Voipfone DDoS Attacks Raise Specter of Protection RacketSevere 'Extortion-Based' Attack From Foreign Entities, Firm Tweets
Telecom company Voipfone has come under a severe "extortion-based" distributed denial-of-service attack from foreign entities, according to a tweet by the U.K.-based company.
We apologize for the disruption to our services, we are defending an extortion-based DDoS attack from overseas criminals.— Voipfone (@Voipfone) October 25, 2021
We continue taking measures to overcome these attacks but for obvious reasons we are limited in the information we can make public.
This is the second DDoS attack on the company in the past two months (see: 2 UK Telecom Firms Under DDoS Attacks). The attacks have been described as potentially part of a protection racket from ransomware actors or other threat groups, according to ISP rating company ISPreview, which cites unnamed industry sources.
The first instance of the latest attack wave was observed on Oct. 22. The company's update on the incident, issued the same day, stated that "all systems are operational." It appears that the attackers resumed their campaign on Monday, after taking a weekend break.
In the latest update issued on Wednesday, the company says: "A level of service has been restored, but there may still be a risk of further disruption. We will continue to update as the incident progresses."
New Protection Racket
Ransomware attackers leveraging DDoS attacks is not new. In fact, cybersecurity companies such as Cloudflare have a term for it - Ransom DDoS attack, or RDDoS.
In an RDDoS attack, a threat actor attempts to extort money from their victim by threatening them with a targeted DDoS attack. The threat actor may carry out a DDoS attack and then follow up with a ransom note demanding payment to stop the attack, or they may send the ransom note threatening a DDoS attack first, the company says.
Cloudflare adds: "In some cases, an attacker may carry out a small demonstration attack to illustrate their seriousness before sending a ransom note. If the threat is genuine and the attacker decides to follow through with it, the attack is then carried out."
This scenario seems to fit in Voipfone's case. Could last month and Friday's DDoS attacks have been a warning for the latest disruption? We're yet to find out.
Another example of this form of protection racket is the Lazarus group's attack on a major Fortune 500 company. The group carried out a DDoS attack and demanded 20 bitcoins. It also threatened a larger wave of DDoS attacks and a subsequent larger ransom of 30 bitcoins if the company did not heed their initial demands.
The Avaddon group has also used this tactic to bring its victims back to the negotiation table, according to Heimdal Security, which says that Avaddon hit French insurance company AXA and gave it 10 days to make the payments or be hit with DDoS attacks.
Response to Attack
Eli Katz, chair of Comms Council UK - a membership-led organization that represents companies who provide or resell VoIP to business and residential customers - tells ISMG that several Comms Council UK members and international IP-based communications service providers have been subjected to DDoS attacks over the past four weeks. The attacks appear to be part of a coordinated extortion-focused international campaign by professional cybercriminals, he says.
"The council is liaising closely with the U.K. government, National Cyber Security Center, the Office of Communications and other international agencies to share information and details about the nature of the attacks in the expectation of halting this criminal activity at the earliest," Katz says.
"As our members supply telecoms services to critical infrastructure organizations including the Police, NHS and other public services, attacks on our members are attacks on the foundations of U.K. infrastructure. We are confident that, with a joined-up government-led initiative, this damaging criminal activity can be halted."
He did not elaborate on the collaboration.
Voipfone did not respond to ISMG's request for comment on the nature of the attack, threat actors involved, extent of damages and suggested mitigations.
Voipfone users have vented their frustration on social media, with one tweeting: "Seriously guys what is going on, my phone has been down for days again now. This is absurd." Another tweeted: "We still have services down, is this to be expected as your update reads as though services have been restored and should be working, with a risk of them going down again..? But some of ours haven't yet come back up...? Thx".
Voipfone responded with a tweet assuring customers that it "phone services should be up and running but if you are having any trouble at all then please contact firstname.lastname@example.org."
During the first instance of DDoS attacks in September, another Voice over InternetProtocol service provider, Voip Unlimited, was also targeted. At the time, the company had said that the attacks disrupted services such as calls, registrations and customer portal access and resulted in higher-than-usual latency.
Mark Pillow, managing director of the company, which is based on the southern coast of England, attributed the attack to Russian threat actor REvil, citing communication from Comms Council UK, according to news platform The Register.
As a remediation measure based on lessons learned from the attack, Pillow says Voip Unlimited now uses a security service from StackPath that aims to block access on certain trigger actions and displays the following page: