Skip to content

Fancy Bear Imposters Are on a Hacking Extortion Spree

Ransomware attacks that tear through corporate networks can bring massive organizations to their knees. But even as these hacks reach new popularity highs—and new ethical lows—among attackers, it’s not the only technique criminals are using to shake down corporate victims. A new wave of attacks relies instead on digital extortion—with a side of impersonation.

On Wednesday, the web security firm Radware published extortion notes that had been sent to a variety of companies around the world. In each of them, the senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The communications threaten that if the target doesn’t send a set number of bitcoin—typically equivalent to tens or even hundreds of thousands of dollars—the group will launch powerful distributed denial of service attacks against the victim, walloping the organization with a fire hose of junk traffic strategically directed to knock it offline.

This type of digital extortion—give us what we’re asking for and we won’t attack you—has resurfaced repeatedly throughout the last decade. But in recent months, criminals have attempted to capitalize on fear about high-profile nation state attacks, combined with anxieties related to rising ransomware attacks, to try to make some extra money.

“Like a good salesperson, they follow up on the first message to convince the victim to pay before actually going to the trouble of executing an attack,” says Pascal Geenens, director of threat intelligence at Radware. “Of course, these criminals would prefer the easy money and not having to go through the process of running an attack. However, if the threat actors want to keep their campaign credible, not attacking is not an option.”

Though the attacks don’t seem to target certain regions in particular, Radware did find that hackers tended to pose as Lazarus Group when attempting to extort money from financial organizations and as Fancy Bear when threatening technology and manufacturing victims.

In another recent example, researchers from the security firm Intel471 reported on Tuesday that hackers pretending to be Lazarus Group sent an extortion letter to the currency exchange company Travelex in late August. Attackers demanded 20 bitcoin (more than $200,000 at the time) and said that the ransom would increase by 10 bitcoin for every day that elapsed after the initial deadline. Travelex had previously suffered a damaging ransomware attack on New Year’s Eve and reportedly paid hackers $2.3 million to decrypt the data.

“It’s a small price for what will happen when your whole network goes down,” the extortion DDoSers wrote in their email to Travelex. “Is it worth it? You decide!”

Travelex didn’t pay the ransom this time, and instead weathered a DDoS attack the hackers launched as a sort of warning shot and then a second barrage. “Whoever’s behind this probably thought that Travelex must be a soft target based on what happened at the beginning of the year,” says Greg Otto, a researcher at Intel471. “But why would you hit a company that has probably gone through the effort to shore up their security? I understand the logic, but also I just think there are holes in that logic.” Travelex did not return a request from WIRED for comment about the August extortion attempt.

Extortion DDoS attacks have never been especially profitable for scammers, because they don’t have the visceral urgency of something like ransomware, when the target is already hobbled and may be desperate to restore access. And though this has always been a weakness of the strategy, the threats are potentially even less potent now that robust DDoS defense services have become widespread and relatively inexpensive.