ApophisSquad & 4SPEC7 DDoS ProtonMail

ApophisSquad and 4SPEC7 DDoS ProtonMail. Potential risk to British business.

Target: ProtonMail, ProtonVPN as well as Radware and other DDoS mitigators.
Attack Vector: DDoS attack. SSDP and TCP SYN multi-vector observed.

Threat Actor: ApophisSquad and affiliated group 4SPEC7.
Summary: ApophisSquad has been observed continuing its already significant volume of activity, attacking multiple targets during June. This included hoax bomb threats in addition to attacks which appeared to primarily target British businesses. An affiliate of the group, possibly a subsidiary and known as 4SPEC7, has also joined the group in attacking multiple targets with similar tactics. Of significance is the targeting of ProtonMail, an encrypted email service, with a DDoS attack. Further reports indicate the ProtonVPN service was also affected; the attacks were sustained for several hours and caused multiple outages of a few minutes at a time.

Risk assessment summary: This threat is assessed as 3d MODERATE. The groups have historically been observed targeting British businesses, and with this attack initially cited as a test, the likelihood of further DDoS campaigns is high. An attack would also likely target organisations in Britain as opposed to other nations, making the risk more relevant. This is likely due to the Russian links the groups are alleged to hold, and the political fallout between the two nations. Businesses targeted are usually high-profile, as the group continuously aims to achieve as much attention and recognition as possible. In June, the threat actors demonstrated their capability to deliver enormous attacks, using multiple variants of the DDoS attack vector and revealing the ability to customise attacks to achieve the greatest possible damage.
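The bulletin names an SSDP and TCP SYN multi-vector DDoS. The following is an added example, not part of the original bulletin and not code from any of the parties named in it, showing how a defender could flag both vectors in NetFlow-style records and recognise when they occur together. The record layout, the sample flows (constructed, using documentation address ranges) and the thresholds are all assumptions for illustration; real deployments tune them against baseline traffic.

```python
"""Flag SSDP-reflection and TCP SYN-flood traffic in flow records.

Added example; record format, sample data and thresholds are assumed.
"""
from collections import defaultdict

# Record layout (assumed): (proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, packets, bytes)
VICTIM = "198.51.100.5"  # constructed victim address (RFC 5737 documentation range)

SAMPLE_FLOWS = [
    # Constructed SSDP reflection: replies from UDP/1900 with ~400 bytes per packet
    ("udp", "203.0.113.10", 1900, VICTIM, 4242, "", 40, 16000),
    ("udp", "203.0.113.11", 1900, VICTIM, 4242, "", 38, 15200),
    ("udp", "203.0.113.12", 1900, VICTIM, 4242, "", 41, 16400),
    # Ordinary DNS reply; should not be flagged
    ("udp", "203.0.113.13", 53, VICTIM, 51000, "", 1, 120),
    # Legitimate completed TCP session to the same service; should not be flagged
    ("tcp", "192.0.2.200", 51234, VICTIM, 443, "SPA", 120, 98000),
] + [
    # Constructed SYN flood: 50 distinct sources, one SYN-only packet each, to TCP/443
    ("tcp", f"192.0.2.{i}", 40000 + i, VICTIM, 443, "S", 1, 60)
    for i in range(1, 51)
]


def detect_ssdp_reflection(flows, min_reflectors=3, min_bytes_per_packet=300):
    """Return {victim_ip: [reflector_ips]} where enough distinct hosts send
    large UDP replies from port 1900 (SSDP) to one destination."""
    reflectors = defaultdict(set)
    for proto, src, sport, dst, dport, flags, pkts, nbytes in flows:
        if proto != "udp" or sport != 1900 or pkts == 0:
            continue
        if nbytes / pkts >= min_bytes_per_packet:
            reflectors[dst].add(src)
    return {
        dst: sorted(srcs)
        for dst, srcs in reflectors.items()
        if len(srcs) >= min_reflectors
    }


def detect_syn_flood(flows, min_sources=20):
    """Return {(dst_ip, dst_port): source_count} where many distinct sources
    send SYN-only flows (no ACK, one or two packets) to the same service."""
    sources = defaultdict(set)
    for proto, src, sport, dst, dport, flags, pkts, nbytes in flows:
        if proto == "tcp" and flags == "S" and pkts <= 2:
            sources[(dst, dport)].add(src)
    return {
        key: len(srcs) for key, srcs in sources.items() if len(srcs) >= min_sources
    }


def classify(flows):
    """Name every vector present; more than one entry means a multi-vector attack."""
    vectors = []
    if detect_ssdp_reflection(flows):
        vectors.append("ssdp_reflection")
    if detect_syn_flood(flows):
        vectors.append("syn_flood")
    return vectors


if __name__ == "__main__":
    print("SSDP reflectors:", detect_ssdp_reflection(SAMPLE_FLOWS))
    print("SYN flood targets:", detect_syn_flood(SAMPLE_FLOWS))
    print("Vectors:", classify(SAMPLE_FLOWS))
```

The two detectors deliberately key on different signals: reflection is identified by the source port and reply size regardless of source count per se, while a SYN flood is identified by many sources that never complete a handshake. Reporting them together is what distinguishes a multi-vector campaign from a single-technique one.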


ApophisSquad activity increases; threat to British entities

Target: Large/government related British corporations, schools and gaming sector.
Attack Vector: Hoax threats, DDoS attacks, data leaks.
Threat Actor: ApophisSquad.
Summary: Since late 2017, increasing activity has been observed from the hacktivist group known as ApophisSquad. The group have been particularly active since March, with the brunt of their activity targeted towards British institutions. The group have been observed sending hoax threats, conducting DDoS attacks and carrying out data leaks. These have all been carried out against various high-level targets, some related to government as well as major banks such as Barclays UK. In addition, the group has promised further attacks.

Risk assessment summary: This threat is assessed as 3b MODERATE. The release of open source tools which any threat actor can use is a significant risk in the long term. Many threat actors are restricted from carrying out DDoS attacks or gaining leaked credentials due to insufficient capacity or intelligence; the use of these tools will enable them to overcome this barrier. The threat actor has also displayed expert execution of DDoS attacks on numerous occasions and appears to prefer targeting big businesses and the gaming industry.

The chance of further attacks is also high, with the group indicating they will continue and also plan to release their DDoS tool which is still in development. In addition, the group has repeatedly disrupted the same targets, suggesting further repeated attacks are possible. However, there is no indication that the group is state-owned, which may alleviate the possibility of a tit-for-tat situation developing.