Richard Hummel, ASERT Threat Intelligence Lead, NETSCOUT
In August 2020, a prolific Distributed Denial of Service (DDoS) extortion campaign began attacking the finance industry, attempting to take critical systems offline unless a payment was made. Among other high-profile targets, the New Zealand stock exchange and the UK-registered cryptocurrency exchange EXMO were both forced offline, with losses totaling millions of dollars.
A DDoS attack directs high volumes of traffic at a target to overwhelm its online services and render them unusable; it is one of the most common, and at times most destructive, forms of cyberattack. The financial sector received a disproportionate share of DDoS attacks in the second half of 2020 compared with the previous year. These attacks were often extortive in nature: the attacker first runs a short demonstration DDoS attack against components of the business's online infrastructure, then emails the organization demanding payment in cryptocurrency to avert a larger follow-up attack.
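The demonstration burst described above is short and loud, which makes it visible in ordinary flow telemetry before the extortion email arrives. The following detector is an added example written for this article; it is not NETSCOUT code and does not describe the campaign's actual traffic. The flow records are constructed, the victim address is a documentation (TEST-NET) address, and the baseline window and threshold multiplier are assumptions. It learns a median/MAD baseline of bytes per second toward the target from a quiet period, flags contiguous seconds above that baseline, and profiles the burst by protocol and source port so the responder can tell reflected traffic (where the "sources" are abused reflectors, not the attacker) from a direct flood.

```python
"""Rate-based detection of a short volumetric DDoS burst in flow telemetry.

Added example for this article; it is not NETSCOUT code and does not describe
the LBA campaign's traffic. All flow records below are constructed, the target
address is an RFC 5737 documentation address, and the thresholds are assumed.
"""
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch second the flow was observed in
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    nbytes: int
    packets: int


TARGET = "203.0.113.10"  # assumed victim address (TEST-NET-3)

# UDP services whose responses are routinely abused for reflection/amplification.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


def build_sample_flows(seed=1):
    """Constructed telemetry: 70 s of normal HTTPS traffic plus a 10 s reflected
    UDP burst (seconds 50-59), mimicking a short 'demonstration' attack."""
    rng = random.Random(seed)
    flows = []
    for ts in range(70):
        for _ in range(rng.randint(20, 40)):            # legitimate clients
            flows.append(Flow(ts, f"198.51.100.{rng.randint(1, 200)}", TARGET, "tcp",
                              rng.randint(1024, 65535), 443,
                              rng.randint(400, 1500), rng.randint(1, 4)))
        if 50 <= ts < 60:                               # NTP/DNS responses from reflectors
            for _ in range(2000):
                sport = rng.choice((123, 53))
                flows.append(Flow(ts, f"192.0.2.{rng.randint(1, 254)}", TARGET, "udp",
                                  sport, rng.randint(1024, 65535),
                                  468 if sport == 123 else 1200, 1))
    return flows


def bytes_per_second(flows, target):
    """Sum bytes toward `target` for each observed second."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst == target:
            totals[f.ts] += f.nbytes
    return dict(totals)


def detect_bursts(flows, target=TARGET, warmup=30, k=10.0):
    """Flag contiguous seconds whose bytes/s exceed median + k*MAD of the first
    `warmup` seconds (assumed quiet). Returns ([(start, end, peak_bytes)], threshold)."""
    totals = bytes_per_second(flows, target)
    base = [totals.get(t, 0) for t in range(warmup)]
    med = median(base)
    mad = median(abs(v - med) for v in base) or 1.0   # avoid a zero-width baseline
    threshold = med + k * mad
    bursts, cur = [], None
    for ts in sorted(totals):
        if totals[ts] > threshold:
            if cur is None:
                cur = [ts, ts, totals[ts]]
            else:
                cur[1], cur[2] = ts, max(cur[2], totals[ts])
        elif cur is not None:
            bursts.append(tuple(cur))
            cur = None
    if cur is not None:
        bursts.append(tuple(cur))
    return bursts, threshold


def burst_profile(flows, start, end, target=TARGET):
    """Who and what hit the target during [start, end]: distinct sources and the
    (proto, source port) services carrying the most bytes."""
    by_service, sources = Counter(), set()
    for f in flows:
        if f.dst == target and start <= f.ts <= end:
            by_service[(f.proto, f.sport)] += f.nbytes
            sources.add(f.src)
    return {"unique_sources": len(sources), "top_services": by_service.most_common(3)}


def classify_burst(profile):
    """Reflected traffic arrives from a well-known UDP source port. Its sources are
    abused reflectors, so blocking them one by one is the wrong response; the
    spoofed requests have to be filtered upstream or the reflected port rate-limited."""
    proto, sport = profile["top_services"][0][0]
    if proto == "udp" and sport in REFLECTION_PORTS:
        return f"reflection_amplification:{REFLECTION_PORTS[sport]}"
    return "direct_or_unknown"


if __name__ == "__main__":
    sample = build_sample_flows()
    found, thr = detect_bursts(sample)
    for start, end, peak in found:
        prof = burst_profile(sample, start, end)
        print(f"burst {start}-{end}s peak {peak} B/s (threshold {thr:.0f}) "
              f"sources={prof['unique_sources']} {classify_burst(prof)}")
```

Running the script reports one burst spanning seconds 50 to 59, several hundred distinct sources, and a reflection classification. In production the same logic would run over sampled NetFlow/IPFIX or packet-capture counters, and the burst's start time, duration and vector are exactly what an upstream provider or mitigation service will ask for when the extortion email arrives.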
But who is behind these attacks, and what can businesses in the finance industry do to protect themselves? First, for context: as online activity increased across the globe under lockdown restrictions, threat actors took advantage with more coordinated efforts to disrupt the availability and performance of online services by deliberately flooding them with traffic. Globally, a staggering 10,089,687 DDoS attacks took place in 2020, an increase of nearly 1.6 million over 2019.
The DDoS extortion campaign responsible for the New Zealand attack has been given the alias 'Lazarus Bear Armada' (LBA) because the adversary claims affiliation with well-known attack groups such as 'Lazarus Group', 'Fancy Bear' and 'Armada Collective'. The name-dropping is an attempt to appear a credible threat and so pressure targets into paying.
Since the initial attack on the New Zealand stock exchange, the group has targeted financial services, financial-adjacent entities, and a slew of other industries.
The campaign is ongoing, making it one of the most extensive and sustained DDoS extortion campaigns ever observed. Even now, in 2021, it shows no sign of slowing down: the threat actors are returning to previously targeted businesses, citing the victim's failure to pay the original demand as the reason for the renewed attacks.
What makes every DDoS attack dangerous is that it stops legitimate network requests from getting through. This can disrupt vital operations, cost the business money and damage its reputation. It is therefore vital for organizations in the financial sector to have the necessary measures in place.
Organizations on the receiving end of a DDoS extortion attack face a dilemma: whether or not to pay the stipulated demand. Don't pay. The need to restore business quickly is a strong incentive for leaders in the finance industry, but paying has serious repercussions. Paying a sanctioned entity can expose the organization to regulatory penalties for supporting a criminal operation. There is no guarantee the attackers will stop, and every reason to expect the same criminals to return with another attack and a further demand once the first payment succeeds. Refusing to pay avoids both problems.
When it comes to DDoS protection, the most important step for organizations in the financial sector is to implement a strong DDoS mitigation capability, whether on-premises equipment, a managed service or cloud-based mitigation. Mitigation does not stop attackers from launching their attacks; it absorbs or filters the attack traffic so that legitimate requests keep getting through, which is what neutralizes the threat. In the ongoing extortion campaign, targeted organizations with adequate DDoS protection in place have experienced little or no negative impact.
Furthermore, businesses in the finance industry need a solid plan of action in case they are hit by a DDoS attack. That means knowing in advance whom to contact and notify when an attack is under way: security providers (including the upstream ISP or mitigation service that will have to filter the traffic), key stakeholders and local regulators.
While a DDoS attack can have a devastating impact on organizations in the financial sector, those with adequate protection and a plan of action in place can keep the damage to a minimum. Businesses in the heavily targeted finance industry should therefore have a strong, tested DDoS protection plan.