Clues about who's behind recent cyber attacks on US banks
A Middle Eastern hacktivist group appeared to claim responsibility for massive denial-of-service cyber attacks on websites of six US banks. Some experts now say that claim is a 'false flag' to divert attention from the real attackers.
[Photo caption: Tourists walk past a Bank of America banking center in Times Square in New York in this June 22, 2012, file photo. Brendan McDermid/REUTERS/File]
A series of cyberattacks on the websites of six US banks is probably not the sole work of hacktivists upset about a YouTube video that denigrates the Prophet Muhammad, as early reports had conjectured. Rather, the massive denial-of-service attacks appear to have been tightly orchestrated, possibly by a single group, and may have been a bid to divert attention from other, more subtle attacks.
Cybersecurity experts analyzing the distributed denial of service (DDoS) attacks – which flood a target with data from a multitude of computers at once, so that the traffic is hard to block while it clogs the Internet connections at the target site – are also waiting to see if the perpetrators will strike again this week.
The first attack occurred Sept. 18. Between 9 and 10 a.m. EDT, security companies monitoring World Wide Web traffic noticed a sudden torrent of "junk" data directed at Bank of America – which soon became a deluge of about 65 gigabytes of information per second. That's about 15 to 30 times larger than is typically seen in such cyberattacks – roughly equal to data contained in 250,000 books shot at a bank website each second. Five similar DDoS attacks on other banks would follow.
Why, and who is behind the gigantic digital bombardments?
Messages left anonymously on the Pastebin website claim that a Middle Eastern hacktivist group – "Cyber fighters of Izz ad-din Al qassam," allied to the military wing of Hamas – was responsible for the attacks. The messages said the attacks are a response by thousands in the region angered by "Innocence of Muslims," a video made in the US and posted on YouTube that Muslims consider an affront to the Prophet Muhammad.
But experts say it appears that at least two attacks were occurring at once – one by a group of individuals, and the other by an entity controlling a relatively small number of powerful, high-speed Internet Web servers. Any attacks by activists during that time were only a veil masking a powerful, orchestrated attack conducted either by cybercriminals or possibly by Iran in retaliation for harsh economic sanctions, these experts say.
"On this particular attack, an Islamic group has claimed responsibility by saying they are doing the attacks for ideological motives," Dan Holden, director of research for the Security Engineering & Response Team at Arbor Networks, says in an e-mail interview. "If true, this would be classic hacktivism. However, Arbor thinks this could be a 'false flag' operation to divert attention away from the real attackers."
A leading indicator is the source of the digital firepower. The attack now appears to have emanated almost entirely from just 300 to 400 very powerful machines – Web servers – rather than from thousands of irate hacktivists allowing their own personal computers to be used to attack websites, Arbor and others say. These Internet workhorses, which usually employ their powerful processors to display many Web pages to the public simultaneously, were infiltrated and compromised – then used to attack the six banks.
Once contaminated by malicious software that turned over control to an unknown actor, the servers became a botnet – an army of zombie machines that did what they were told. On Sept. 18, the botnet was told to send data packets to strike Bank of America's servers, finally swamping them. The false flag, says Mr. Holden, was the effort by a tiny hacktivist campaign to provide cover for the huge botnet strike.
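The distinction the analysts draw above (a few hundred high-capacity servers versus thousands of volunteer personal computers) is something a defender can measure directly from inbound flow data: total volume against a baseline, and how concentrated that volume is across source addresses. The following Python script is an added illustration, not code from the article or from Arbor Networks; the flow windows, IP ranges, baseline rate and thresholds are all constructed assumptions chosen so that the server-style scenario lands near the 65 GB/s figure quoted earlier.

```python
from collections import Counter

# Constructed one-second flow windows: lists of (source_ip, bytes_seen).
# IPs and byte counts are invented for illustration only.
def make_window(n_sources, bytes_per_source, prefix):
    """Build a window in which n_sources distinct hosts each send bytes_per_source."""
    return [(f"{prefix}.{i // 256}.{i % 256}", bytes_per_source) for i in range(n_sources)]

# Scenario A: a few hundred high-capacity hosts, ~180 MB each per second (~63 GB/s total).
SERVER_STYLE = make_window(350, 180_000_000, "10.1")
# Scenario B: many low-capacity hosts, ~500 KB each per second (~10 GB/s total).
VOLUNTEER_STYLE = make_window(20_000, 500_000, "10.2")
# Scenario C: an ordinary quiet window at the assumed baseline rate.
QUIET = make_window(800, 50_000, "10.3")

# Assumed normal inbound rate for the site (constructed figure).
BASELINE_BYTES_PER_SEC = 40_000_000


def summarize(flows):
    """Aggregate a window by source: total volume, source count, mean per source,
    and the share of volume carried by the ten busiest sources."""
    per_source = Counter()
    for src, nbytes in flows:
        per_source[src] += nbytes
    total = sum(per_source.values())
    unique = len(per_source)
    ranked = sorted(per_source.values(), reverse=True)
    return {
        "total_bytes": total,
        "unique_sources": unique,
        "mean_bytes_per_source": total // unique if unique else 0,
        "top10_share": (sum(ranked[:10]) / total) if total else 0.0,
    }


def classify(summary, baseline=BASELINE_BYTES_PER_SEC, surge_factor=15,
             max_sources_for_server_style=1000, min_bytes_per_server=10_000_000):
    """Label a window. Thresholds are assumptions: a surge is >= surge_factor times
    baseline (the article cites 15 to 30 times typical); a surge carried by at most
    max_sources_for_server_style hosts, each averaging at least min_bytes_per_server,
    looks like compromised servers rather than a crowd of personal computers."""
    if summary["total_bytes"] < baseline * surge_factor:
        return "normal"
    if (summary["unique_sources"] <= max_sources_for_server_style
            and summary["mean_bytes_per_source"] >= min_bytes_per_server):
        return "surge:few-powerful-sources"
    return "surge:many-small-sources"


def main():
    for name, window in (("quiet", QUIET), ("volunteer-style", VOLUNTEER_STYLE),
                         ("server-style", SERVER_STYLE)):
        s = summarize(window)
        print(f"{name:16s} total={s['total_bytes'] / 1e9:6.1f} GB/s "
              f"sources={s['unique_sources']:6d} "
              f"mean/src={s['mean_bytes_per_source'] / 1e6:7.2f} MB "
              f"top10={s['top10_share']:.3f} -> {classify(s)}")


if __name__ == "__main__":
    main()
```

On real data the source count and per-source mean would come from NetFlow/sFlow or edge-router counters rather than a constructed list, and the baseline would be learned from the site's own history; the point of the heuristic is that a surge arriving from a few hundred addresses with very high per-address throughput says something different about the attacker's infrastructure than the same volume spread across tens of thousands of addresses.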
Bank of America was that day's target. JPMorgan Chase and Citigroup were hit later that week, causing their websites to slow or become inaccessible. Then, on Tuesday, Sept. 24, also between 9 and 10 a.m., attacks began again – this time directed at Wells Fargo. The next day, the websites of U.S. Bancorp and PNC were knocked offline for a time, according to media reports.