SAN FRANCISCO The attackers hit one U.S. bank after the next. As in so many previous attacks, dozens of online banking sites slowed, hiccupped or ground to a halt before recovering several minutes later.
But there was something disturbingly different about the wave of online attacks on U.S. banks in recent weeks. Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few Chihuahuas into fire-breathing Godzillas.
The skill required to carry out attacks on this scale has convinced U.S. government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States.
“There is no doubt within the U.S. government that Iran is behind these attacks,” said James Lewis, a former official in the departments of State and Commerce and a computer security expert at the Center for Strategic and International Studies in Washington.
Lewis said the amount of traffic flooding U.S. banking sites was “multiple times” the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation.
U.S. officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money. That’s another earmark of state-sponsored attacks, the experts said.
“The scale, the scope and the effectiveness of these attacks have been unprecedented,” said Carl Herberger, vice president of security solutions at Radware, a security firm that has been investigating the attacks on behalf of banks and cloud service providers. “There have never been this many financial institutions under this much duress.”
Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC. They employed distributed denial-of-service (DDoS) attacks, flooding the sites with traffic rather than breaking into them. No bank accounts were breached, and no customers’ money was taken. Herberger declined to say which cloud service providers had been compromised.
Assault on the clouds
By using data centers, the attackers are simply keeping up with the times. Companies and consumers are increasingly conducting their business over large-scale “clouds” of networked computer servers. But how, exactly, attackers are hijacking data centers and using their computing power to take down banking sites is still a mystery.
A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks. The group said it attacked the banks in retaliation for an anti-Islam video that mocked the Prophet Muhammad, but U.S. intelligence officials say the group is a cover for Iran.
Researchers at Radware found the traffic was coming from data centers around the world. They discovered that various cloud services and public hosting services were infected with a particularly sophisticated form of malware, called Itsoknoproblembro, designed to evade detection by antivirus programs.