Cyber attacks on U.S. banks over the last several months reflect a frightening new era in cyber warfare, according to security expert Darren Hayes, who says that corporations are unprepared to battle such attacks because of a shortage of experts skilled in building effective defences.
Since September, U.S. banks have been battling, with mixed success, distributed denial of service (DDoS) attacks from a self-proclaimed hacktivist group called Izz ad-Din al-Qassam Cyber Fighters. Despite its claims of being a grassroots operation, U.S. government officials and security experts say the group is a cover for Iran.
The skill of the attackers goes far beyond typical DDoS attacks conducted by hacktivist groups such as Anonymous. Instead of originating from networks of compromised PCs, the bandwidth-clogging streams of bogus data hitting banking sites are coming from hijacked Web servers in data centres.
These far more powerful systems have enabled the attackers to generate as much as 70 gigabits per second of traffic, enough to topple the sites of even the largest financial institutions.
Such state-sponsored attacks demonstrate that cyber warfare is here. “We’ve entered a new era and it’s pretty frightening in many ways,” said Darren Hayes, Computer Forensics Expert and Chairman of Pace University’s Computer Information Systems Programme. “What’s a little bit scary is the fact that we don’t have as many skilled professionals who are network forensics analysts or network security people as we should have.”
Traditional security technology, such as firewalls, intrusion prevention systems and antivirus software, is “simply meaningless” against the sophistication of state-sponsored attacks, Hayes said. Colleges and universities need to train more students in forensics and security, so that banks and other large corporations can build better defences, he said.
The ongoing attacks on U.S. banks have intermittently disrupted online operations, sometimes taking the sites down completely for short periods of time. Banks targeted by the attackers have included the Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC Financial, Capital One, JPMorgan Chase, SunTrust Banks, Fifth Third Bank, BB&T and HSBC.
“These attacks are representative of the longest persistent cyber attack on an industry sector in history — in fact, nearly every major commercial bank has been affected,” said Carl Herberger, Vice-President of Security Solutions, Radware.
Another security vendor, Incapsula, recently analysed DDoS attack code used by Izz ad-Din al-Qassam that it recovered from the Web server of a U.K. customer. The server received instructions from a command-and-control server that timed the attacks to occur for periods from seven minutes to an hour. The precise timing made the attacks more effective.
“The botnet [command and control] was commanding it to work in ‘shifts,’ maximising its efficiency and ordering it to renew the attack just as the target would start to recover,” Incapsula said in a blog post.
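The “shift” pattern Incapsula describes, scheduled bursts of seven minutes to an hour that resume as soon as the target recovers, is something a defender can look for in per-minute request counts. The following is an added illustration written for this article, not Incapsula’s or any bank’s code; the traffic counts and the thresholds (ten times the median rate, a resume gap of at most ten minutes) are constructed assumptions.

```python
from statistics import median

# Constructed per-minute request counts for one site (not real bank data):
# 10 quiet minutes, a 12-minute shift, 5 minutes of recovery, a 10-minute
# shift, 10 quiet minutes, then a 3-minute spike too short to be a shift.
SAMPLE_COUNTS = (
    [100] * 10 + [5000] * 12 + [100] * 5 + [4000] * 10
    + [100] * 10 + [3000] * 3 + [100] * 3
)


def find_bursts(counts, factor=10):
    """Return (start, end) minute indexes of runs above factor x the median
    rate; the median is used as the baseline because it is barely moved by
    the attack minutes themselves."""
    threshold = factor * median(counts)
    bursts, start = [], None
    for i, c in enumerate(counts):
        if c > threshold and start is None:
            start = i
        elif c <= threshold and start is not None:
            bursts.append((start, i - 1))
            start = None
    if start is not None:
        bursts.append((start, len(counts) - 1))
    return bursts


def shift_chains(bursts, min_len=7, max_len=60, max_gap=10):
    """Group bursts lasting min_len..max_len minutes into chains where each
    burst resumes within max_gap minutes of the previous one ending. A lone
    burst is not a chain; two or more are the 'work in shifts' pattern."""
    chains, current = [], []
    for start, end in bursts:
        if not (min_len <= end - start + 1 <= max_len):
            continue  # too short or too long to be a scheduled shift
        if current and start - current[-1][1] - 1 > max_gap:
            chains.append(current)  # recovery gap too long: new chain
            current = []
        current.append((start, end))
    if current:
        chains.append(current)
    return [chain for chain in chains if len(chain) >= 2]


if __name__ == "__main__":
    for chain in shift_chains(find_bursts(SAMPLE_COUNTS)):
        print("shift-style attack, bursts at minutes:", chain)
```

In practice the counts would come from a load balancer or web-server log aggregated per minute, and a detected chain is a cue to keep mitigations in place through the quiet gap rather than lifting them when traffic first drops.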
In a January 1 post on Pastebin, Izz ad-Din al-Qassam vowed to continue the bank attacks, which it calls Operation Ababil. On Tuesday, the group said the attacks would continue until YouTube removed an anti-Islamic video.
Despite the group’s demands, security experts and U.S. government officials believe the attacks are actually in retaliation for Western economic sanctions and for cyber attacks on Iranian computer systems. Over the last three years, three sophisticated viruses, Duqu, Flame and Stuxnet, have struck government systems.
However, some experts say that there is not enough evidence to place the blame on Iran, which has denied any involvement in the bank attacks.