Akamai Security Intelligence & Threat Research

Fake Cozy Bear Group Making DDoS Extortion Demands

A group calling themselves "Cozy Bear" has been emailing various companies with an extortion letter, demanding payment and threatening targeted DDoS attacks if their demands are not met.

Cozy Bear, also known as APT29, is known for its customized malware and its attacks on commercial entities and government organizations across the globe. What the group is not known for, though, is extortion campaigns. Akamai therefore believes the letter comes from a copycat group using the Cozy Bear name to invoke fear and panic. The extortion letter even suggests that victims perform a Google search on the name, which immediately returns results about the infamous group.

So far, multiple companies have reported receiving an email demanding 2 BTC, roughly $17,500 in Bitcoin at the time this advisory was written. If payment is not made before the deadline expires (usually 6 days), the price increases by 1 BTC for each day the demand goes unmet, and the targeted DDoS attack begins.

To prove their claims, the attackers launch what they call a "small attack" lasting about 30 minutes. Shortly after a customer received one of these extortion emails, Akamai observed an attack peaking at 30 Gbps, originating from a globally distributed botnet in which each IP sent only a fraction of the overall traffic. The attackers were abusing DNS, Apple Remote Management Service (ARMS), CLDAP, TFTP, PortMap, and WS-Discovery (WSD), all of them UDP-based reflection vectors.
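As an added example (not Akamai's code), the following script shows how a defender could spot the pattern described above in flow records: it keys on the UDP source ports of the six listed reflector services and reports a vector only when several distinct reflectors hit the same destination within the window. The flow format, the addresses, and the 60-second window are assumptions constructed for the example.

```python
from collections import defaultdict

# UDP services the advisory lists as abused reflectors, keyed by the source
# port a reflected response arrives from (IANA-assigned ports).
REFLECTOR_PORTS = {53: "DNS", 69: "TFTP", 111: "PortMap", 389: "CLDAP",
                   3283: "ARMS", 3702: "WS-Discovery"}

# Constructed sample flows (RFC 5737 documentation addresses), not real data:
# src_ip,src_port,dst_ip,dst_port,proto,bytes
SAMPLE_FLOWS = """\
192.0.2.11,53,203.0.113.10,41122,UDP,3200
192.0.2.12,53,203.0.113.10,41122,UDP,3100
192.0.2.13,53,203.0.113.10,41122,UDP,3300
198.51.100.5,3702,203.0.113.10,55001,UDP,2900
198.51.100.6,3702,203.0.113.10,55001,UDP,2800
198.51.100.7,3702,203.0.113.10,55001,UDP,3000
192.0.2.40,389,203.0.113.10,55002,UDP,3000
192.0.2.50,443,203.0.113.10,55003,TCP,1500
"""

def parse_flows(text):
    """Parse comma-separated flow records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows

def reflection_summary(flows, window_seconds=60, min_sources=3):
    """Group UDP flows by (victim, reflector service) and size each vector.

    A service is reported only when at least `min_sources` distinct reflector
    IPs hit the same victim: one reflector answering is ordinary traffic, many
    answering at once is the distributed pattern described above."""
    acc = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        service = REFLECTOR_PORTS.get(f["sport"])
        if f["proto"] != "UDP" or service is None:
            continue
        acc[(f["dst"], service)]["sources"].add(f["src"])
        acc[(f["dst"], service)]["bytes"] += f["bytes"]
    return {k: {"sources": len(v["sources"]), "bytes": v["bytes"],
                "mbps": v["bytes"] * 8 / window_seconds / 1e6}
            for k, v in acc.items() if len(v["sources"]) >= min_sources}

if __name__ == "__main__":
    for (victim, service), stats in reflection_summary(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim} <- {service}: {stats['sources']} reflectors, {stats['mbps']:.3f} Mbps")
```

On the sample data the single CLDAP reflector and the TCP flow are ignored, while the DNS and WS-Discovery groups are reported with their per-window bitrate.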

Recently, Akamai researchers Jonathan Respeto and Chad Seaman published research on WSD, a new DDoS vector being observed in the wild. Its inclusion in the extortion-related DDoS adds further evidence that criminals have no qualms about using poorly implemented IoT services as an attack vector.

This isn't the first time that DDoS extortion demands have circulated across the Internet. In 2015, Akamai published research concerning a group calling itself DD4BC (DDoS 4 Bitcoin), which was responsible for a number of DDoS attacks against Akamai customers. The situation got to the point where the FBI issued a public advisory of their own, warning businesses about these threats.

Conclusion

If you've received one of these extortion letters, there is no guarantee that paying the ransom will stop the attack. In fact, it is more likely that doing so will encourage the attackers to seek you out again, since you've paid once before.

If you're an Akamai customer, and you've received one of these demand letters, you should notify your Akamai account team and review your site's security posture, as well as Akamai Kona and Siteshield configurations, to ensure you're protected. If you're not an Akamai customer you may want to notify your upstream internet provider of the threat, as your ISP may be able to prepare for any attack traffic that is sent.

Below, Akamai presents one of the extortion letters, unedited aside from two redactions that remove the victim's name.

At the time this advisory was written, the Bitcoin wallet had received no transactions. It is believed that the attackers responsible for these extortion letters are using unique wallets for each targeted victim.

"We are the Cozy Bear and we have chosen [REDACTED] as target for our next DDoS attack. Please perform a google search for "Cozy Bear" to have a look at some of our previous work.

Your network will be subject to a DDoS attack starting at Wednesday next week (in 6 days). (This is not a hoax, and to prove it right now we will start a small attack on [REDACTED] that will last for 30 minutes. It will not be heavy attack, and will not cause you any damage so don't worry, at this moment.)

This means that your website and other connected services will be unavailable for everyone.

We will refrain from attacking your servers for a small fee. The current fee is 2 Bitcoin (BTC). The fee will increase by 1 Bitcoin for each day after deadline that passed without payment.

Please send Bitcoin to the following Bitcoin address:

 [REDACTED]

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment before the deadline or the attack WILL start!

If you decide not to pay, we will start the attack on the indicated date and uphold it until you do, there's no counter measure to this, you will only end up wasting more money trying to find a solution (Cloudflare, Sucuri, Imperva and similar services are useless, because we will hit your network directly). We will completely destroy your reputation and make sure your services will remain offline until you pay.

Do not reply to this email, don't try to reason or negotiate, we will not read any replies. Once you have paid we won't start the attack and you will never hear from us again.

Please note that Bitcoin is anonymous and no one will find out that you have complied."