Weekly Threat Report 18th August 2017

Created:  18 Aug 2017
Updated:  18 Aug 2017
We would like your feedback on the Weekly Threat Report. Please send us your thoughts, suggestions and queries using our 'Contact Us' page.
This report is drawn from recent open source reporting.

Hotels targeted across Europe and the Middle-East

Recent media reporting has highlighted a campaign targeting the hospitality sector.

The campaign, which reportedly started in July 2017 and may be linked to a similar campaign carried out during the autumn of 2016, is allegedly being carried out by Fancy Bear, also known as APT28. The group has also been implicated in the hack-and-leak campaign against the Democratic National Committee (DNC) during the 2016 US Presidential Elections.

Using EternalBlue, an exploit now infamous for its use in the WannaCry malware campaign, Fancy Bear have allegedly been seeking access to hotel Wi-Fi networks to install malware on guest devices connecting to targeted networks. According to researchers, the attackers may have been able to gain access to victims' data, including emails, and to harvest online credentials.

The hacking campaign, which has been noted predominantly in mid-upmarket hotels in European capitals and the Middle East, could be targeting foreign government and business travellers. Travellers should be aware of their digital security when travelling overseas. Where possible, travellers are advised not to connect to insecure or untrusted Wi-Fi networks.

Ukrainian post office DDoS and changes in attack methodology

In early August, the website of the national postal service of Ukraine, Ukrposhta, suffered multiple Distributed Denial of Service (DDoS) attacks occurring over two days. These attacks temporarily disabled the online systems used for tracking customer parcels and shipments. In June, the Ukrainian postal service was also significantly affected by the worldwide Petya/NotPetya ransomware attack, which also affected Ukrainian banking, state-owned power companies, television and public transport services.

According to security company Imperva, repeated DDoS attacks targeting the same network have become more common, possibly because they can disrupt some security measures and fatigue those in charge of attack mitigation, forcing them to stay alert even in quiet times between attacks.

There have been some significant changes to DDoS attack methodology over the last year, with Imperva reporting that three quarters of those experiencing DDoS attacks in Q1 2017 were targeted multiple times. Since Q4 2016, the number of DDoS attacks has decreased by about one quarter but, conversely, the size of individual attacks increased by one quarter. According to internet security company Verisign, in Q1 2017 58% of DDoS attacks targeted the IT services/cloud/SaaS industry, 28% targeted financial services and 6% targeted media and entertainment. The average cost of a DDoS attack, according to data service provider Neustar, now exceeds $2.5 million in lost revenue.

US Internal Revenue Service warns of fake tax software update scam

Just in time for the seasonal upgrading of tax software in the U.S., the Internal Revenue Service (IRS) has warned of a scam that tricks tax professionals into downloading fake software updates in order to harvest login credentials.

The scammer sends phishing emails with the subject "Software Support Update" that emphasise the requirement for an important software update. To receive the fake update, the email asks users to revalidate their login credentials by entering them into a website made to look like the software developer's portal. The credentials, once collected, are then used to access the tax professional’s account and steal client information.

Accountants and professional service providers often hold large amounts of personal information on their clients, so are a rich target for criminals seeking to access large amounts of sensitive data in a single attack. This threat is not unique to the U.S.; scammers have similarly been seen targeting UK professionals in timely attacks that exploit key deadlines throughout the financial year.

Measures are already in place and there is further work underway, as part of the UK NCSC’s Active Cyber Defence programme, to prevent the spoofing of HMRC email addresses in similar UK tax-themed attacks. However, accountants and professional services firms should take mitigative steps to protect client data, as criminals may regard them as less resilient than their banking counterparts, and therefore an easier target. 


The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.

Join CiSP
