Iran Peppers US Banks With Steady Barrage of Cybertraffic
Banks in the U.S. have again become the target of sophisticated distributed denial of service attacks. The volume of traffic and speed at which they're changing attack vectors point to a state-sponsored source. "Banks are prime targets because they're very high-profile," said Scott Hammack, CEO of Prolexic. "I think the attackers are trying to embarrass and discredit the United States."
Jan 9, 2013 1:34 PM PT
Iran is behind a wave of distributed denial of service attacks that hit U.S. banks in the past few weeks, according to a report in The New York Times.
The amount of traffic flooding American banks' sites was several times the volume Russia aimed at Estonia in a month-long online assault back in 2007, said James A. Lewis, senior fellow and director at the Center for Strategic and International Studies.
"We protect a lot of big financial enterprises, and a lot of banks have been hit continuously in the past three weeks," Scott Hammack, CEO of Prolexic, told TechNewsWorld.
The complexity and size of the attacks has increased, and "in a single day last week we had a 75-GB attack against one bank and a 45-GB attack against another," Hammack continued.
U.S. Department of Homeland Security Secretary Janet Napolitano presciently warned last year about massive DDoS attacks against the U.S. banking system.
Speculation on the DDoS Attacks
This is the second wave of DDoS attacks against U.S. banks; the first was launched in September.
There's speculation that the hackers are hijacking and using data centers to provide the power that underpins their attacks. Or, they could be creating their own clouds, possibly by remotely hijacking cloud services or creating large networks of individual machines.
Creating large networks of computers -- botnets -- is a tried-and-true tactic used by cybercriminals.
Researchers at Radware found that the DDoS traffic was coming from data centers around the world. Various cloud services and public Web hosting services had been infected with a malware package variously designated as itsoknoproblembro or Brobot, the researchers found.
Brobot is a PHP-based tool, Arbor Networks said.
Prince of Persia?
"What leads us to believe that there is a government or governments behind this is the scale of the operation," Hammack said.
"The servers that are being used to launch the attacks used to employ polling technology -- they'd sit there and, on a certain time delay, they'd look up the instructions they needed to launch an attack," Hammack continued. "Now, they're being commanded and controlled in real time. Somebody is sitting there and changing attack vectors in the sub-10-minute timeframe."
In the online world, 10 minutes is an eternity, but "when you're changing thousands of servers, it's pretty quick," Hammack stated.
Don't Ask, Don't Tell
"When you saw Sen. [Joe] Lieberman go in front of the press and say Iran is behind these attacks you can be pretty sure he knew something," Hammack said.
Lieberman, I-Conn., who chairs the Homeland Security and Governmental Affairs Committee, made the statement during a conversation with reporters on C-Span.
The U.S. government has not said anything in support of Lieberman's statement, but that's because "the government won't want to show its hand," Hammack contended. However, "there are ways of tracking the source of the attacks" and the U.S. government does track them.
The DHS did not respond to our request to comment for this story.
More on DDoS Attacks Against US Banks
The DDoS attacks began in September, and, so far, a group calling itself the "Izz ad-Din al-Qassam Cyber Fighters" has claimed responsibility. It has also threatened to continue attacking U.S. banks.
The itsoknoproblembro attack has at least 11 different attack signatures, Prolexic said. The attack vectors include POST, GET, Transmission Control Protocol and User Datagram Protocol floods with and without proxies. There's also a "Kamikaze" GET flood script that can relaunch automated attacks repeatedly.
In October, RSA announced the discovery of the Prinimalka-Gozi Trojan, which launched man-in-the-middle attacks against people who bank online. The people behind the attack were trying to put together an army of cybercriminals to launch a wave of coordinated DDoS attacks against U.S. banks, RSA said.
The Trojan basically creates a mirror image of PCs it has taken over, Oren Kedem, director of product marketing at Trusteer, told TechNewsWorld.
"Banks are prime targets because they're very high-profile," Hammack said. "I think the attackers are trying to embarrass and discredit the United States."