Bank attackers more sophisticated than typical hacktivists, expert says
FireEye researcher says he still believes individual sympathizers involved
By Antone Gonsalves
September 28, 2012 — CSO — The Islamic hackers who said they were behind cyberattacks that disrupted the online operations of several U.S. banks this week had technical firepower that went beyond the typical hacktivist, said one security expert.
Experts debated the methods used in cyber-assaults on Wells Fargo, U.S. Bank and PNC Bank, each struck on separate days, which the attackers said were an expression of anger over YouTube video trailers denigrating the Prophet Muhammad.
The crude trailers promoted an amateurish film called the "Innocence of Muslims" and sparked violent protests in many Muslim countries.
How the attackers conducted the assault is an indication of whether they were hacktivists protesting an insult to Islam or part of a much larger organization, such as a government unfriendly to the U.S.
Akamai, which helps companies optimize Internet connectivity, helped some of the banks fend off the attacks, which caused intermittent disruptions in online banking operations. Michael Smith, senior security evangelist at Akamai, said the banks' web servers were hit by as much as 65 gigabits of traffic per second, roughly 60 times the volume of a typical denial-of-service attack launched by hacktivists.
"This isn't consistent with what hacktivists are capable of," Smith said.
Also, the attackers used a single toolkit in building the programs that sent mostly junk data over the Internet to the banks' servers, Smith said. Hacktivists typically use multiple toolkits running programs spread across compromised computers and the systems of sympathizers.
The attack traffic Akamai confronted was "fairly uniform," Smith said. "This does not happen with a hacktivist mob."
Atif Mushtaq, a security researcher for FireEye who monitored the attack traffic, has said he believes it was generated on hundreds of thousands of computers, many of which were likely owned by sympathizers of the attackers recruited through websites and social networks.
On Friday, he stuck by his people-powered theory, but agreed the attackers could have used a combination of servers and personal computers, some compromised and some belonging to sympathizers.
Smith said most of the traffic that Akamai diverted from unnamed bank clients came from virtual private web servers running booter shell scripts, small programs that in this case mostly sent junk data. By using servers, the attackers needed far fewer systems to launch the attack, since each server has 200 to 300 times the capacity of a personal computer, Smith said.
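The two indicators Smith describes, an aggregate rate far above a typical hacktivist flood and traffic that is uniform because one toolkit is running on a few high-capacity servers, can be turned into a simple triage check over flow records. The following is an added example, not code from the article, Akamai or FireEye: the flow lines, the `fp` request-fingerprint field, the `PC_CAP_GBPS` cutoff and the classification thresholds are all constructed assumptions for illustration; only the 65 Gbps and 60x figures come from the article.

```python
"""Triage of a volumetric flood by aggregate rate and traffic uniformity.

Added example; not code from the article, Akamai or FireEye. The flow records,
the 'fp' request-fingerprint field and every threshold are constructed
assumptions. Only TYPICAL_HACKTIVIST_GBPS is derived from the article.
"""
from collections import Counter, defaultdict

# From the article: ~65 Gbps observed, roughly 60x a typical hacktivist flood.
TYPICAL_HACKTIVIST_GBPS = 65 / 60

# Constructed assumption: a source sustaining more than this is treated as a
# server-class host (e.g. a VPS) rather than a home PC.
PC_CAP_GBPS = 0.05

# Constructed sample 1: ten VPS hosts each pushing 1 GB in a 10 s window with
# a single request fingerprint, plus three PCs, one of them using the same tool.
SERVER_FLOOD = """\
198.51.100.10 bytes=1000000000 secs=10 fp=a1
198.51.100.11 bytes=1000000000 secs=10 fp=a1
198.51.100.12 bytes=1000000000 secs=10 fp=a1
198.51.100.13 bytes=1000000000 secs=10 fp=a1
198.51.100.14 bytes=1000000000 secs=10 fp=a1
198.51.100.15 bytes=1000000000 secs=10 fp=a1
198.51.100.16 bytes=1000000000 secs=10 fp=a1
198.51.100.17 bytes=1000000000 secs=10 fp=a1
198.51.100.18 bytes=1000000000 secs=10 fp=a1
198.51.100.19 bytes=1000000000 secs=10 fp=a1
203.0.113.5 bytes=25000000 secs=10 fp=b2
203.0.113.6 bytes=25000000 secs=10 fp=c3
203.0.113.7 bytes=25000000 secs=10 fp=a1
"""

# Constructed sample 2: a dozen volunteer PCs, 25 MB each, six different tools.
VOLUNTEER_MOB = """\
192.0.2.1 bytes=25000000 secs=10 fp=a1
192.0.2.2 bytes=25000000 secs=10 fp=b2
192.0.2.3 bytes=25000000 secs=10 fp=c3
192.0.2.4 bytes=25000000 secs=10 fp=d4
192.0.2.5 bytes=25000000 secs=10 fp=e5
192.0.2.6 bytes=25000000 secs=10 fp=f6
192.0.2.7 bytes=25000000 secs=10 fp=a1
192.0.2.8 bytes=25000000 secs=10 fp=b2
192.0.2.9 bytes=25000000 secs=10 fp=c3
192.0.2.10 bytes=25000000 secs=10 fp=d4
192.0.2.11 bytes=25000000 secs=10 fp=e5
192.0.2.12 bytes=25000000 secs=10 fp=f6
"""


def parse_flows(text):
    """Parse 'src bytes=N secs=S fp=X' lines into dicts; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        flows.append({"src": src, "bytes": int(f["bytes"]),
                      "secs": float(f["secs"]), "fp": f["fp"]})
    return flows


def per_source_gbps(flows):
    """Sustained rate per source over its window, in gigabits per second."""
    nbytes, window = defaultdict(int), defaultdict(float)
    for f in flows:
        nbytes[f["src"]] += f["bytes"]
        window[f["src"]] = max(window[f["src"]], f["secs"])
    return {s: nbytes[s] * 8 / window[s] / 1e9 for s in nbytes}


def summarize(flows, pc_cap_gbps=PC_CAP_GBPS):
    """Aggregate rate, fingerprint uniformity and server-class byte share."""
    rates = per_source_gbps(flows)
    total_bytes = sum(f["bytes"] for f in flows)
    dominant_fp, dominant_n = Counter(f["fp"] for f in flows).most_common(1)[0]
    server_bytes = sum(f["bytes"] for f in flows if rates[f["src"]] > pc_cap_gbps)
    total_gbps = sum(rates.values())
    return {
        "sources": len(rates),
        "total_gbps": total_gbps,
        "multiple_of_typical": total_gbps / TYPICAL_HACKTIVIST_GBPS,
        "dominant_fp": dominant_fp,
        "uniformity": dominant_n / len(flows),        # share of flows on one tool
        "server_share": server_bytes / total_bytes,   # bytes from server-class hosts
    }


def classify(summary, min_uniformity=0.8, min_server_share=0.5):
    """Constructed decision rule: uniform traffic coming mostly from server-class
    sources reads as one toolkit on rented or compromised servers; anything else
    reads as a diffuse, PC-based mob. Thresholds are illustrative, not measured."""
    if (summary["uniformity"] >= min_uniformity
            and summary["server_share"] >= min_server_share):
        return "single-toolkit server flood"
    return "diffuse PC-based flood"


if __name__ == "__main__":
    for name, text in (("server flood", SERVER_FLOOD), ("volunteer mob", VOLUNTEER_MOB)):
        s = summarize(parse_flows(text))
        print(f"{name}: {s['sources']} sources, {s['total_gbps']:.2f} Gbps "
              f"({s['multiple_of_typical']:.1f}x typical), uniformity "
              f"{s['uniformity']:.2f}, server share {s['server_share']:.2f} "
              f"-> {classify(s)}")
```

The point of the two samples is that source count alone does not separate the cases: thirteen sources produce an 8 Gbps flood in the first sample because ten of them are server-class, while twelve PCs in the second sample barely reach a quarter of a gigabit and spread their requests over six tools. Real flow data would come from NetFlow/sFlow or proxy logs, and the fingerprint would be whatever the edge already derives from request lines and header order; the thresholds need to be calibrated against that data before the verdict means anything.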
Smith would not speculate on who was behind the attacks. However, he said only a handful of groups had the sophistication to launch such an assault against large banks.
"There are the obvious suspects," he said. "The people who have done this previously would be organized crime, and it could be nation-state sponsored. I'm not willing to rule those out just yet, but I'm not willing to say it's definitely one of those."
U.S. Sen. Joe Lieberman, chairman of the Senate Homeland Security committee, has blamed the Iranian Quds Force, a secretive military unit that has been accused of terrorist activity. The Iranian government has denied involvement in the bank attacks.
The latest attacks also follow on the heels of a Federal Bureau of Investigation (FBI) warning last week about cybercriminals using spam and phishing e-mail to spread malware and steal bank employee login credentials. The stolen user IDs and passwords were used to wire as much as $900,000 out of customer accounts.
Other security experts believe hacktivism was the more likely motive in the latest attacks, which started last week with denial of service assaults against Bank of America and JPMorgan Chase. The hackers, who called themselves Izz ad-Din al-Qassam Cyber Fighters, named the campaign "Operation Ababil."
Dancho Danchev, an independent security consultant, theorized in a blog post on Friday that the attackers' early Pastebin posts pre-announcing the attacks were to recruit Internet-connected sympathizers, who were later instructed where to download a program to participate in the attacks.
In examining the files, Danchev found that one of the attackers used the handle "Marzi Mahdavi II," which the consultant linked to a Facebook account used to recruit people from multiple Muslim-friendly groups on the social network. Danchev also found the recruitment campaign on multiple websites.