DDoS attacks against banks raise question: Is this cyberwar?

It's been a month of crippling denial-of-service attacks on websites operated by U.S. banks and financial services firms. A terrorist organization called Al-Qassam takes credit online, but now the attacks are being blamed on Iran.

Background: Iran denies launching cyberattacks on U.S. banks

So is this just another case of cybercrime, or something entirely different? Could this be cyberwar?

Within the past month, crushing blasts of 65Gbps traffic, mainly from thousands of compromised Web servers, have targeted Bank of America, Wells Fargo, US Bank, JP Morgan Chase, Sun Trust, PNC Financial Services, Regions Financial and Capital One. The attacks have effectively cut bank customers off from online services for extended periods.

An Islamic group called the Izz ad-Din Al-Qassam Cyber Fighters claimed credit for most of the distributed denial-of-service (DDoS) attacks that started Sept. 18 with Bank of America. A hacktivist group associating itself with Anonymous claimed responsibility for the DDoS against HSBC that started Oct. 18. Banks have been busy apologizing to customers for service disruptions.

PNC Financial Services CEO James Rohr, acknowledging last week on CNBC that the DDoS attacks had "really pummeled us," noted cyberattacks "really disrupt this country."

That followed U.S. Secretary of Defense Leon Panetta's lengthy speech on Oct. 11 before a New York business group in which he said the U.S. needs to be on guard against a "cyber Pearl Harbor." He said if attackers launched destructive attacks on America's critical infrastructure networks, the president would ask the Defense Department to respond with both cyberweapons and traditional weapons.

But respond against whom, what and where?

The first round of attacks proved so severe to banks such as Wells Fargo and Bank of America that U.S. government officials are making accusations.

Sen. Joe Lieberman (I-Conn.) blamed Iran directly, while U.S. national security officials said the same to the media from behind a curtain of anonymity. For its part, Iran has officially denied any involvement.

Iran as the source of the cyberattacks on banks "is a good possibility" said Darren Hayes, professor in computer forensics at Pace University at the Seidenberg School of Computer Science and Information Systems.

Hayes notes that Iran last May had its own banking system disconnected from the global SWIFT financial transaction network as a sanction regarding its aspirations. Along with other international sanctions, "this is crippling their economy," Hayes said, adding he doubts the government would speak so directly about Iran if it didn't have some kind of intelligence.

Avivah Litan, a Gartner analyst specializing in security used in e-commerce and the financial industry, says the string of attacks does appear to have its origins in the Middle East, where the tumult of cyber-conflict is ongoing.

Litan says her sources have examined attack code used against the U.S. banks and regard it as the same code used against Israeli targets, such as the Tel Aviv Stock Exchange and the El Al Airline website, back in January. That round of DDoS attacks last January was endorsed by the group Hamas, which is widely believed to be funded by Iran.

At least some of these DDoS attacks against Israeli targets arose from networks in Saudi Arabia, and retaliation from Israeli hackers calling themselves IDF-TEAM ended up going after targets such as the Saudi Stock Exchange and the Abu Dhabi Securities Exchange, according to reports from the Israeli news organization Haaretz.com. Saudi Arabia this year has suddenly become a center of attention in other ways, too.

In August, Saudi Arabia's national energy company, Saudi Aramco, had to fend off a targeted malware attack against its enterprise systems, repairing 30,000 workstations that had been infected with malware dubbed Shamoon, which wiped out their data. A group calling itself the "Cutting Sword of Justice" claimed responsibility for the attack. A similar malware attack hit RasGas of Qatar.

To top it off, Saudi Arabia this year suddenly came out of nowhere to become the top spam-sending country in the world, according to a Trend Micro report this week. However, since DDoS attacks and spam distribution are often carried out through compromised computers, it's not necessarily clear who is actually behind an attack.

"Iranians have done conflict by proxy very effectively for 30 years, so adding cyberattacks into it isn't surprising," says Chris Bronk, professor in information technology policy at Rice University.

The sanctions against Iran, such as the SWIFT banking network cut-off, mean the country "is squeezed at this point." Does this all add up to cyberwar? Bronk says so far this has been a murky conflict falling far short of any call for bombs and invasions.

There's also speculation that, because the U.S. and Israel are believed to have originated the Stuxnet malware attack on the Iranian facility suspected of helping develop an Iranian nuclear bomb (a story broken by the New York Times this June), Iran is now gearing up its own cyber-weapons program to lash out at the U.S.

One of the most disturbing parts about the DDoS attacks on the U.S. banks is that the banks have not yet shown they can defend themselves, Litan says. The attackers themselves simply stopped on their own, she says, probably to try and erase their tracks so as not to get caught. "The banks knew the end points and the servers," she says. "They never nailed the people behind the attacks."

Radware, the Israel-based firm that makes anti-DDoS gear, has voiced deep doubts that the attacks originated with the shadowy Islamic group Al-Qassam but declines to say much more. Mike Smith, senior security evangelist at Akamai, is also doubtful about any Al-Qassam role.

"Before September, Al-Qassam was suicide bombers who shot people," Smith said, and they're aligned with Hamas and the Palestinians. He doubts that Al-Qassam suddenly acquired cyberwarfare capabilities. Several of the banks whose websites were under attack are Akamai customers, so Smith has some perspective on how the attacks proceeded. And it's left him thinking these attacks may have been simply a distracting mechanism to throw banks off guard while cyberattackers went after what they really wanted: taking over bank employee computers with ZeuS Trojan malware and the like in order to be able to steal bank funds.

The attacks follow a routine pattern each week, says Smith. On Monday, a posting online at Pastebin, said to come from Al-Qassam, announces the targeted financial institution, and on Tuesday, Wednesday and Thursday, the DDoS attacks come roaring.

The DDoS attack, proceeding methodically from website to website of the bank, reaches a stream of 65Gbps traffic. This stream hits each bank server, making it unavailable to customers for up to about 20 hours, then moves on to the next website of the same bank. Then the pattern repeats itself at another bank, and another. He says no bank has yet found a way to fully mitigate the attacks, though he notes there are things being done with help from ISPs and others.

But the odd coincidence in all this is that the day before the attacks started, the financial services group called the Financial Services Information Sharing and Analysis Center (FS-ISAC), which coordinates on security issues with the Department of Homeland Security, issued an advisory warning of an increase in bank-employee computer takeovers by financial theft malware, such as ZeuS.

It's well-known in the security industry that DDoS attacks and cybercrime attacks often coincide, since a DDoS helps fraudsters carrying out elaborate cybercrime to steal funds or commit other evil deeds. "It delays the response, the forensics," says Smith.

Smith suspects that the methodical round of DDoS attacks on the bank websites may simply be one element in something vaster: fraud carried out by crime rings, such as those in Eastern Europe. Banks seldom disclose their fraud rates, something that has frustrated the FBI in the past, so it might not be known for some time whether it's this kind of cybercrime that's been underway the past month. In any event, Smith adds that until there's more proof brought forward, he personally doesn't think the culprit in all this is Iran either.

This week has been quiet so far on the banking front. Smith points out that a DDoS attack in and of itself is mainly an inconvenience for banking customers since they can go through other channels, such as phoning the bank or visiting it, to conduct their business.

Some in industry say DDoS attacks are pretty common.

Dan Farrell, the director of network operations at web-hosting company Applied Innovations in Boca Raton, Fla., says his firm sees DDoS attacks more and more, about once a month. Most of the time, it's a customer who's targeted, some even receiving extortion threats. Applied Innovations uses Corero's anti-DDoS product, which mitigates the worst of it by dropping attack packets, with the real challenge being in determining the difference between DoS and legitimate traffic.

One of the more memorable incidents related to DDoS attacks arose against the e-commerce sites of two retailers, notes Farrell. It turned out their competitors in the retail space were DDoSing them, but it was possible to shield them from it.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.
