Banks fighting cyberattacks unlikely to get government relief soon

Banks seeking help from the U.S. government in battling a campaign of cyberattacks that defense officials say is being led by the Iranian government are unlikely to get much relief without a diplomatic solution, security experts say.

Several affected banks, including PNC Financial Services Group, SunTrust Banks and BB&T, want the government to stop or at least lessen the severity of the denial-of-service attacks that started about a year ago, The Wall Street Journal reported on Wednesday. The Iranian government has denied any involvement.

Because financial institutions typically have sophisticated defenses around online banking sites, the fact that they are seeking help is an indication of the sophistication and intensity of the threat. Banks have already spent millions of dollars battling the attackers.

While no customer or account data has been stolen, the cyberattacks have taken their toll on the banks' profits, as well as on customer confidence, the report said. U.S. officials say they are looking at options, which could include retaliation.

Outside of reaching a diplomatic solution, the options available to the government would be unlikely to stop the attacks quickly, experts say. Blocking the attacks or taking down the botnet behind them would be difficult because of the complexity of the infrastructure.

"Because botnets are infected hosts living all around the globe, there is no easy way to just block them," said David Hobbs, director of security solutions at Radware. "Computers and servers are compromised daily and often belong to legitimate companies worldwide."

Another option suggested by the banks was having the government work with Internet service providers to block malicious traffic coming from computers in Iran. However, Scott Hammack, chief executive of Prolexic Technologies, said that would be difficult, given that the traffic in the bank attacks is coming from compromised systems in Europe, the U.S. and Asia. Some of the banks affected by the campaign are customers of Prolexic, which specializes in defending against denial-of-service attacks.

"[Law enforcement] have been trying to do that to a certain extent ... but those infrastructures are so complicated it's difficult to pin down what's doing what," Hammack said.

Something the government could do that the banks can't is to launch a retaliatory strike. But such a move would make the situation much worse, Hammack said.

"You could try to attack Iran with some sort of offensive [cyber] weapons and take down some of their infrastructure, but then you're going to create something that's going to escalate and inflame quite a few other Arab neighbors," he said.

In general, the banks are likely to be "on their own for awhile," Hammack said. "I don't think the government is going to get involved in building something out to create a defensive measure that the banks can lean on."

[See related: U.S. bank cyberattacks reflect 'frightening' new era]

The unusually potent attacks started early last year with Bank of America, investigators told The Journal. After attacking oil and gas companies in the Persian Gulf during the summer, the attackers turned their attention once again to banks in September.

The amount of bogus traffic directed at bank websites in an attempt to overwhelm them reached as high as 60 to 70 Gbps, many multiples higher than the typical denial-of-service attack. For example, Arbor Networks estimated that the average attack in September was 1.67 Gbps.

The sophistication of the attacks points to a state-sponsored action, researchers believe. Prolexic reported in October that a toolkit used in some of the attacks flooded the infrastructure and application layers of the banks' websites simultaneously. In addition, the traffic signatures were unusually complex and therefore difficult to reroute.

While botnets of mostly compromised PCs are used in the majority of cyberattacks, traffic sent against the banks was generated by compromised servers with 200 to 300 times more capacity than a personal computer, researchers say. Investigators told The Journal that tens of thousands of infected servers running corporate websites have been used.
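The two properties described above, a flood that hits the network/transport layers and the web application at the same time, and attack sources spread across Europe, the U.S. and Asia rather than concentrated in Iran, are what make the banks' proposed geo-blocking ineffective. The following Python script is an added illustration, not code from the article, Prolexic, Arbor Networks or any of the banks: it triages a constructed one-second window of flow records, reports the rate per layer, flags a simultaneous flood, and computes how much traffic a block of a given source region would actually remove. The flow fields, the region labels, the documentation-range IP addresses and the thresholds are all assumptions made for the example.

```python
"""
Triage a one-second window of constructed flow records: rate per layer,
simultaneous-flood flag, and the share of bytes a region block would remove.
Added example; flows, regions and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed per-window thresholds for illustration only; a real deployment
# would derive them from the site's baseline traffic.
VOLUMETRIC_GBPS = 0.5
APPLICATION_RPS = 10_000


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_region: str      # constructed label; real tooling would use a GeoIP lookup
    proto: str           # "udp" or "tcp"
    dst_port: int
    byte_count: int
    http_requests: int   # 0 for non-HTTP traffic


# Constructed sample window (documentation address ranges, not real attackers).
SAMPLE_FLOWS = [
    Flow("203.0.113.10",   "EU",   "udp", 53,  60_000_000, 0),       # DNS-style UDP flood
    Flow("198.51.100.7",   "US",   "udp", 80,  50_000_000, 0),       # UDP flood at the web port
    Flow("192.0.2.44",     "ASIA", "tcp", 443, 8_000_000,  15_000),  # HTTPS GET flood
    Flow("192.0.2.45",     "ASIA", "tcp", 80,  7_000_000,  12_000),  # HTTP GET flood
    Flow("203.0.113.77",   "EU",   "tcp", 443, 5_000_000,  9_000),   # HTTPS GET flood
    Flow("198.51.100.99",  "IR",   "udp", 53,  1_000_000,  0),       # small share from the blamed region
    Flow("198.51.100.200", "US",   "tcp", 443, 50_000,     3),       # ordinary customer session
]


def layer_of(flow: Flow) -> str:
    """Application-layer traffic is what the web stack must parse and answer;
    everything else only consumes links, firewalls and load balancers."""
    if flow.proto == "tcp" and flow.dst_port in (80, 443) and flow.http_requests > 0:
        return "application"
    return "infrastructure"


def summarize(flows, window_s: float = 1.0) -> dict:
    """Aggregate a window of flows into per-layer Gbps, request rate and region share."""
    bytes_by_layer = defaultdict(int)
    bytes_by_region = defaultdict(int)
    requests = 0
    for f in flows:
        bytes_by_layer[layer_of(f)] += f.byte_count
        bytes_by_region[f.src_region] += f.byte_count
        requests += f.http_requests
    total = sum(bytes_by_layer.values())
    gbps = {layer: b * 8 / 1e9 / window_s for layer, b in bytes_by_layer.items()}
    rps = requests / window_s
    return {
        "gbps": gbps,
        "rps": rps,
        "volumetric_flood": gbps.get("infrastructure", 0.0) >= VOLUMETRIC_GBPS,
        "application_flood": rps >= APPLICATION_RPS,
        "region_share": {r: b / total for r, b in bytes_by_region.items()},
    }


def blockable_share(flows, regions) -> float:
    """Fraction of bytes in the window that blocking the given source regions would remove."""
    total = sum(f.byte_count for f in flows)
    blocked = sum(f.byte_count for f in flows if f.src_region in regions)
    return blocked / total if total else 0.0


if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS)
    for layer, g in s["gbps"].items():
        print(f"{layer:15s} {g:.3f} Gbps")
    print(f"application     {s['rps']:.0f} req/s")
    print("both layers flooded:", s["volumetric_flood"] and s["application_flood"])
    print(f"blocking IR sources removes {blockable_share(SAMPLE_FLOWS, {'IR'}):.1%} of bytes")
```

On the constructed window the infrastructure layer carries 0.888 Gbps and the application layer 36,003 requests per second, so both flags trip at once, while a block on the "IR" region removes well under 1% of the bytes; the mitigation has to be keyed on traffic behaviour per layer, not on source geography.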

The attacks have affected most of the top dozen U.S. banks, which have had their sites disrupted or taken offline for short periods of time. In October, Defense Secretary Leon Panetta said the Pentagon was prepared to take action if the country was threatened by a computer-based attack.

While the U.S. is blaming Iran, the Middle Eastern country blames the U.S. and Israel for sending the Stuxnet worm that destroyed centrifuges in Iranian nuclear facilities in 2009. Quoting unidentified sources, The New York Times reported last year that Stuxnet was the work of the U.S. and Israeli governments.
