By Bill Brenner, Akamai SIRT Senior Tech Writer
In recent weeks, Akamai's Security Intelligence Research Team (SIRT) has investigated several DDoS attack campaigns targeting Akamai customers. The group responsible for these attacks calls itself "Armada Collective." Its tactics are similar to those used by the group DD4BC, where they threaten the victim with emails warning of an impending DDoS against their website unless a ransom is paid in Bitcoins.
In the emails, the group of malicious actors introduced themselves and informed the victim that their servers would be DDoSed unless they paid a specified ransom of Bitcoins.
Armada Collective claims it has the power to unleash a DDoS attack of more than 1 Tbps per second. To date, however, the biggest Armada Collective attack mitigated by akamai has only peaked at 772 Mbps. Akamai SIRT is in the early stages of tracking this group.
The Akamai SIRT initially suspected this was DD4BC resuming attacks under a new name. At this stage of the investigation, we're more inclined to believe Armada Collective is a copycat group.
In the big picture, current attack activity doesn't strike us as monumental. But like DD4BC, we see Armada Collective as a credible source of attacks going forward. Organizations should take the threat seriously.
The nature of Armada Collective's operation and the successes it has obtained has lead Akamai SIRT to expect this and other groups to continue to increase its range of targets to other verticals. Companies susceptible to financial loss from downtime are at greatest risk.
Historically, targets of ransom demands are selected based on their anticipated reluctance to involve law enforcement, leaving them to either pay the ransom or pay for DDoS protection. Some victims offer bounties to encourage others to reveal perpetrators' identities, but this may be unsuccessful in bringing justice to the malicious actors.
When DD4BC became a problem, we warned of copycat operations. Armada Collective is probably just the first example of that. Akamai SIRT has distributed an internal advisory to all of Akamai's managed security customers.
Customers: What you can do
The Akamai Security Operations Center is open 24/7, and our vast cloud-based mitigation platform is ready to respond. However, there are some proactive steps you can take:
- Review your playbook with IT and security staff to ensure you are prepared and know what to do in the event of an attack.
- Ensure all critical staff are available - if staff are on vacation or absent due to sickness, make sure their responsibilities are covered by others.
- Stay in close contact with the Akamai SOC.
- Check the Akamai Community Security page for updates: https://community.akamai.com/community/security-research-and-intelligence