-The Armada Collective is a Distributed Denial of Service (DDoS) extortion group that is currently unattributed
-This group of malicious actors uses tactics similar to those used by the group DD4BC (DDoS for Bitcoin)
-Actors email potential targets and threaten a DDoS attack unless a ransom is paid
-Initially suspected to be DD4BC resuming attacks under a new name; it now appears more likely that this is a copycat group
-This group claims the ability to launch a DDoS attack of more than 1 Tbps (Note: the largest Armada Collective attack mitigated to date peaked at only 772 Mbps)
-To date, the Armada Collective is known to have targeted:
-Australian Organizations
-Other International Organizations
-Japanese, Swiss and Thai financial institutions
-ProtonMail
-Hushmail
-Runbox
Armada Collective Tactics, Techniques and Procedures (TTPs) include:
-Conduct limited DDoS attacks against organizations
-Send ransom emails following the initial attack(s)
-Threaten that another, longer DDoS attack will occur if the extortion payment is not made by the victim
-Initial extortion emails use varying senders and subject lines, including:
-"A little taste"
-"Ransom request: DDoS Attack"
-"Last Warning"
-Maximum observed traffic throughput reported to be approximately 50 Gbps (reported peak figures vary between sources; compare the 772 Mbps mitigated peak noted above)
-Traffic predominantly originated from source ports 1900/UDP (SSDP) and 123/UDP (NTP)
-DDoS attacks have used UDP reflection and amplification
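The reflection/amplification pattern in the TTPs above (many reflectors answering from a fixed well-known UDP source port, 1900/UDP for SSDP and 123/UDP for NTP, toward one victim) can be spotted in flow data. The following is an added detection example written for this page, not code from the original briefing or from any mitigation vendor. The CSV flow-record layout, the thresholds, and the sample flows are all assumptions constructed for illustration (addresses are from RFC 5737 documentation ranges); tune the thresholds to the monitored network's baseline.

```python
"""Flag UDP reflection/amplification traffic (SSDP 1900/UDP, NTP 123/UDP)
in NetFlow-style records. Added example; the record format and sample
data are constructed, not captured traffic."""
from collections import defaultdict
import csv
import io

# Source ports abused by the reflector classes named in the briefing.
REFLECTION_PORTS = {1900: "SSDP", 123: "NTP"}

# Assumed thresholds: reflected floods come from many distinct reflectors
# and carry far more bytes than legitimate SSDP/NTP responses would.
MIN_REFLECTORS = 3   # distinct reflector IPs answering toward one victim
MIN_BYTES = 4000     # bytes from one service toward that victim in the window

# Constructed sample flows (assumed CSV export from a flow collector).
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
1700000000,198.51.100.10,1900,203.0.113.5,41234,udp,1400
1700000000,198.51.100.11,1900,203.0.113.5,48821,udp,1400
1700000001,198.51.100.12,1900,203.0.113.5,53007,udp,1400
1700000001,198.51.100.13,123,203.0.113.5,60123,udp,482
1700000001,198.51.100.14,123,203.0.113.5,60124,udp,482
1700000002,192.0.2.7,1900,203.0.113.5,49152,udp,1400
1700000002,192.0.2.8,443,203.0.113.9,51000,tcp,1400
1700000003,192.0.2.9,123,203.0.113.9,123,udp,76
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": int(row["ts"]),
            "src_ip": row["src_ip"],
            "src_port": int(row["src_port"]),
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "proto": row["proto"].lower(),
            "bytes": int(row["bytes"]),
        })
    return flows


def detect_reflection(flows, min_reflectors=MIN_REFLECTORS, min_bytes=MIN_BYTES):
    """Group UDP flows from abused source ports by (victim, service) and
    return an alert for every bucket that crosses both thresholds."""
    buckets = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "flows": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTION_PORTS:
            continue
        # Heuristic noise filter: spoofed requests carry the victim's arbitrary
        # port, so reflected replies rarely land on the service port itself.
        # Server-to-server NTP (123 <-> 123) is skipped by this rule.
        if f["dst_port"] == f["src_port"]:
            continue
        b = buckets[(f["dst_ip"], f["src_port"])]
        b["reflectors"].add(f["src_ip"])
        b["bytes"] += f["bytes"]
        b["flows"] += 1

    alerts = []
    for (victim, port), b in sorted(buckets.items()):
        if len(b["reflectors"]) >= min_reflectors and b["bytes"] >= min_bytes:
            alerts.append({
                "victim": victim,
                "service": REFLECTION_PORTS[port],
                "src_port": port,
                "reflectors": len(b["reflectors"]),
                "bytes": b["bytes"],
                "flows": b["flows"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print("{service} reflection toward {victim}: {reflectors} reflectors, "
              "{bytes} bytes over {flows} flows".format(**alert))
```

On the constructed sample the SSDP bucket for 203.0.113.5 (four reflectors, 5600 bytes) triggers while the two-reflector NTP bucket stays below the reflector threshold; the 123-to-123 flow and the TCP flow are ignored. In production the same grouping should be run per time window so that the byte count becomes a rate, which is what the 50 Gbps figure above actually describes.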