Executive Overview

The self-proclaimed group of cybercriminal calling themselves the ‘Armada Collective’ have once again made the headlines. It is speculated that this recent wave of attacks from this group are just a decoy using the name for bragging rights. Nefarious events dating back as early as 2015 from the Armada Collective have been reported with DDoS attacks conducted and ransomware campaigns orchestrated.

However, it is important to note that leaders in the industry are stating that the new Armada Collective is not the original crew and are merely using the stage name for decoy copycat purposes. The countries reported to have been originally attacked include Switzerland, Taiwan, and other various countries in the geographic region of Europe. As previously mentioned, the Armada Collective primarily attacked the financial industry demanding payment in the form of bitcoin.

We have included a a copy of the mass distro email disbursed on behalf of the crew that followed the basic ‘Spray and Pray’ campaign of phishing and spear-phishing TTP’s.

In the event that the victims do not make the ransomware payment they will be hit with a terminal DDoS (Distributed Denial of Service) attack. It should be noted that various cyber-security experts have deemed the majority of the threats in the past to be empty promises when victims were not fulfilling the ransom demand. Based on past recorded incidents not all companies that refused to pay the ransom were in fact DDoS’ed.

However, on June 15th 2017 a new string of malicious emails hit the wild targeting financial institutions in the geographic regions of China. The Armada Collective demanded 10 bitcoin in return for not disrupting, or completely halting network activity via a DDoS attack. NSFOCUS took immediate emergency actions and released a security advisory on June 16th to help each financial company to facilitate in strengthening their current security posture and guaranteeing that they were fail-safe and secure against the DDoS attack.

Documented Attack Data

As the ransom dates approached it was evident that the proclaimed Armada Collective were honest in their threats and followed through with the attacks. NSFOCUS captured the DDoS attack details of one of the financial institutions that fell prey to Armada and discovered a volumetric DDoS attack of 9 gigabytes total with an average 2.3 gigabyte per-second. The primary attack vectors were SYN and UDP floods as indicated in the graphs below:

NSFOCUS Protective Solutions

Cloud + On premise Data Scrubbing (In-line/Out-of-Band):

Supports multi-layer and in-depth traffic cleaning. The Cloud cleaning system is expert at mitigating large-scale attacks and the local ADS (Anti-DDoS-System) is flexible at customizing prevention policies that can be specifically tailored for defense in application-layer attacks. This combination can easily address DDoS attacks that may occur in OSI Layers 2/3/7.


Supplies 24/7 real-time monitoring of alerts to facilitate security experts, or SOC (Security Operations Center) in coordination of protective measures in the event of any suspected or actual DDoS attacks that may occur.

IP/URL Reputation:

Information, or Threat Intelligence is generated in the first wave of attacks and is later used in the subsequent protection to improve cleaning efficiency and prevention of future attacks through black/white listing. Moreover, proper use of actionable, timely, and confirmed Threat intelligence (TI) will enhance data scrubbing accuracy for customers globally.

2 Replies to “Armada Collective DDoS Attack”

Leave a Reply

Your email address will not be published. Required fields are marked *