Iran may be behind a massive and sustained campaign of cyber-attacks against numerous Western financial institutions, including Citigroup, Capital One and HSBC, we learned last week. The strikes turn banks' Web site encryption against them: the encryption protects customers' online transactions, but each encrypted request costs the bank's servers more to handle than a plaintext one, so a flood of them drives up traffic volume faster than the same number of ordinary requests would.
Enough of this traffic causes a jam that can completely halt business on these Web sites. So attackers seize control of sprawling cloud computing networks and use them to inundate the sites with encrypted requests from many machines at once, denying service to the target's customers: hence the name, Distributed Denial of Service (DDoS).
“Even the well-defended Web sites of banking titans such as Wells Fargo, Bank of America and JP Morgan Chase have suffered connection problems under the weight of the recent onslaughts,” TechDailyNews Senior Editor Paul Wagenseil wrote last week. “Web sites can be cut off from the rest of the Internet, which for online banks adds up to a lot of lost business.”
Web sites for most midsize enterprises can handle about one gigabit per second (Gbps), according to an expert quoted in The New York Times last week. One victimized bank could handle 40 Gbps, but some attacks were as strong as 70 Gbps.
“The DDoS attacks against the bank sites are several orders of magnitude higher than the attacks led by the hacktivist movement Anonymous against PayPal, MasterCard and dozens of government sites over the past few years,” Wagenseil said. “The bank attacks … have often used a DDoS tool called ‘ItsOKNoProblemBro’ to hijack and launch attacks from other Web servers, greatly amplifying the bandwidth of the bogus requests.”
And ItsOKNoProblemBro-infected servers are “bRobots.” Get it?
But It’s Not O.K. — And There Is A Problem, Bro
If turning a Web site’s encryption against itself isn’t cruel enough, attackers use the same types of cloud computing networks that many businesses employ to help solve their Big Data storage problems. The New York Times characterized this as “transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.”
But the DDoS attacks don't compromise anyone's account or steal any money; they are extraordinarily difficult to trace; and they are far more sophisticated than what one would expect from a garden-variety hacker. That has some experts thinking that Iran is sponsoring these attacks in retaliation for U.S.-led economic sanctions pursued through the United Nations, and for three U.S.-led cyber-attacks on Iran in as many years.
Some see this as a form of asymmetric warfare, off-the-battlefield combat typically waged against an opponent with significantly greater military might. U.S. Defense Secretary Leon Panetta addressed the threat in October, shortly after these attacks surfaced.
“Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for actions that may try to harm America,” Panetta said. “For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.”
On the Cold Warpath
The stakes are high, but Iran denies being behind the attacks. Hackers known as Izz ad-Din al-Qassam Cyber Fighters have claimed responsibility, citing an inflammatory online video. But the group is really a front for Iran, according to U.S. intelligence officials.
China, Russia and North Korea are also among the major perceived cyber-threats to the U.S. But not everyone is convinced that Iran is behind these DDoS attacks.
“ItsOKNoProblemBro is far from sophisticated malware,” Roel Schouwenberg, senior anti-virus researcher at Moscow-based Kaspersky Lab, recently told TechDailyNews. “Going strictly by the publicly known technical details, I don’t see enough evidence to categorize this operation as something only a nation-state-sponsored actor could pull off.”
Still others see an impending Cold War-style showdown between the U.S. and Iran — with hapless Wall Street caught in the middle.
“The only thing that banks can do is prepare for the next campaign,” Alexander Tabb wrote for TABB Group on Monday. “Given the increasing importance web portals and distributed architectures play in today’s capital markets sector, institutions on both the buy side and sell side have to start thinking about how they intend to protect themselves against a 70 Gbps DDoS attack.”
Financial institutions should deploy detection rules and a traffic-analysis tool so that a flood is recognized as it starts, and keep their content management systems patched, since the attack is launched from other organizations' compromised Web servers, according to Michael E. Donner, senior vice president at Prolexic, a Hollywood, Fla.-based DDoS protection services provider. He shared tips for defending against ItsOKNoProblemBro with American Banker earlier this month.
“[Banks] should make sure they are prepared for DDoS attacks of any type — not just ItsOKNoProblemBro — by creating a DDoS mitigation playbook,” said Donner. “Having an action plan in place goes a long way toward fighting off the attacks quickly and successfully.”
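As an added example, not code from the article or from Prolexic, the following is the kind of detection rule Donner recommends, applied to the request flood described at the top of the piece. It runs over constructed access-log lines (documentation IP ranges and made-up timestamps, in a combined-log-style format that is an assumption of the example) and uses illustrative thresholds. The point it makes is that a distributed flood is made of many sources that each look unremarkable, so a per-IP rate limit alone misses it; only the site-wide count catches it.

```python
"""
Added example, not code from the article or from any vendor it quotes:
a minimal sliding-window detector for an HTTPS request flood, run over
constructed web-server access log lines. It flags individual sources that
exceed a per-IP rate and, separately, raises an aggregate alert when the
whole site's request rate exceeds a limit.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-style line (assumed format); the timestamp carries a numeric UTC offset.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_flood(lines, window_seconds=10, per_source_limit=5, aggregate_limit=20):
    """Sliding-window rate check over log lines that are in time order.

    Returns the sorted list of source IPs that exceeded per_source_limit
    requests within one window, whether the site-wide count ever exceeded
    aggregate_limit, and the peak site-wide count seen in one window.
    """
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(deque)   # ip -> timestamps inside the window
    site_wide = deque()               # all timestamps inside the window
    flagged = set()
    peak = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        ts = rec["ts"]
        q = per_source[rec["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > per_source_limit:
            flagged.add(rec["ip"])
        site_wide.append(ts)
        while ts - site_wide[0] > window:
            site_wide.popleft()
        peak = max(peak, len(site_wide))
    return {
        "flagged_sources": sorted(flagged),
        "aggregate_alert": peak > aggregate_limit,
        "peak_window_requests": peak,
    }


def build_sample_log(num_bots=30):
    """Constructed sample traffic (hypothetical IPs from documentation ranges).

    num_bots sources each send two requests a few seconds apart, which is
    below the per-source limit; one loud source sends eight in eight seconds;
    one ordinary customer sends two. Lines are returned in time order.
    """
    t0 = datetime(2012, 12, 10, 14, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(num_bots):
        ip = f"203.0.113.{i + 1}"
        events += [(t0, ip, "/login"), (t0 + timedelta(seconds=3), ip, "/login")]
    for s in range(8):
        events.append((t0 + timedelta(seconds=s), "198.51.100.7", "/login"))
    events += [(t0 + timedelta(seconds=1), "192.0.2.5", "/"),
               (t0 + timedelta(seconds=5), "192.0.2.5", "/accounts")]
    events.sort()
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'
        for ts, ip, path in events
    ]


if __name__ == "__main__":
    print(detect_flood(build_sample_log()))
```

With the default sample, only the loud source trips the per-IP limit, while the thirty two-request sources trip the aggregate alert between them; with `num_bots=0` the same loud source is still flagged but the aggregate alert stays quiet. In production the thresholds would be set from a baseline of normal traffic, and the aggregate alert is what should hand off to the mitigation playbook rather than to a per-IP block list.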