Industry group warns of coordinated DDoS extortion campaign against VoIP providers

An industry group for the UK telecommunications sector said this week that several of its members active in the Voice-over-IP (VoIP) market had been hit by Distributed Denial of Service (DDoS) attacks over the past month.

In a statement on Tuesday, the Comms Council UK said the DDoS attacks were "part of a coordinated extortion-focused international campaign by professional cyber criminals."

The organization did not share the name of the victims, but VoIP providers like Voipfone, VoIP Unlimited, and VoIP.ms have previously disclosed that they were the subject of DDoS extortion attempts since the end of August.

In addition, Bandwidth.com, an upstream provider for many VoIP companies, said it was also attacked as part of this extortion campaign, which the company said it managed to mitigate at the end of September.

The threat actors launched DDoS attacks and then sent emails requesting huge payouts to stop the attacks, knowing companies like VoIP providers could not afford to remain offline without incurring huge financial losses and pressure from their customers.

"The attackers took advantage of the unique characteristics of real-time communications, as well as the highly interconnected nature of our industry," Bandwidth.com CEO David Morken said earlier this month.

Cloudflare, which has been helping mitigate these attacks together with other DDoS mitigation providers, has also noted a recent focus on VoIP providers.

But despite the numerous reports around this campaign, the attackers do not appear to have been discouraged by media attention. The attacks are still ongoing at the time of writing, with Voipfone still dealing with a wave of DDoS attacks that began on Monday, according to the company's server status page.

Attacks have impacted critical infrastructure

All the affected companies said the attacks crippled their infrastructure and affected telephony and messaging services for their customers, resulting in prolonged, multi-day outages.

Chair of Comms Council UK, Eli Katz, said the attacks impacted "critical infrastructure organisations including the Police, NHS and other public services."

He described the DDoS extortion campaign as "attacks on the foundations of UK infrastructure."

Past DDoS ransom campaigns hit other sectors too

Coordinated DDoS attacks against selected industry sectors have happened before, and they appear to focus on industries that can't afford to go offline, even for a few minutes.

One year ago, in September 2020, a threat actor launched a similar campaign against EU-based internet service providers. At the time, the attacks hit Belgium's EDP, France's Bouygues Télécom, FDN, K-net, SFR, and the Netherlands' Caiway, Delta, FreedomNet, Online.nl, Signet, and Tweak.nl.

Other campaigns also targeted entities in the financial sector, such as banks and stock markets, campaigns that have taken place over late 2020 and the first half of 2021.

The Record reported over the weekend about one of the most recent of these DDoS extortion campaigns and which targeted privacy and security-focused email providers. Victims of these DDoS attacks, which continued throughout this week as well, included Runbox, Posteo, Fastmail, TheXYZ, Guerilla Mail, Mailfence, Kolab Now, and RiseUp.