Someone is using the ‘Cozy Bear’ moniker to scare DDoS victims into bitcoin payments

It looks like scammers are impersonating one of Russia’s most notorious hacking groups in order to extort victims out of thousands of dollars worth of bitcoin.

Multiple companies have reported to the security vendor Akamai that they were hit with a distributed denial-of-service attack, which degrades victims’ web services by overwhelming them with fake traffic. After a brief DDoS hit, victims say they receive an extortion note from a group claiming to be Cozy Bear, a state-sponsored Russian hacking group.

The scheme works like this: attackers launch the DDoS attack from a botnet, in which each IP in the botnet sends a fraction of the overall traffic to the target. The victim has a deadline, typically six days, to pay two bitcoin. If they don’t pay by the time the deadline expires, the fee increases by one bitcoin per day, and the DDoS resumes.

Cozy Bear is known for deploying customized malware in quiet, sustained attacks meant to gather intelligence on behalf of the Kremlin. The group is best known for its role in the hack of the Democratic National Committee prior to the 2016 U.S. presidential election. Cozy Bear has also targeted U.S. think tanks, defense contractors and ministries of foreign affairs in at least three European countries, according to findings made public in October by the antivirus firm ESET.

“What they’re not known for, though, are extortion campaigns,” Akamai said in its latest alert. “As such, Akamai believes the letter is from a copycat group leveraging the Cozy Bear name as a means to invoke fear and panic. Their extortion letter actually suggests victims perform a Google search on their name, which immediately returns results related to the infamous group.”

Akamai did not speculate on the identities of the scammers behind the copycat effort.

This crime spree comes after a U.S. judge sentenced a 21-year-old man to 13 months in prison for running services that made it possible for attackers to launch millions of their own DDoS attacks with little fear of being apprehended. Sergiy Usatyuk, of Illinois, was also ordered to forfeit $542,925 earned as part of his DDoS-for-hire scheme, which hit a Pittsburgh school district, the county government and a Catholic diocese in the area, according to the Department of Justice.