DDoS Extortion Takes VoIP Providers Offline

Attacks focused on service providers cost millions in 2H 2021.

NETSCOUT

Threat actors are continually innovating and rethinking their attack patterns, as well as whom they target. This is clearly seen in their attacks against Voice over Internet Protocol (VoIP) providers, as highlighted in NETSCOUT’s 2H 2021 Threat Report. Why target VoIP providers? The short answer is financial gain. Attackers know that bringing down VoIP providers that serve a large number of customers causes a lot of pain, which makes those providers ripe for extortion.

Cyberattackers launched three worldwide distributed denial-of-service (DDoS) extortion attack campaigns in 2021—a startling new achievement carried out by a REvil copycat, Lazarus Bear Armada (LBA), and Fancy Lazarus. But threat actors did more than simply increase such global attacks.

They also focused attention on targets they’ve seemingly ignored in the past, as evidenced by attacks against VoIP providers. In one case, a DDoS extortion attack carried out by the REvil copycat ultimately resulted in an estimated revenue loss of several million dollars for the VoIP provider.

Initially, retail and wholesale VoIP providers based in the U.K. were the targets of the campaign. This was followed by attacks launched against VoIP operators in Western Europe and North America. The massive impact of the attack was revealed when a single VoIP wholesaler filed a form with the U.S. Securities and Exchange Commission (SEC) estimating the total cost of the DDoS attack at between $9 and $12 million.

But attackers didn’t stop there. Several VoIP providers from around the globe were taken offline as a result of DDoS extortion campaigns. To gain more insight into these attacks, it’s helpful to know that VoIP providers and their infrastructure fall under two primary verticals as defined by North American Industry Classification System codes: all other telecommunications, and data processing hosting and related services (cloud computing).

VoIP providers that fall under the “all other telecommunications” code experienced a 93 percent increase in attacks from 1H 2021. Meanwhile, there was a marked increase in attacks against VoIP providers that fall under the “data processing hosting and related services” code—especially those located in EMEA. Indeed, VoIP providers in the “data processing hosting and related services” category were the top target in EMEA for 2H 2021.

In several cases, including those listed below, VoIP providers publicly acknowledged the attacks.

  • The CEO of bandwidth.com issued a statement in September 2021 in which he acknowledged that the company had been targeted with rolling DDoS attacks. “While we have mitigated much intended harm,” he wrote, “we know some of you have been significantly impacted by this event.”
  • Bleeping Computer reported in September 2021 that VoIP provider VoIP.ms had been hit by a DDoS attack that targeted its DNS name servers. The attack disrupted telephony services, causing loss of service, dropped calls, poor performance, and the inability to forward lines. A threat actor claiming to be REvil took responsibility and reportedly said the attack could be stopped for one bitcoin, or the equivalent of $45,000.
  • ZDNet reported that U.K.-based Voip Unlimited also was hit with a DDoS attack in September by a group claiming to be REvil. Voip Unlimited’s CEO said the company had been hit with an alarmingly large and sophisticated DDoS attack attached to a “colossal ransom demand,” resulting in the intermittent or total loss of services.

Access the full interactive 2H 2021 Threat Report to learn more about how attackers are changing strategies to bring down VoIP providers.