Islamic hacktivists' bank attack claims gain credibility

The denial of service attack that disrupted the Wells Fargo & Co. electronic banking operations Tuesday was the fourth since last week. And it appears to lend some credence to threats and claims that the Izz al-Din al-Qassam Cyber Fighters, the military wing of Hamas, the Islamic party that governs the Gaza Strip, are behind them.

The group claimed responsibility for DoS attacks against Bank of America, JPMorgan Chase and Citigroup Inc. that disrupted online operations, and said the attacks would continue "until the Erasing of that nasty movie" -- a reference to a trailer of the independent film "Innocence of Muslims," which Muslims say insults the Prophet Muhammed.

This week, it said it had conducted Tuesday's Wells Fargo attack and that its next targets would be U.S. Bancorp and PNC Financial Services. Reports surfaced on Wednesday saying customers of those two institutions were having trouble accessing their websites.

Since the attacks began, there have been multiple theories floated about the source.

U.S. Sen. Joseph Lieberman (I-Conn), chairman of the Senate Homeland Security Committee, said last week in an interview on C-SPAN's "Newsmakers" program that he believed a unit of Iran's Revolutionary Guard Corps was behind them.

Also last week, the FBI issued a fraud alert, warning financial services firms that cybercriminals might try to disrupt their websites in an effort to distract them from noticing fraudulent wire transfers.

Some security experts said at the time that they might not even be attacks, but simply internal technical problems, similar to what shut down GoDaddy recently, or that they might simply be low-level attacks by anti-capitalist groups with a political agenda.

And even now there is not unanimous agreement that Izz al-Din al-Qassam Cyber Fighters is behind all the attacks. The group has not made good on all of its threats. It had also said it would attack the New York Stock Exchange, but trading has continued normally there.

Dmitri Alperovitch, chief executive of CrowdStrike, a private security firm investigating the attacks, told the Los Angeles Times that the claims "appear to be accurate in terms of predicting future attacks. But I wouldn't necessarily take at face value any of its claims about attribution or the video."

Whatever their source, the attacks have prompted some renewed calls for more coordination between the private sector and government, which was the goal of the 2012 Cyber Security Act (CSA) that failed in Congress last month.

But so far, they have not been even close to catastrophic, partially because, as a number of security experts have noted, DoS attacks are among the oldest and most basic, and do not require highly skilled computer programmers or advanced expertise.


Roger Thornton, CTO of AlienVault, called them "the digital equivalent of having a group of protesters block the entrance to a building or tie up the phone lines."

"These attacks can be a nuisance and can cause real damage or even physical harm at times -- if the 911 response system was tied up when you needed an ambulance, for example," he said. "But just like the protesters blocking a branch of the bank, a DDoS attack is very hard to prevent, somewhat inevitable regardless of your security posture and is not an attack that results in data stolen or systems permanently damaged."

And Thornton said there is already "a pretty good system for sharing threat data between the Department of Homeland Security and the financial services community today through a program run by FS-ISAC (Financial Services Information Sharing Analysis Center). There are already communication lines in place and these programs are part of the reason our banks are still operating in spite of such hostile threats."

Gary McGraw, CTO of Cigital, said he is a bit puzzled at all the interest in the recent wave of attacks. "These sorts of attacks happen all the time," he said. "I'm not sure why there seems to be more interest in these."

But he is certain that the banks don't need help from the government with DDoS attacks. "Google and Amazon don't need the government to help them with DDoS. That's ridiculous," he said.

Paul DeSouza of the Cyber Security Forum Initiative said the private sector and government have different roles to play. "The private sector should be responsible for deploying the necessary technologies and controls to include trained personnel to be able to continue to operate through and in cyberspace in the protection of their assets even under attack," he said.

"The role of the government should be of a supporting nature to include cyber intelligence and knowledge sharing capabilities," he said. "Offensive cyber responses are reserved to governmental actors with the appropriate authorities to engage in full spectrum cyber operations."

But Jody Westby, an attorney and CEO of Global Cyber Risk, said the problem is not so much coordination between the private and public sector in the U.S., but internationally.

"Cybercriminals today have effectively analyzed what jurisdictions lack skilled law enforcement, where cooperation is lacking or nil, and where cybercrime laws are either non-existent or civil penalties," she said.

"Meanwhile, we do not have effective cross-border cooperation and law enforcement support to counter the attacks. Until we address cybercrime, these attacks will continue to be sophisticated, ingenious, and successful," Westby said.

She said financial institutions do a good job overall in defending against attacks, but believes political leaders should at least be speaking out. "The President or State Department should show some diplomatic muscle," she said, even if the attacks are from a nation state. "Cyber Command does not have the legal authority to assist private sector networks."

She and others also say an executive order from the President to implement some of the provisions of the CSA, which is said to be close to being announced, would not help in this situation. "An executive order from the president could not expand the jurisdiction of the Defense Department and Cyber Command," she said.

Roger Thornton agrees. "Indicting and extraditing these actors from their home jurisdictions is next to impossible, so legal recourse is difficult," he said, adding: "I'm not sure there is much that [the President] could do."

Stories by Taylor Armerding
