Just when I thought 2020 couldn’t be any stranger, we now have armies of infected “zombie computers” attacking institutions, including the New Zealand Stock Exchange and the National Weather Bureau.
NZX, MetService, Mt Ruapehu skifield, and Westpac have all been affected by recent distributed denial of service (DDoS) attacks. Stuff and RNZ have also come under fire but managed to defend themselves, and TSB reported an incident to authorities after its services spontaneously collapsed on Tuesday.
While it is unclear whether the attacks were committed by the same group, the GCSB’s National Cyber Security Centre (NCSC) sent out a notice in late August saying it was aware of an ongoing campaign of “malicious cyber activity” affecting New Zealand entities.
The cybercriminals, or actors, behind the attacks first send their targets an email warning of an imminent DDoS attack unless a ransom is paid in the cryptocurrency bitcoin.
If ransom demands are not met, a DDoS attack is launched that floods the company’s site with overwhelming volumes of online traffic, causing it to go down repeatedly.
The wave of attacks is being investigated by the government’s cybercrime unit, the GCSB, and Five Eyes partners. The Government’s National Security System has also been activated.
The actors running the campaign are believed to be those who previously claimed to be Russian cyber espionage group Fancy Bear and Armada Collective.
Ransom demands have been sent from email addresses ending in @startmail.com, the NCSC said.
Yaniv Hoffman, vice president of technologies at Nasdaq-listed cybersecurity firm Radware, said that since mid-August he had been tracking a global campaign of extortion requests from actors posing as Fancy Bear, Armada Collective and Lazarus Group.
The ransom fee was initially set at 10 bitcoins, which was equal to US$113,000 (NZ$167,000) at the time of the extortion. Some demands were as high as 20 bitcoins, Hoffman said.
The letter said that if the payment was not made before a set deadline, the attack would continue and the fee would increase by 10 bitcoins for each missed deadline, Hoffman said.
Each letter contained a bitcoin ‘wallet’ address for payment.
The groups followed up on their initial demand, noting that their bitcoin wallets were still empty, and reiterated the severity of the threat, he said.
Hoffman said they also provided examples of recent DDoS outages, followed by the rhetorical question “You don’t want to be like them, do you?”
The actors said they preferred the payment to an attack and allowed the target to reconsider the payment, often extending the deadline by one day, he said.
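The indicators the article attributes to these extortion letters (a sender at startmail.com, a claim to be Fancy Bear, Armada Collective or Lazarus Group, a bitcoin wallet address, a DDoS threat with a payment deadline) are the kind of thing a mail-security team scores when triaging reports. The following is an added example written for this article, not code from the NCSC, Radware or any vendor named here; the weights and threshold are assumptions chosen for illustration, and the three sample messages (including the wallet address, which is a constructed placeholder) are made up.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article; the weights below are an assumption for illustration.
EXTORTION_SENDER_DOMAINS = {"startmail.com"}
CLAIMED_GROUPS = ("fancy bear", "armada collective", "lazarus group")
# Legacy (1.../3...) and bech32 (bc1...) bitcoin address shapes.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
FLAG_THRESHOLD = 5  # assumed cut-off; a lone mention of "DDoS" must not trip it

# Constructed sample messages; the wallet address is a placeholder, not a real one.
SAMPLE_MESSAGES = [
    {
        "from": "threat@startmail.com",
        "subject": "DDoS attack on your network",
        "body": (
            "We are Fancy Bear. Your network will be subjected to a DDoS attack "
            "starting in 7 days unless you pay 10 BTC to "
            "1CNSTRUCTEDSAMPLEADDRESSWALLET. The fee increases by 10 BTC for "
            "every missed deadline. You don't want to be like them, do you?"
        ),
    },
    {
        "from": "accounts@example-supplier.invalid",
        "subject": "Invoice 4471 attached",
        "body": "Hi team, please find this month's invoice attached. Thanks!",
    },
    {
        "from": "ops@example-partner.invalid",
        "subject": "Re: bandwidth capacity",
        "body": "Our DDoS mitigation contract renews next month; can we review the terms?",
    },
]


@dataclass
class Verdict:
    sender: str
    score: int
    reasons: list
    flagged: bool


def score_message(msg):
    """Score one message against the extortion-letter indicators."""
    text = f"{msg['subject']} {msg['body']}".lower()
    score, reasons = 0, []
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    if domain in EXTORTION_SENDER_DOMAINS:
        score += 2
        reasons.append(f"sender domain {domain}")
    for group in CLAIMED_GROUPS:
        if group in text:
            score += 2
            reasons.append(f"claims to be {group}")
            break
    if BTC_ADDRESS.search(msg["body"]):
        score += 3
        reasons.append("bitcoin wallet address in body")
    if "ddos" in text:
        score += 1
        reasons.append("mentions ddos")
    if re.search(r"\b(pay|btc|bitcoin)\b", text):
        score += 1
        reasons.append("demands payment")
    if re.search(r"\b(deadline|unless|within \d+ days?|in \d+ days?)\b", text):
        score += 1
        reasons.append("deadline language")
    return Verdict(msg["from"], score, reasons, score >= FLAG_THRESHOLD)


def triage(messages):
    """Return a Verdict per message, in input order."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_MESSAGES):
        print(verdict)
```

The third sample is there on purpose: a partner discussing a DDoS mitigation contract mentions the keyword but carries none of the other indicators, so it scores 1 and is not flagged, while the extortion letter accumulates every indicator and scores 10.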
The NCSC does not have a position on the payment of ransom demands, but cautions organizations that there is no guarantee that paying a ransom will stop an attack.
Lech Janczewski, Associate Professor in the Department of Information Systems and Operations Management at the University of Auckland, said there were thousands of different types of DDoS attacks and they could be one of the most powerful weapons on the internet.
Once an actor had decided what type of DDoS attack they wanted to carry out, they had to buy an application from the dark web to launch the attack or, alternatively, develop it themselves.
The dark web is a part of the Internet synonymous with online crime that requires specific software or authorization to access.
Janczewski said that once purchased, the application automatically found and potentially infected hundreds of thousands of unprotected personal computers with attack software, to form a network of “zombie computers” called a “botnet.”
“It could be anyone’s computer. Your machine may be infected but you won’t notice it.”
The more computers that have been infected with the attacking software, the more effective the DDoS attack will be, he said.
“At a certain time or signal, all the zombies start sending messages to the attack site, causing it to fall.
“The idea is that the attacking software forces computers to do something that is beyond the capabilities of that machine.”
He said developers of DDoS attacks were looking for high-profile targets with deep pockets. Individuals and small businesses were unlikely targets, he said.
Jonathan Sharrock, CEO of New Zealand online security testing firm Cyber Citadel, said the tools needed for an attack can be purchased from the dark web for $10 to $60.
But accessing the dark web was not a simple exercise and generally required having connections with those who already had access, he said.
Furthermore, the language used on the dark web was very specific and newcomers were easily discovered, he said.
“You or I would be detected immediately.
“You need to know the lingo.”
Sharrock said there was little a victim could do on its own to repel a DDoS attack.
They needed to be protected by their telecommunications provider, as high up the connectivity network as possible, he said.
Telecommunications companies were the first line of defense when an attack was launched and their systems should “eliminate” the flow of high-volume traffic, separating offensive DDoS traffic from legitimate data, he said.
“The telecom provider should stop the tsunami of malicious traffic at the border.”
Recent attacks could suggest that the service agreements between a company and its telecom provider do not provide sufficient bandwidth protection for a volume-based attack, he said.
“If that’s the case, New Zealand telcos will have to rapidly increase their bandwidth capacity on behalf of their customers to sustain what are now the largest online volumetric attacks that we have tracked.”
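Sharrock’s point that the telco must separate volumetric attack traffic from legitimate data upstream, and that the answer depends on the contracted bandwidth, can be illustrated with a small model. The code below is an added example written for this article, not anything from Cyber Citadel or a New Zealand telco: the flow records are constructed (RFC 5737 documentation addresses), and the per-source rate threshold and link capacity are assumptions. Real scrubbing uses far richer signals than a per-source byte rate; the point here is only to show why dropping the bot sources at the border is what makes the remaining traffic fit the link.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records (timestamp_seconds, source_ip, bytes); not real traffic."""
    flows = []
    for tenth in range(10):
        t = tenth / 10
        for host in range(10, 15):  # five legitimate clients, 1,500 B every 100 ms
            flows.append((t, f"198.51.100.{host}", 1500))
        for bot in range(1, 51):  # fifty bots, 60,000 B every 100 ms each
            flows.append((t, f"203.0.113.{bot}", 60_000))
    return flows


def per_source_rate(flows):
    """Peak bytes per one-second bucket for each source address."""
    buckets = defaultdict(int)
    for t, src, nbytes in flows:
        buckets[(src, int(t))] += nbytes
    peak = defaultdict(int)
    for (src, _), total in buckets.items():
        peak[src] = max(peak[src], total)
    return dict(peak)


def classify(rates, per_source_threshold):
    """Split sources into those allowed through and those dropped at the border."""
    allowed = {src for src, rate in rates.items() if rate <= per_source_threshold}
    dropped = set(rates) - allowed
    return allowed, dropped


def fits_capacity(rates, sources, link_capacity_bytes_per_s):
    """True if the chosen sources' combined peak rate fits the contracted link."""
    return sum(rates[src] for src in sources) <= link_capacity_bytes_per_s


if __name__ == "__main__":
    # Assumed values: 100 kB/s per client is abnormal, link is 20 MB/s.
    rates = per_source_rate(build_sample_flows())
    allowed, dropped = classify(rates, 100_000)
    print("before scrubbing fits link:", fits_capacity(rates, rates, 20_000_000))
    print(f"dropped {len(dropped)} sources, allowed {len(allowed)}")
    print("after scrubbing fits link:", fits_capacity(rates, allowed, 20_000_000))
```

With these numbers the unfiltered aggregate is just over 30 MB/s against a 20 MB/s link, so the site falls over regardless of what the victim does downstream; once the fifty bot sources are dropped upstream, the remaining 75 kB/s of legitimate traffic fits comfortably. If the bots alone exceeded the provider’s own capacity, no per-source filter would help, which is the bandwidth-protection gap Sharrock describes.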