Experts unsure whether Iran is behind bank DDoS attacks

Sophistication of attacks points to possible state sponsor, but there's no proof yet, say security experts

Though U.S. officials blamed Iran for an ongoing stream of distributed denial of service attacks (DDoS) against major U.S. banks, security experts say there's not enough evidence yet to assign blame.

The security experts say the attacks over the past few months appear to have been carefully planned, and that the attackers show detailed knowledge of the weak spots in U.S. financial services networks, which could point to state sponsorship.

Meanwhile, the ongoing attacks have reportedly prompted some banks to seek the help of the National Security Agency (NSA).

The Washington Post on Friday quoted an unnamed bank official as saying that banks are seeking NSA help due to a growing sophistication of DDoS attacks against them.

Earlier this week, the New York Times quoted a former official in the U.S. State and Commerce Departments as saying that there is "no doubt" within the U.S. government that Iran is behind the attacks.

A group calling itself "Izz ad-Din al-Qassam Cyber Fighters" has claimed responsibility for a series of DDoS attacks against several large U.S. banks including Wells Fargo, JP Morgan Chase, Bank of America and U.S. Bancorp.

The group claims to be based in Iran and says the attacks are in protest of YouTube's refusal to take down a trailer of the controversial anti-Islam movie that roiled much of the Middle East last year.

The DDoS attacks began last September and have shown no signs of abating.

If anything, the attacks have become more sophisticated and disruptive, said Scott Hammack, chief executive officer at Prolexic Technologies, a security firm that has been helping some of the largest U.S. banks fend off the attacks.

Unlike past DDoS attacks, the ongoing attacks are of far higher bandwidth and occur more frequently, Hammack said. For instance, Prolexic recently observed high-bandwidth attacks against two separate banks that were launched at the same time.

One of the attacks generated 75Gbps of DDoS traffic while the other generated 45Gbps. Such high-bandwidth attacks, which used to occur once or twice a year, have become almost routine, he said.

Unlike past DDoS attacks, in which attackers commanded hundreds of thousands of infected PCs to send streams of useless traffic to targeted systems, the latest ones involve thousands of compromised servers, each capable of generating far more DDoS traffic than a home PC, he said.
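The distinction Hammack draws, many low-bandwidth PCs versus a few thousand high-bandwidth servers, is visible in per-source traffic rates. The following is an added example, not code or data from Prolexic, the banks or the article: it aggregates constructed flow records (source address, bytes sent in a window), computes the per-source rate, and labels the attack profile. The thresholds (5 Gbps to alert, 20 Mbps per source to count as "server-like") are assumptions chosen for the illustration.

```python
"""Profile a DDoS by per-source rate: PC botnet versus compromised servers.

Flow records and thresholds are constructed for illustration only.
"""
from collections import defaultdict

WINDOW_S = 10  # length of the observation window in seconds (assumed)


def make_flows(n_sources, bytes_per_source, prefix):
    """Build constructed (src_ip, bytes_sent) records: n_sources hosts under a
    /16 prefix, each sending the same volume during the window."""
    return [(f"{prefix}.{(i >> 8) & 255}.{i & 255}", bytes_per_source)
            for i in range(n_sources)]


# Scenario A (constructed): classic PC botnet, 20,000 hosts at ~0.4 Mbps each.
PC_BOTNET = make_flows(20_000, 500_000, "10.0")
# Scenario B (constructed): 2,000 compromised servers at ~40 Mbps each.
SERVER_BOTNET = make_flows(2_000, 50_000_000, "10.1")


def per_source_mbps(flows, window_s):
    """Sum bytes per source address and convert to megabits per second."""
    per_src = defaultdict(int)
    for src, nbytes in flows:
        per_src[src] += nbytes
    return {src: nbytes * 8 / window_s / 1e6 for src, nbytes in per_src.items()}


def profile(flows, window_s=WINDOW_S, alert_gbps=5.0, server_mbps=20.0):
    """Return aggregate volume, source count and a coarse attack profile.

    A source is 'server-like' when its own rate exceeds server_mbps; if most
    sources are server-like the attack is labelled server-based, which matters
    for mitigation because per-source blocking then removes a large share of
    the traffic, whereas a PC botnet needs broader filtering.
    """
    rates = per_source_mbps(flows, window_s)
    total_gbps = sum(rates.values()) / 1000
    server_like = sum(1 for r in rates.values() if r >= server_mbps)
    label = "server-based" if server_like > len(rates) / 2 else "pc-botnet"
    return {
        "sources": len(rates),
        "total_gbps": round(total_gbps, 2),
        "server_like_sources": server_like,
        "profile": label,
        "alert": total_gbps >= alert_gbps,
    }


if __name__ == "__main__":
    for name, flows in (("PC botnet", PC_BOTNET), ("server botnet", SERVER_BOTNET)):
        print(name, profile(flows))
```

Both scenarios trip the volume alert, but only the second is dominated by sources that individually push tens of megabits per second; with real flow data the same per-source view shows whether null-routing a few thousand addresses would materially reduce the load.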

Whoever is behind the attacks also appears to be using so-called "push technology" to control the compromised servers in real time, he said.

The technology allows attackers to turn on and turn off DDoS attacks and redirect DDoS streams at will, Hammack said. "They have a very good knowledge of what infrastructure to go after, particularly weak spots in the infrastructure," he said.

Defending against the attacks has been challenging because the servers used to launch them "are being told what to do in real-time," he said. However, the line of attack also "leaves the attackers completely exposed," which is how the U.S. government appears to know who is behind the attacks, he added.

"The attackers have been very brazen. This is being done by someone who doesn't really care about their identity being tracked," Hammack said.

He declined to speculate on the identity of the attackers.

Retired Rear Admiral Mike Brown, vice president of RSA's federal business group, said there is currently no evidence that the attacks are state sponsored.

"But that can't be counted out of the realm of possibility given the pressure Iran is under from the U.S. and the international community," Brown said. "At the very least, Izz ad-Din al-Qassam appears to be a hacktivist group that is motivated by a nationalist agenda."

He also wouldn't speculate on the identity of the hackers.

Nation states with a serious interest in cyber espionage and cyberwarfare generally devote substantial resources to developing custom malware and exploits for such attacks, he said.

Gartner analyst Avivah Litan noted that U.S. banking regulators such as the Office of the Comptroller of the Currency (OCC) have pointed to multiple groups as potential attackers.

"Some are politically motivated and others are financially motivated," Litan said. "Most important, the DDoS attacks have in fact led to or been associated with fraud and customer account takeover," she said.

Regardless of who is behind the attacks, banks need to take them seriously, Litan said.

"They must revisit their network configurations and re-architect them in order to minimize the damage," she said. "For example, they should distribute and decentralize their DNS and Web application servers as much as possible, and set various parameters to deflect the damage that a DDoS attack can do."

The banks must also strengthen backup processes and organizational support to deal with the fallout from such attacks, Litan said. "Banks must deploy layered security and fraud prevention, as outlined in FFIEC guidance to mitigate financial damage from these attacks," she added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
