05.11.2019

RDoS attacks by fake Fancy Bear hit banks in multiple locations

Anastasiya Tikhonova
Head of APT Research at Group-IB

In 2017, security researchers spotted a wave of ransom denial-of-service (RDoS) campaigns. The extortionists distributed emails threatening DDoS attacks unless a ransom was paid. They used the names of different threat actors, including Fancy Bear, to inspire fear and dread. In most past cases these were nothing but empty threats.

In late October 2019, Group-IB experts detected another massive email campaign spreading similar ransom demands, sent to banks and financial organizations across the world. The attackers, posing as the notorious Fancy Bear, threatened to launch a DDoS attack if a ransom was not paid. In some cases, the attackers did carry out small DDoS attacks to demonstrate their capabilities and validate the threat. The attacks were also confirmed by other security researchers.

According to Group-IB's Threat Intelligence, the campaign by the fake Fancy Bear (aka APT28) was launched in late October, when various banks and financial organizations in Singapore, South Africa, the Scandinavian countries and likely some other locations received the extortion emails. The emails, sent from sednit@ctemplar[.]com, were written in English and threatened to launch a DDoS attack unless a ransom of 3 BTC was paid by a certain deadline. The attackers warned that the fee would increase by 2 BTC for each day past the deadline.

Some banks that received this email did indeed experience a demo DDoS attack. The attack vectors included floods using the UDP and ICMP protocols. It is worth noting that the attackers used UDP port 3283. This is a new DDoS vector, first detected in June 2019. UDP port 3283 is associated with the Apple Remote Desktop application (ARD) and its service (ARMS). However, neither the emails nor the demo DDoS attacks were followed by full-scale attacks.
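The demo attacks above combined UDP floods, ICMP floods and traffic on UDP port 3283 (ARD/ARMS). A defender seeing such a demo wants a quick way to confirm which vectors hit which target and at what volume. The script below is an added example written for this article; it is not Group-IB's code or tooling. It runs a simple per-destination classifier over constructed flow records (the log format, the IP addresses and the packet counts are all made up for the example) and assumes that reflected ARMS traffic reaches the victim with a source port of 3283, which is how reflected UDP service replies generally look; the alert thresholds are arbitrary and would be tuned against a real baseline.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed flow records for this example (not taken from the article).
# One line per flow: timestamp, protocol, source, destination, packet and byte counts.
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
1572440000,udp,198.51.100.10,3283,203.0.113.5,44012,1200,1380000
1572440000,udp,198.51.100.11,3283,203.0.113.5,44012,1100,1265000
1572440000,udp,198.51.100.12,3283,203.0.113.5,44012,1300,1495000
1572440000,icmp,198.51.100.20,0,203.0.113.5,0,9000,720000
1572440000,udp,198.51.100.30,53,203.0.113.5,40001,2,300
1572440000,tcp,198.51.100.40,443,203.0.113.5,51000,40,52000
1572440001,udp,198.51.100.13,3283,203.0.113.6,41000,3,2100
"""

# Per-destination packet thresholds per vector. Assumed values for the example;
# in practice these come from the network's own baseline.
THRESHOLDS = {"udp-3283-reflection": 1000, "icmp-flood": 5000, "udp-flood": 5000}


def classify(row):
    """Map one flow record to the DDoS vector it would belong to, or None."""
    proto = row["proto"].lower()
    # Assumption: ARD/ARMS replies reflected at the victim carry source port 3283.
    if proto == "udp" and row["src_port"] == "3283":
        return "udp-3283-reflection"
    if proto == "icmp":
        return "icmp-flood"
    if proto == "udp":
        return "udp-flood"
    return None  # TCP and anything else is out of scope for this check


def aggregate(flow_text):
    """Sum packets, bytes and distinct sources per (destination, vector)."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for row in csv.DictReader(StringIO(flow_text)):
        vector = classify(row)
        if vector is None:
            continue
        key = (row["dst_ip"], vector)
        totals[key]["packets"] += int(row["packets"])
        totals[key]["bytes"] += int(row["bytes"])
        totals[key]["sources"].add(row["src_ip"])
    return totals


def detect(flow_text, thresholds=THRESHOLDS):
    """Return one alert per (destination, vector) whose packet count meets the threshold."""
    alerts = []
    for (dst, vector), agg in aggregate(flow_text).items():
        if agg["packets"] >= thresholds[vector]:
            alerts.append({
                "dst_ip": dst,
                "vector": vector,
                "packets": agg["packets"],
                "bytes": agg["bytes"],
                "sources": len(agg["sources"]),
            })
    return sorted(alerts, key=lambda a: (a["dst_ip"], a["vector"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print("{dst_ip}: {vector} {packets} pkts / {bytes} bytes from {sources} source(s)".format(**alert))
```

On the constructed records this flags two vectors against 203.0.113.5 (the reflected port-3283 traffic from three sources, and the ICMP flood) and ignores the handful of packets to 203.0.113.6 and the ordinary DNS and TCP flows. Counting distinct sources per vector is what separates a reflection pattern (many reflectors, one source port) from a single noisy host, which is useful when deciding whether to rate-limit a port at the edge or to engage upstream mitigation.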

Not the typical modus operandi for Fancy Bear

The attackers invited the recipients to "perform a Google search for Fancy Bear to have a look at some of their previous work". The use of the Fancy Bear name, a state-sponsored threat actor associated with Russia, was clearly an attempt to intimidate the victims. Fancy Bear (also known as APT28, Sednit group, Sofacy, Pawn Storm, Strontium, Tsar Team, TG-4127, Group-4127, TAG_0700, Swallowtail, Iron Twilight, Group 74) has been active since 2004 and specializes in attacks on government and international organizations all over the world.

It's clear that the infamous Fancy Bear group has nothing to do with this RDoS (ransom denial-of-service) campaign. Its motivation is sabotage and espionage, while those behind these emails are purely motivated by money. This is nothing but a naive attempt at social engineering.