Cyberattacks on US banks resume, aiming to block their websites

The latest cyberattack mirrors one in early fall that targeted websites of major US banks. Security experts say the attacks appear to be the handiwork of a group tied to Hamas, which the US lists as a terrorist organization. 

Photo: Tourists walk past a Bank of America banking center in Times Square in New York in this June 2012 photo. (Brendan McDermid/Reuters/Files)

December 14, 2012

A massive new wave of cyberattacks aimed at blocking access to US banking websites has resumed after a three-month break, but with only mild impacts reported so far despite its size, cybersecurity experts report.

Cybersecurity experts analyzing the distributed denial of service (DDoS) attacks – which shoot data from myriad computers to clog the Internet pipes at the target site – say the attacks that began early Tuesday are similar to those that struck banks' website server computers in mid-September and continued for several weeks.

In the crosshairs are U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, and SunTrust Banks, according to a message posted Monday on pastebin.com by a purported Islamic hacktivist group, "Cyber fighters of Izz ad-din Al qassam," allied to the military wing of Hamas. All five were targeted – along with Capital One, Wells Fargo, Regions Bank, and HSBC – during the first attacks in September.

The message claims these latest “Phase 2 Operation Ababil” attacks are a mass popular response by Muslims to "Innocence of Muslims," a video made in the US and posted on YouTube that Muslims consider an affront to the Prophet Muhammad. "In [this] new phase," the group wrote, "the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks."

But a growing body of technical evidence casts doubt on the assertion that thousands of disgruntled Muslims in the Middle East are behind the cyberattack. Rather, it points to a single group operating a large number of high-powered computer servers that have been hijacked to attack the banks, cybersecurity experts report.

Researchers for Arbor Networks, a cybersecurity company, have isolated the attacks as coming primarily from three botnets – a network of coopted machines that have become zombie slaves to an outside operator. One botnet in particular, called Brobot or "itsoknoproblembro," is being used in the bank attacks. Two other botnets, KamiKaze and AMOS, also are being used, according to Arbor Networks and Prolexic, another cybersecurity firm specializing in DDoS. 

The size of the attack is enormous but not unprecedented – in the range of 60 gigabytes per second. By comparison, during the December 2010 hacktivist-inspired "Operation Avenge Assange," DDoS attacks ranged in size from 2 gigabits per second to 4 gigabits, indicating perhaps 3,000 to 7,000 attackers at any one moment.

But on Sept. 18, security companies monitoring World Wide Web traffic noticed a sudden torrent of "junk" data directed at Bank of America, which soon became a deluge of about 65 gigabytes of information per second. That's about 15 to 30 times larger than is typically seen in such cyberattacks – roughly equal to data contained in 250,000 books shot at a bank website each second.

The attacks this week have been about the same size, but have included some increased technical sophistication that makes them difficult to fight. The difference this time is that the banks seem better prepared. The group had warned in its first note that more attacks would be coming.

"Some of this week’s attacks have been as large as 60Gbps," wrote Dan Holden and Curt Wilson, two Arbor Networks researchers, in a blog post on Thursday. "What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public. These attacks utilize multiple targets, from network infrastructure to Web applications."

Some banks were reporting their websites still operating, although more slowly than usual. Customers reported access problems. One targeted bank, PNC, acknowledged the attack in a note to customers on its website.

"Targeted institutions have been working together with members of the security community and with government partners to help defend against the attacks," said the Financial Services Information Sharing and Analysis Center, an industry security group, in a Dec. 12 security update, a rare official acknowledgement of the attacks.

Who is behind the attacks remains open to speculation, although some experts suggest it could be Iran. The attacks are evidence of a tit-for-tat clandestine cyberwar between the US and Iran, stemming in part from the US unleashing of the Stuxnet cyberweapon against Iran's nuclear fuel enrichment facility, they say.

Sen. Joseph Lieberman (I) of Connecticut, chairman of the Senate Homeland Security and Governmental Affairs Committee, last month publicly blamed Iran, fingering its Quds Force, a military unit. Iran's government has denied any involvement in the bank attacks. Other officials contend there's little question of Iranian state backing.

"They have been going after everyone – financial services, Wall Street," a senior defense official speaking anonymously told The Wall Street Journal in October. "Is there a cyberwar going on? It depends on how you define war."