GOLD FLANDERS
Objectives
SUMMARY
GOLD FLANDERS is a financially motivated group responsible for distributed denial of service (DDoS) attacks linked to extortion emails demanding between 5 and 30 bitcoins. The attacks consist mostly of fragmented UDP packets (DNS and NTP reflection), along with other traffic that can vary per victim. The arrival of the extortion email is timed to coincide with a DDoS attack of between 20 Gbps and 200 Gbps and 12-15 million packets per second, lasting between 20 and 70 minutes and targeted at a particular Autonomous System Number (ASN) or group of IP addresses. In some cases, victim organisations have replied to these extortion emails and received personal replies from GOLD FLANDERS operators within 20 minutes.
The extortion emails claim to be from high-profile APT threat groups such as "Fancy Bear", "Cozy Bear" and "Lazarus". However, CTU researchers assess that these names are being used to apply extra gravitas to the threats and GOLD FLANDERS is in no way associated with the actual APT threat groups it claims to represent. There is also no indication of any network compromise linked to this DDoS activity.
In only a fraction of cases has the threatened follow-up DDoS attack actually been reported. Organisations that use the six-day grace period allowed by GOLD FLANDERS to implement network DDoS filtering controls have reported no alerts of further attacks.
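As an added example (not part of this profile or of any Secureworks tooling), the following Python sketches the kind of flow-based check a filtering control could apply during the grace period: it rates UDP traffic from the DNS and NTP reflection ports per destination, counts trailing fragments (which carry no UDP header, so they must be matched separately), and flags destinations that exceed alerting thresholds. The flow-record layout, the thresholds, the assumption that the collector exports non-first fragments with source port 0, and all addresses and volumes are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

UDP = 17
# UDP source ports of the reflection services named in the profile (DNS, NTP).
REFLECTION_PORTS = {53: "DNS", 123: "NTP"}

@dataclass
class Flow:
    """One NetFlow-style record; field layout is constructed for this example."""
    src_ip: str
    src_port: int     # assumed 0 for non-first fragments, which carry no UDP header
    dst_ip: str
    proto: int
    fragmented: bool  # fragment offset > 0 or more-fragments flag set
    packets: int
    nbytes: int

def summarize(flows, window_s):
    """Per destination IP: rate and fragmentation ratio of suspected reflection
    traffic (UDP from a reflection port, or UDP non-first fragments)."""
    acc = defaultdict(lambda: {"bytes": 0, "packets": 0, "frag": 0, "svc": set()})
    for f in flows:
        if f.proto != UDP:
            continue
        svc = REFLECTION_PORTS.get(f.src_port)
        if svc is None and not (f.fragmented and f.src_port == 0):
            continue  # ordinary UDP: neither a reflection source nor a trailing fragment
        a = acc[f.dst_ip]
        a["bytes"] += f.nbytes
        a["packets"] += f.packets
        a["frag"] += f.packets if f.fragmented else 0
        if svc:
            a["svc"].add(svc)
    return {dst: {"gbps": a["bytes"] * 8 / window_s / 1e9,
                  "mpps": a["packets"] / window_s / 1e6,
                  "frag_ratio": a["frag"] / a["packets"],
                  "services": sorted(a["svc"])}
            for dst, a in acc.items()}

def detect(flows, window_s=60, min_gbps=1.0, min_mpps=0.5, min_frag_ratio=0.5):
    """Destinations whose reflection traffic exceeds the assumed alerting thresholds."""
    return {dst: s for dst, s in summarize(flows, window_s).items()
            if s["gbps"] >= min_gbps and s["mpps"] >= min_mpps
            and s["frag_ratio"] >= min_frag_ratio}

# Constructed sample: one 60-second window, one victim plus one benign resolver client.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 53, "198.51.100.10", UDP, True, 30_000_000, 45_000_000_000),
    Flow("203.0.113.9", 123, "198.51.100.10", UDP, False, 6_000_000, 3_000_000_000),
    Flow("203.0.113.5", 0, "198.51.100.10", UDP, True, 24_000_000, 12_000_000_000),
    Flow("192.0.2.53", 53, "198.51.100.20", UDP, False, 600, 60_000),
    Flow("192.0.2.80", 443, "198.51.100.20", 6, False, 5_000, 4_000_000),
]
```

Running `detect(SAMPLE_FLOWS)` flags only 198.51.100.10, at 8.0 Gbps and 1.0 Mpps with 90% of packets fragmented; the benign resolver traffic to 198.51.100.20 is summarized but stays far below the thresholds.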