Cyberattacks on US banks resume, aiming to block their websites

The latest cyberattack mirrors one in early fall that targeted websites of major US banks. Security experts say the attacks appear to be the handiwork of a group tied to Hamas, which the US lists as a terrorist organization. 

Brendan McDermid/Reuters/Files
Tourists walk past a Bank of America banking center in Times Square in New York in this June 2012 photo.

A massive new wave of cyberattacks aimed at blocking access to US banking websites has resumed after a three-month break, but with only mild impacts reported so far despite its size, cybersecurity experts report.

Cybersecurity experts analyzing the distributed denial of service (DDoS) attacks – which shoot data from myriad computers to clog the Internet pipes at the target site – say the attacks that began early Tuesday are similar to those that struck banks' website server computers in mid-September and continued for several weeks.

In the crosshairs are U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, and SunTrust Banks, according to a message posted Monday on by a purported Islamic hacktivist group, "Cyber fighters of Izz ad-din Al qassam," allied to the military wing of Hamas. All five were targeted – along with Capital One, Wells Fargo, Regions Bank, and HSBC – during the first attacks in September.

The message claims these latest “Phase 2 Operation Ababil” attacks are a mass popular response by Muslims to "Innocence of Muslims," a video made in the US and posted on YouTube that Muslims consider an affront to the Prophet Muhammad. "In [this] new phase," the group wrote, "the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks."

But a growing body of technical evidence casts doubt on the assertion that thousands of disgruntled Muslims in the Middle East are behind the cyberattack. Rather, it points to a single group operating a large number of high-powered computer servers that have been hijacked to attack the banks, cybersecurity experts report.

Researchers for Arbor Networks, a cybersecurity company, have isolated the attacks as coming primarily from three botnets – a network of coopted machines that have become zombie slaves to an outside operator. One botnet in particular, called Brobot or "itsoknoproblembro," is being used in the bank attacks. Two other botnets, KamiKaze and AMOS, also are being used, according to Arbor Networks and Prolexic, another cybersecurity firm specializing in DDoS. 

The size of the attack is enormous but not unprecedented – in the range of 60 gigabytes per second. By comparison, during the December 2010 hacktivist-inspired "Operation Avenge Assange," DDoS attacks ranged in size from 2 gigabits per second to 4 gigabits, indicating perhaps 3,000 to 7,000 attackers at any one moment.

But on Sept. 18, security companies monitoring World Wide Web traffic noticed a sudden torrent of "junk" data directed at Bank of America, which soon became a deluge of about 65 gigabytes of information per second. That's about 15 to 30 times larger than is typically seen in such cyberattacks – roughly equal to data contained in 250,000 books shot at a bank website each second.

The attacks this week have been about the same size, but have included some increased technical sophistication that makes them difficult to fight. The difference this time is that the banks seem better prepared. The group had warned in its first note that more attacks would be coming.

"Some of this week’s attacks have been as large as 60Gbps," wrote Dan Holden and Curt Wilson, two Arbor Networks researchers, in a blog post on Thursday. "What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public. These attacks utilize multiple targets, from network infrastructure to Web applications."

Some banks were reporting their websites still operating, although more slowly than usual. Customers reported access problems. One targeted bank, PNC, acknowledged the attack in a note to customers on its website.

"Targeted institutions have been working together with members of the security community and with government partners to help defend against the attacks," said the Financial Services Information Sharing and Analysis Center, an industry security group, in a Dec. 12 security update, a rare official acknowledgement of the attacks.

Who is behind the attacks remains open to speculation, although some experts suggest it could be Iran. The attacks are evidence of a tit-for-tat clandestine cyberwar between the US and Iran, stemming in part from the US unleashing of the Stuxnet cyberweapon again Iran's nuclear fuel enrichment facility, they say.

Sen. Joseph Lieberman (I) of Connecticut, chairman of the Senate Homeland Security and Governmental Affairs Committee, last month publicly blamed Iran, fingering its Quds Force, a military unit. Iran's government has denied any involvement in the bank attacks. Other officials contend there's little question of Iranian state backing.

"They have been going after everyone – financial services, Wall Street," a senior defense official speaking anonymously told The Wall Street Journal in October. "Is there a cyberwar going on? It depends on how you define war."

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Cyberattacks on US banks resume, aiming to block their websites
Read this article in
QR Code to Subscription page
Start your subscription today