
Lazarus Bear Armada DDoS Extortion Campaign — December 2020

ASERT Threat Summary

by Roland Dobbins, Steinthor Bjarnason

This blog is an update to the one we originally published on September 3, 2020.

Video link - https://www.youtube.com/watch?v=GSj3wrAT5uY



Severity: Warning 

Distribution: TLP: WHITE 

Recipients may share TLP: WHITE information without restriction, subject only to standard copyright rules. 

Contributors: Alexander Cockburn, Carl Neenan, Gareth Tomlinson, Mary Hartzell, Shawn Razavi, Nathan Lux, Jon Belanger 

Changes from previous version:  

  • Discussed new attacker behavior of launching a second round of attacks against previously targeted organizations that did not respond to initial extortion demands.

  • Added memcached reflection/amplification to the list of observed attack vectors.

  • Updated details of extortion demands to include the use of public-facing website contact forms.



Starting in mid-August 2020, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers. Broadband access ISPs, healthcare providers, insurance providers, personal care product manufacturers, regional energy providers, and IT-related vendors have also been targeted. These attacks are characterized by the attacker initiating a demonstration DDoS attack against selected elements of the targeted organization’s online services/application delivery infrastructure, followed by an emailed extortion demand for payment via Bitcoin cryptocurrency. The extortion demands typically state that the attacker has up to 2 Tbps of DDoS attack capacity at the ready, and threatens follow-up attacks if the extortion payments aren’t transmitted to the attacker within a set period of time.

In many cases, when the extortion demands aren’t met, the threatened follow-up attacks do not occur and the attacker moves on to another target.  In some cases the attacker has elected to persist in attacking the targeted organization, including its upstream transit provider(s). 

 ASERT is now seeing the attackers return to earlier targets. These organizations have previously refused to pay the extortion demands—and have successfully mitigated the initial waves of DDoS attack against their online properties. Now, the threat actors are launching follow-on attacks, weeks or months after the initial attack. In these cases, the attacker sends a new extortion demand which cites the previous demand, notes the target-specific Bitcoin wallet included in the previous demand, and also lists a new target-specific Bitcoin wallet. The attacker typically launches a new DDoS attack concurrently with the transmission of the latest extortion demand. In some cases, the renewed extortion demand is transmitted via public-facing contact forms located on the targeted organization’s website rather than via email.

The threat actor responsible for this attack campaign typically claims to be affiliated with well-known, labeled attack groups discussed in industry media; this is done in hopes of bolstering their credibility with the extortion targets. Examples of asserted affiliation include ‘Fancy Bear’, ‘Lazarus Group’, and ‘Armada Collective’ (the latter being the only one of the claimed identities known to be affiliated with DDoS attack campaigns). Many would-be extortionists simply send out emailed extortion demands under the names of these various groups; the threat actor behind this campaign does in fact actually launch DDoS attacks against the targeted organizations, although threatened follow-up attacks often fail to materialize. Given the propensity of the threat actor for impersonating these threat groups, we have assigned the moniker ‘Lazarus Bear Armada’, or ‘LBA’, to this threat actor.

Attack Vectors and Volume

The primary attack vectors observed in this campaign include: 

  • DNS, NTP, ARMS, WS-DD, SSDP, memcached, and CLDAP reflection/amplification
  • UDP/4500 and UDP/500 flooding
  • HTTP/S request-flooding
  • spoofed SYN-flooding
  • GRE & ESP packet-flooding
  • TCP ACK-floods
  • TCP reflection/amplification attacks

The attacker has also utilized layer-7 HTTP/S request-floods against web properties. In some cases, the attacker has generated packet floods of generic UDP/4500 and UDP/500 traffic in an attempt to masquerade attack traffic as VPN-related traffic. The attacker has also made use of other, infrequently used IPv4 protocols to launch packet-flooding attacks, all in hopes of bypassing inadequately scoped network access policies implemented via router access-control lists and/or firewall rules.
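The following added example (not part of the original summary and not NETSCOUT tooling) shows why a per-destination policy scoped to required protocols and ports removes most of the vectors listed above. The policy table, addresses and flow records are constructed; the UDP source ports are the well-known service ports of the named reflectors.

```python
from collections import Counter

# UDP source ports of the reflection/amplification vectors listed above.
REFLECTOR_SRC_PORTS = {53: "DNS", 123: "NTP", 3283: "ARMS", 3702: "WS-DD",
                       1900: "SSDP", 11211: "memcached", 389: "CLDAP"}
PROTO_NAMES = {47: "GRE", 50: "ESP"}

# Hypothetical policy: the (IP protocol, destination port) pairs each public
# address actually needs; a port of None means the protocol has no ports.
POLICY = {
    "192.0.2.10": {(6, 80), (6, 443)},                  # web front end
    "192.0.2.20": {(17, 500), (17, 4500), (50, None)},  # IPsec VPN concentrator
    "192.0.2.53": {(17, 53), (6, 53)},                  # authoritative DNS
}

# Constructed flow records (documentation addresses, not observed traffic).
FLOWS = [
    {"dst": "192.0.2.10", "proto": 17, "sport": 123,   "dport": 443},
    {"dst": "192.0.2.53", "proto": 17, "sport": 11211, "dport": 40000},
    {"dst": "192.0.2.10", "proto": 17, "sport": 40000, "dport": 4500},
    {"dst": "192.0.2.20", "proto": 17, "sport": 40001, "dport": 4500},
    {"dst": "192.0.2.10", "proto": 47, "sport": None,  "dport": None},
    {"dst": "192.0.2.20", "proto": 50, "sport": None,  "dport": None},
    {"dst": "192.0.2.10", "proto": 6,  "sport": 51000, "dport": 443},
]

def classify(flow):
    """Return (verdict, reason) for one flow against the destination's policy."""
    proto, sport, dport = flow["proto"], flow["sport"], flow["dport"]
    allowed = POLICY.get(flow["dst"], set())
    if (proto, dport) in allowed or (proto, None) in allowed:
        return ("permit", "in-policy")
    if proto == 17 and sport in REFLECTOR_SRC_PORTS:
        return ("drop", REFLECTOR_SRC_PORTS[sport] + " reflection/amplification")
    if proto == 17 and dport in (500, 4500):
        return ("drop", "UDP/%d to host with no VPN service" % dport)
    if proto not in (6, 17):
        return ("drop", PROTO_NAMES.get(proto, "IP protocol %d" % proto) + " not required")
    return ("drop", "port not required")

def summarize(flows):
    """Count flows per (verdict, reason) so out-of-policy vectors stand out."""
    return Counter(classify(f) for f in flows)

if __name__ == "__main__":
    for key, n in sorted(summarize(FLOWS).items()):
        print(n, *key)
```

In-policy traffic, such as UDP/4500 toward the real concentrator or HTTP/S request floods toward the web tier, still passes this check and has to be handled by DDoS mitigation; the policy only removes what the service never required.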

Attack volumes observed over the course of this attack campaign have ranged from 50 Gbps – 300 Gbps, and 150 Kpps – 150 Mpps. While the attacker has claimed to have up to 2 Tbps of DDoS attack capacity, no attacks approaching this magnitude have yet occurred. 

LBA Campaign Planning and Reconnaissance

Both the selection of targeted assets as well as the recipients chosen to receive the attacker’s extortion demands are indicative of pre-attack reconnaissance on the part of the threat actor. In multiple instances, critical, yet non-obvious public-facing applications and services were targeted by the attacker. The attacker has also deliberately attacked VPN concentrators, presumably identified via DNS analytics, in order to attempt disruption of the targeted organizations’ mission-critical remote-access capability.

During extended attacks that include targeting of an organization’s upstream transit ISP(s), the attacker has apparently made use of basic network diagnostic techniques, such as running multiple traceroutes, in an attempt to identify routers and/or layer-3 switches within the transit ISP network. These network infrastructure devices are subsequently targeted by the attacker.

While in many cases emailed DDoS extortion demands are never viewed by their intended targets due to poor email address selection on the part of the attacker, it appears that the LBA campaign threat actors have exercised significant due diligence in identifying email mailboxes that are likely to be actively monitored by targeted organizations.

Collateral Impact  

In line with observed norms, the observed collateral impact of these DDoS attacks can be disproportionately high. In some cases, attacks against the upstream transit ISPs supplying internet connectivity to targeted organizations have resulted in significant disruption of bystander traffic traversing the networks of those transit operators.

Mitigating Factors 

As is the case with most DDoS attacks, targeted organizations that have adequately prepared to defend their public-facing internet properties and related infrastructure have experienced little or no significant negative impact related to this DDoS extortion campaign.

While the threat actor in question has demonstrated a degree of acuity and willingness to engage in diligent pre-attack reconnaissance, the DDoS attack vectors and targeting techniques employed in this attack campaign to date are well-known, and can be mitigated via standard DDoS countermeasures/protections.

Due to the relatively high visibility of this attack campaign—largely resulting from the deliberate selection of targets within and adjacent to the heavily regulated financial sector  rather than any attack uniqueness or differentiation from the common run of DDoS extortion attempts—it is assumed that international law enforcement and intelligence community resources are likely to be brought to bear in aid of efforts to identify and apprehend those responsible.

Recommended Actions 

Organizations with business-critical public-facing internet properties should ensure that all relevant network infrastructure, architectural, and operational Best Current Practices (BCPs) have been implemented, including situationally specific network access policies that only permit internet traffic via required IP protocols and ports. Internet access network traffic from internal organizational personnel should be deconflated from internet traffic to/from public-facing internet properties and served via separate upstream internet transit links.  Critical supporting ancillary services such as authoritative DNS should also be designed, deployed, and operated in a manner consistent with all relevant BCPs. DNS resource records for VPN concentrators that contain the string ‘vpn’ should be renamed in order to obfuscate their functionality, and existing VPN concentrators that had ‘vpn’ as part of the relevant resource records should be re-IPed.
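As an added illustration of the DNS recommendation above (not code from the original summary), this sketch audits a zone for resource records that advertise a VPN concentrator and lists the addresses that would need to be re-IPed. The zone contents, host names and addresses are constructed, and the parser assumes one record per line with the owner name and IN class present.

```python
# Constructed zone data (example.com and 192.0.2.0/24 are documentation values).
ZONE = """\
$ORIGIN example.com.
@           3600 IN A     192.0.2.10
www         3600 IN A     192.0.2.10
vpn         300  IN A     192.0.2.20   ; obvious name
remote      300  IN CNAME sslvpn-gw1   ; neutral alias, revealing target
sslvpn-gw1  300  IN A     192.0.2.21
ra7         300  IN A     192.0.2.22   ; already neutral
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lower-case FQDN without the trailing dot."""
    if name == "@":
        return origin
    name = name.lower()
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse(zone_text):
    """Yield (owner, type, rdata) for A/AAAA/CNAME lines.
    Assumes every record line carries its owner name and the IN class."""
    origin = ""
    for raw in zone_text.splitlines():
        f = raw.split(";", 1)[0].split()
        if len(f) >= 2 and f[0].upper() == "$ORIGIN":
            origin = f[1].rstrip(".").lower()
        elif "IN" in f[1:] and len(f) >= f.index("IN", 1) + 3:
            i = f.index("IN", 1)
            rtype, rdata = f[i + 1].upper(), f[i + 2]
            if rtype in ("A", "AAAA"):
                yield fqdn(f[0], origin), rtype, rdata
            elif rtype == "CNAME":
                yield fqdn(f[0], origin), rtype, fqdn(rdata, origin)

def audit(zone_text, needle="vpn"):
    """Return (names to rename, addresses to re-IP).
    The match is on the whole FQDN, so a zone whose own name contains the
    needle would need the origin stripped first."""
    recs = list(parse(zone_text))
    rename = {n for n, t, d in recs if needle in n or (t == "CNAME" and needle in d)}
    # Addresses behind a flagged name or behind the target of a flagged alias.
    hosts = rename | {d for n, t, d in recs if t == "CNAME" and n in rename}
    reip = {d for n, t, d in recs if t in ("A", "AAAA") and n in hosts}
    return sorted(rename), sorted(reip)

if __name__ == "__main__":
    print(audit(ZONE))
```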

DDoS defenses for all public-facing internet properties and supporting infrastructure should be implemented in a situationally appropriate manner, including periodic testing to ensure that any changes to the organization’s servers/services/applications are incorporated into its DDoS defense plan. Organic, on-site intelligent DDoS mitigation capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services in order to ensure maximal responsiveness and flexibility during an attack.

It is imperative that organizations operating mission-critical public-facing internet properties and/or infrastructure ensure that all servers/services/application/datastores/infrastructure elements are protected against DDoS attack and are included in periodic, realistic tests of the organization’s DDoS mitigation plan. In many instances, we have encountered situations in which obvious elements such as public-facing web servers were adequately protected, but authoritative DNS servers, application servers, and other critical service delivery elements were neglected, thus leaving them vulnerable to attack.

Specifics of countermeasure selection, tuning, and deployment will vary based upon the particulars of individual networks/resources; the relevant NETSCOUT Arbor account teams and/or ATAC may be consulted with regards to optimal countermeasure selection and employment.

Organizations should familiarize themselves with the particulars of previous high-profile DDoS extortion campaigns, with a special emphasis on the ‘DD4BC’ series of attacks launched between 2014–2016. There are multiple points of correspondence between the modus operandi of the DD4BC threat actor and that of the threat actor responsible for this DDoS extortion campaign.


Applicable NETSCOUT Arbor Solutions:  Arbor Sightline, Arbor TMS, Arbor AED, Arbor Cloud

Historical DDoS extortion presentation (.pdf)

Mutually Agreed Norms for Routing Security (web)

Availability in the Time of COVID-19 (A VPN Protection Resource)


ASERT Threat Summary: Lazarus Bear Armada (LBA) DDoS Extortion Attack Campaign — December 2020 — v1.4.
