy Bear APT is well-known for its interference in politics and elections. The 2016 hack of the Democratic National Convention (DNC) and much of the fake news on social media during the 2018 US midterm elections is attributed to Fancy Bear. More recently, Fancy Bear has attempted to influence the French and German presidential elections in 2017 and the EU elections in May 2019. The Fancy Bear APT is a well-known and well-established hacking group. Its reputation as a powerful cyber threat actor is likely why cybercriminals chose to impersonate them in recent attacks.
Cybercriminals Impersonate Fancy Bear
The concept of impersonating a different group is not a new one in hacking circles. Many APTs and hacking groups have very defined tools, tactics, and procedures. One group may impersonate another to make their attack stealthier or, as in this case, to trade on the reputation of a powerful group. Regardless of the reason, these impersonations, if done properly, can make attribution of a cyberattack extremely difficult.
In the case of this incident, a group of cybercriminals impersonated Fancy Bear to launch a Distributed Denial of Service (DDoS) attack. A DDoS attack involves a large number of attacking machines trying to overwhelm a victim’s ability to receive and process traffic. While botnets are available for rent to perform these attacks, the cybercriminal group apparently owned their own, likely made up of hacked Internet of Things (IoT) devices).
While the focus of a standard DDoS attack is simply denying access to the victim’s systems, it can also be used as a way for the attackers to make money. In this case, the cybercriminals demanded 2 Bitcoin (worth roughly $1800) from the target to stop the attack. In many cases, this type of ransom DDoS attack would be ineffective because it would be blocked by an organization’s anti-DDoS defenses on their webpages. However, the attacker targeted back-end servers instead, which are less likely to have DDoS protection in place. As a result, the DDoS attack was more successful.
However, the attackers failed at their impersonation of the Fancy Bear APT. Like many APTs, Fancy Bear has well-defined tactics and targets, which are primarily focused on interfering with elections. Ransom DDoS attacks are not in their wheelhouse, making it obvious to investigators that this was an attempt by another group to trade off on Fancy Bear’s reputation.
Protecting Against DDoS Attacks
Distributed Denial of Service attacks have a significant impact on an organization’s ability to do business. An attacker can make it impossible for customers to reach a website and other Internet-facing resources, which can have a significant impact on sales and the existing customer base. This potential lack of revenue is what makes ransom DDoS attacks possible.
Protecting against this type of attack requires comprehensive anti-DDoS protection. While many organizations may have DDoS protection for their websites, this would be useless against this attack since it targeted back-end systems, bypassing website-focused defenses. When developing a defense against DDoS (and other) attacks, organizations need to ensure that their defenses cannot be easily bypassed by an attacker. Otherwise, as demonstrated in this attack, a clever cybercriminal can render them useless.