Clues about who's behind recent cyber attacks on US banks
A Middle Eastern hacktivist group appeared to claim responsibility for massive denial-of-service cyber attacks on websites of six US banks. Some experts now say that claim is a 'false flag' to divert attention from the real attackers.
A series of cyberattacks on the websites of six US banks is probably not the sole work of hacktivists upset about a YouTube video that denigrates the Prophet Muhammad, as early reports had conjectured. Rather, the massive denial-of-service attacks appear to have been tightly orchestrated, possibly by a single group, and may have been a bid to divert attention from other, more subtle attacks.
Cybersecurity experts analyzing the distributed denial of service attacks (DDoS) – which shoot data from myriad computers to make it hard to block the attempt to clog the Internet pipes at the target site – are also waiting to see if the perpetrators will strike again this week.
The first attack occurred Sept. 18. Between 9 and 10 a.m. EDT, security companies monitoring World Wide Web traffic noticed a sudden torrent of "junk" data directed at Bank of America – which soon became a deluge of about 65 gigabytes of information per second. That's about 15 to 30 times larger than is typically seen in such cyberattacks – roughly equal to data contained in 250,000 books shot at a bank website each second. Five similar DDoS attacks on other banks would follow.
Why, and who is behind the gigantic digital bombardments?
Messages left anonymously on the Pastebin website claim that a Middle Eastern hacktivist group – "Cyber fighters of Izz ad-din Al qassam," allied to the military wing of Hamas – was responsible for the attacks. The messages said the attacks are a response by thousands in the region angered by "Innocence of Muslims," a video made in the US and posted on YouTube that Muslims consider an affront to the Prophet Muhammad.
But experts say it appears that at least two attacks were occurring at once – one by a group of individuals, and the other by an entity controlling a relatively small number of powerful, high-speed Internet Web servers. Any attacks by activists during that time were only a veil masking a powerful, orchestrated attack conducted either by cybercriminals or possibly by Iran in retaliation for harsh economic sanctions, these experts say.
"On this particular attack, an Islamic group has claimed responsibility by saying they are doing the attacks for ideological motives," Dan Holden, director of research for the Security Engineering & Response Team at Arbor Networks, says in an e-mail interview. "If true, this would be classic hacktivism. However, Arbor thinks this could be a 'false flag' operation to divert attention away from the real attackers."
A leading indicator is the source of the digital firepower. The attack now appears to have emanated almost entirely from just 300 to 400 very powerful machines – Web servers – rather than from thousands of irate hacktivists allowing their own personal computers to be used to attack websites, Arbor and others say. These Internet workhorses, which usually employ their powerful processors to display many Web pages to the public simultaneously, were infiltrated and compromised – then used to attack the six banks.
Once contaminated by malicious software that turned over control to an unknown actor, the servers became a botnet – an army of zombie machines that did what they were told. On Sept. 18, the botnet was told to send data packets to strike Bank of America's servers, finally swamping them. The false flag, says Mr. Holden, was the effort by a tiny hacktivist campaign to provide cover for the huge botnet strike.
Bank of America was that day's target. JPMorgan Chase and Citigroup were hit later that week, causing their websites to slow or become inaccessible. Then, on Tuesday, Sept. 24, also between 9 and 10 a.m., attacks began again – this time directed at Wells Fargo. The next day, U.S. Bancorp and PNC's website were knocked down for a time, according to media reports.
The attacks seemed more sophisticated than what is typical for a DDoS incident, some experts say.
"It's not just a volumetric attack," says Scott Hammack, chief executive officer of Prolexic, a computer security firm with close ties to the financial industry. "The perpetrators really did their homework. This isn't a kid in his bedroom in Brooklyn doing these attacks. They've done months of reconaissance."
Michael Smith, a senior security expert at Akamai Technologies, a Boston-based Web-acceleration company that on any given day processes as much as one-third of all World Wide Web traffic through its 130,000 global servers, isn't buying the idea that the cyberattacks on the banks were the work of hacktivists, either.
"The attacks we were receiving on our servers were fairly homogeneous – very, very uniform," Mr. Smith says. "It makes me believe it's not a true hactivist attack. There's some recruiting going on, but there's nowhere near the amount of people involved that would be needed for this volume. Add to that, the attack patterns we are seeing [at the various banks] are all the same."
That uniformity is unlike the technological flailing of an army of activists, busily downloading malicious botnet software onto their own computers and letting fly, he says, having seen such an event before.
During the December 2010 hacktivist-inspired "Operation Avenge Assange," Akamai was hit by DDoS attacks in the range of 2 gigabits to 4 gigabits per second, indicating perhaps 3,000 to 7,000 attackers at any one moment. In the bank DDoS cases last month, the attacks were 15 to 30 times more powerful, implying as many as 65,000 attackers – many more than apparently participated, he says.
"This whole thing looks like someone trying to create confusion about what they're doing – a false flag," Smith says. "Look, the only primary sources or evidence that this is a hacktivist attack are two postings on Pastebin, and anyone can do that."
That leaves the usual suspects, he says: Eastern European cybercrime groups trying to cover their operations, or a state actor, such as Iran, seeking revenge for US-led economic sanctions or past Stuxnet cyberattacks on its nuclear-fuel refining facilities.
"When you have something like fraud, followed by DDoS, it's almost always Eastern Europeans running fraud scams, because that's what they're good at and they like that," Smith continues. "But I've heard people talk about nation state actors. It could be."
Lending some credence to the cybergang theory, the Federal Bureau of Investigation on Sept. 17 published a "fraud alert" that advised financial services firms that cybercriminals might soon be disrupting websites to prevent banks from noticing a jump in fraudulent wire transfers. Two days later, industry group Financial Services Information Sharing and Analysis Center raised its threat level, too.
Others, however, insist that Iran remains a likely suspect. Iran has been working to build its cyberwarfare capabilities. Last month, Iranian officials claimed that a cyberteam known as Iranian DataCoders Security Team had hacked nearly 400 Israeli websites.
Sen. Joseph Lieberman (I) of Connecticut, chairman of the Senate Homeland Security and Governmental Affairs Committee, last month publicly blamed Iran, fingering its Quds Force, a military unit. Iran's government has denied any involvement in the bank attacks.
But that hasn't stopped fingers from pointing privately in Iran's direction.
"I was told it was 'Iran' without being told the exact details of how this was determined before Lieberman said his thing," says a Washington-based cyberexpert who asked not to be named. "Everyone says it came from Iran."