Banks and other organizations from the Australian financial sector have been the targets of an extensive extortion campaign over the past week.
A threat group has been emailing victims with threats to carry out distributed denial of service (DDoS) attacks unless the organizations pay hefty ransom fees in the Monero (XMR) cryptocurrency.
The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) issued a threat advisory today about this ongoing campaign.
The ACSC said that based on current evidence, the attackers have not followed through on any of their threats, and no DDoS attacks have been observed.
Global DDoS extortion campaign that started last year
The threats received by Australian organizations over the past week are part of a global ransom denial of service (RDoS) campaign that began in October 2019.
As ZDNet reported at the time, initial extortion attempts targeted banks and other companies in the financial sector. However, following our initial article, these threats diversified and hackers also targeted other industry verticals.
From ransom demands against banks in Singapore and South Africa, subsequent threats were also made against telecom companies in Turkey, internet service providers in South Africa, and online betting and online gambling portals across Southeast Asia, just to name a few.
The extortion demands continued through subsequent months, and the attackers methodically expanded operations to target dozens of countries on every continent.
In some cases, attackers followed through on their threats, but not against all targets, as it would have been impossible to muster the DDoS resources to attack every threatened party. However, ZDNet can confirm that several attacks have taken place against companies targeted as part of this ransom campaign.
Now posing as the Silence group
The group behind this campaign has also regularly changed the name under which it signs its extortion emails.
They initially used the name Fancy Bear, the name of the infamous hacking group (also tracked as APT28) associated with the Russian government and known for its role in the 2016 DNC hack.
They later shifted to using Cozy Bear, the name of another well-known Russian government hacking squad (also tracked as APT29), known for breaching unclassified White House and State Department networks in 2014 and for its own involvement in the 2016 DNC hack.
Other names they used include Anonymous, Carbanak, and Emotet. All are the names of known hacking and cyber-crime operations.
The extortionists behind this campaign are counting on victims searching these names online after receiving the emailed threats. Google returns thousands of results for each of these terms, and the attackers hope that this borrowed notoriety will lend credence to their threat and convince victims to pay. Nothing in the campaign indicates any actual connection to the groups whose names are being used.
The name they are now using is Silence, a well-known hacker group known for stealing millions of US dollars from banks across Eastern Europe, South and Central Asia, and more recently, Sub-Saharan Africa.
Advice: Do not pay!
In a threat alert it sent last year, DDoS mitigation service Radware advised victims who receive these types of DDoS extortion emails not to pay, but to contact a cyber-security firm instead.
The ACSC today recommended that organizations prepare for attacks before they occur, “as this sort of incident can be very difficult to respond to once the attack begins.”
“Well prepared organisations should be able to operate effectively despite these threats and any potential DoS,” the ACSC said.