Hackers threaten to take down websites of Hong Kong banks unless they pay bitcoin ransoms
City's financial institutions are falling prey to cybercriminals who threaten to disable servers unless they pay up in bitcoins, experts say
Hackers have targeted banking institutions in Hong Kong with server-disabling attacks, threatening to take down their services unless they receive ransom payments, experts said on Thursday.
According to web security and performance firm Akamai, a group of cybercriminals known as DD4BC have been targeting websites in Asia and around the world with more than 100 distributed denial-of-service (DDoS) attacks since at least September 2014.
The attackers then demanded payment in the untraceable cryptocurrency bitcoin to stop the DDoS attacks, which can take down servers and cost businesses thousands of dollars per hour to fight against.
"DD4BC has been using the threat of DDoS attacks to secure bitcoin payments from its victims for protection against future attacks," said Akamai senior vice president Stuart Scholly.
"The latest attacks – focused primarily on the financial service industry – involved new strategies and tactics intended to harass, extort and ultimately embarass the victim publicly."
A spokeswoman for the Hong Kong Monetary Authority, the city's defacto central bank, would not comment on specific cases or attack methods.
However, she said that banks are required "to implement adequate controls to promptly detect and respond to the threats posed by [DDoS] or other cyber attacks that could directly or indirectly cause disruptions to e-banking systems".
The Hong Kong Computer Emergency Response Team, an industry advisory group, said that it had received at least one report of attempted blackmail by DD4BC hackers from a stock trading company.
HKCERT had referred the matter to police. As yet, the firm had not paid the ransom demanded or been struck with a further DDoS attack.
"This is a growing concern," said a spokesman. "It can occur to any enterprise, not just banks."
"DDoS attacks can deny online service providers access to their clients" and potentially cost them business, he said.
According to cybersecurity firm Incapsula, unmitigated DDoS attacks can cost upwards of US$40,000 per hour in lost business and server damage.
Attacks are launched from botnets, large groups of compromised or hacked machines managed from a central server to carry out a hacker's commands. Such networks have proliferated in recent years, particularly in mainland China and Vietnam, according to security firm FireEye.
Akamai researchers tracked the DD4BC for a year, recording how it initially targeted businesses and financial institutions with low-scale DDoS attacks.
"From June through July 2015, the attacks increased from low-level to more than 20 [gigabytes per second] in some cases," the firm said in a statement.
"The group would then demand a bitcoin ransom to protect the company from a larger DDoS attack designed to make its website inaccessible."
DD4BC hackers also threatened to expose targeted organisations on social media, creating additional reputational damage and embarrassment unless victims paid up.
The number of DDoS attacks has more than doubled in the last year, according to the latest State of the Internet - Security report.
"Malicious actors are continually changing the game by switching tactics, seeking out new vulnerabilities and even bringing back old techniques that were considered outdated," said John Summers, vice president of Akamai's cloud security business unit.
Such attacks can be difficult to protect against, but businesses can mitigate DDoS incidents by installing detection methods to identify them and spread the load. However, defending against determined actors can be incredibly difficult.
"Criminal ingenuity knows no bounds," said Paul Jackson, managing director of security firm Stroz Friedberg and former chief of the Hong Kong police's cybercrime and forensics unit.
"The underground economy is equally ingenious [at] compromising new technologies or using them for fraud."