(U//FOUO) US-CERT Armada Collective DDoS Amplification and Mitigation Recommendations

The following document was obtained from the website of the Organization of American States.

The Armada Collective DDoS Amplification and Mitigation Recommendations

Page Count: 8 pages
Date: December 7, 2015
Restriction: TLP: AMBER, For Official Use Only
Originating Organization: U.S. Computer Emergency Readiness Team, Cyber Threat Information Sharing Branch
File Type: pdf
File Size: 176,273 bytes
File Hash (SHA-256): FB622BF94ECF2CD1864088DB4617B4824ED5D9628543A9D50D41A66B734A3D13


-The Armada Collective is a Distributed Denial of Service (DDoS) extortion group that is currently unattributed.

-This group of malicious actors utilizes tactics similar to those used by the group DD4BC (DDoS for Bitcoin).

-Actors email potential targets and threaten a DDoS attack unless a ransom is paid.

-Initially suspected to be DD4BC resuming attacks under a new name, but it now appears more likely that this is a copycat group.

-This group claims to have the ability to unleash a DDoS attack of more than 1 Tbps. (Note: the biggest Armada Collective attack mitigated to date has only peaked at 772 Mbps.)

-To date, the Armada Collective is known to have targeted:
  -Australian organizations
  -Other international organizations
  -Japanese, Swiss and Thai financial institutions

Armada Collective Tactics, Techniques and Procedures (TTPs) include:
-Conduct limited DDoS attacks against organizations
-Send ransom emails following the initial attack(s)
-Threaten that another, longer DDoS attack will occur if an extortion payment is not made by the victim
-Initial extortion emails have varying senders and subjects, including:
  -"A little taste"
  -"Ransom request: DDoS Attack"
  -"Last Warning"
-Maximum observed traffic throughput reported to be approximately 50 Gbps
-Traffic predominantly originated from source port 1900/UDP (SSDP) and NTP
-DDoS attacks have used UDP reflection and amplification
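The reflection/amplification pattern described in the TTPs above (replies arriving from the SSDP and NTP service ports of many hosts, converging on one victim) is what a flow-based detector looks for. The following is an added example, not code from the US-CERT advisory: it runs a simple heuristic over constructed NetFlow-style records; the field layout, the thresholds and the sample addresses are assumptions.

```python
"""Flag UDP reflection/amplification floods in flow records.

Added example (not from the US-CERT document). Heuristic: many distinct
sources whose *source* port is an amplification service (SSDP 1900/UDP,
NTP 123/UDP) send a high aggregate rate to a single destination.
"""
from collections import defaultdict

# Reflector service ports seen in the advisory's traffic (NTP port is a known fact).
REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP"}

# Constructed sample flows for a 10-second window (assumed layout):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("203.0.113.10", 1900, "198.51.100.5", 43211, "udp", 25_000_000),
    ("203.0.113.11", 1900, "198.51.100.5", 43211, "udp", 24_000_000),
    ("203.0.113.12", 123,  "198.51.100.5", 52000, "udp", 48_000_000),
    ("203.0.113.20", 123,  "198.51.100.5", 52000, "udp", 46_000_000),
    ("192.0.2.7",    53,   "198.51.100.9", 41000, "udp", 800),   # ordinary DNS reply
    ("192.0.2.8",    1900, "198.51.100.9", 50000, "udp", 600),   # one benign SSDP reply
]


def detect_amplification(flows, window_s=10, min_reflectors=2, min_mbps=10.0):
    """Return {victim_ip: finding} for hosts receiving reflected UDP floods."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "services": set()})
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes in flows:
        # Only UDP traffic whose source port is a known reflector service counts.
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        v = per_victim[dst_ip]
        v["reflectors"].add(src_ip)
        v["bytes"] += nbytes
        v["services"].add(REFLECTOR_PORTS[src_port])

    findings = {}
    for victim, v in per_victim.items():
        mbps = v["bytes"] * 8 / window_s / 1e6  # aggregate rate over the window
        # A single reflector or a low rate is normal service traffic, not a flood.
        if len(v["reflectors"]) >= min_reflectors and mbps >= min_mbps:
            findings[victim] = {"mbps": round(mbps, 2),
                                "reflectors": len(v["reflectors"]),
                                "services": sorted(v["services"])}
    return findings


if __name__ == "__main__":
    for victim, info in detect_amplification(FLOWS).items():
        print(f"{victim}: {info['mbps']} Mbps from {info['reflectors']} "
              f"reflectors via {', '.join(info['services'])}")
```

In production the same logic runs over exported flows per time bucket; the rate threshold should be tuned to the protected link, and the source-port list can be extended to other reflector services an organization has seen.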
