The DDoS attacks that are temporarily wiping US banks off the Internet are very different than anything we have seen before. Rather than being a temporary annoyance, they are likely the precursor for much bigger things.
Last years DDoS attacks emanated from so-called “hacktivist” groups like LulzSec and Anonymous. These attacks were primarily targeting bank home pages (http://www.yourbank.com) and used basic tools such as the Low Orbit Ion Cannon (LOIC). It was akin to attacking a heavily fortified building (bank infrastructure) with foot soldiers. The attacks mostly failed, and banks fortified themselves even further. For the hackivists, the outcome was much worse: LOIC identified the attackers’ IP addresses and landed many of them in trouble with law enforcement. The LulzSec leader, Sabu, was a FBI informant and handed over hacktivist leaders to the FBI on a plate. The attacks were a disaster.
This years attacks, at first, sounded like more of the same. Operation Ababil, led by the al-Qassam Cyber Fighters seemed doomed from the start. The tools to be used by Muslims outraged by the YouTube “Innocence of Muslims” video included some new ones, including the High Orbit Ion Cannon (HOIC) from Anonymous. The world prepared to yawn as this unknown hacktivist group threw digital stones at some of the world best fortified banks. Then something strange happened: David fired and Goliath went down. Hard.
Why are these attacks so effective?
Technology: The technology used in these attacks is mixed. Not only are footsoldiers being used (HOIC), but mercenary armies (multiple botnets) and heavy artillery too (compromised Joomla servers buried deep in data centers with access to huge data pipes). Instead of several hundred megabits of annoying traffic, they are generating up to a hundred gigabits of traffic, enough to knock very large sites off the Internet.
Targeting: The whole point of terrorism is to generate terror. A general state of unease and worry is not enough. These attackers brazenly publish details on pastebin of who they are going to attack, and when. Even now hundreds of bank sysadmins are clicking F5 on pastebin waiting for next weeks targeting blog to see if they are on the hit list. FS-ISAC and Federal Authorities’ are helping banks, but the attackers have a flawless record of victory to date. The banks being targeted are much broader in scope than before: the ‘too big to fail’ banks were all hit, now the regional banks are targeted, and the triggermen are going down the list of banks methodically.
Tactics: Rather than hitting just the home page, these attacks are targeting deep within the bank’s infrastructure. Key authentication and session management servers are being attacked. The attackers monitor bank countermeasures, then attack the new defenses. Banks have even switched service providers when attacked, but within minutes the attackers ‘take out’ the service providers at their weak points and cripple the banks again. The precision, adaptability and responsiveness of the attackers shows there are some talented snipers pulling the trigger.
Triggermen: We have no idea who is behind the attacks. Did the al-Qassam cyber fighters just pop up from nowhere in Iran? Are some brilliant cybercriminals pushing the buttons? Is there a nation state preparing for cyberwar with the US and learning our weak points and defensive tactics? Is there some misguided group within the US doing this to heighten cyber war tension or push through legislation? Right now we don’t know.
The only other time DDoS attacks were effective against banks was the “dirtjumper” attackers taking place this time last year. The dirtjumper attackers were ambitious cybercriminals who generally operated Zeus botnets. If they were able to steal money via wire or ACH from a bank, usually a million dollars or more, they paid the operators of the dirtjumper botnet to take the bank web servers down. This had two benefits and one major drawback for the fraudsters. One advantage was that bank antifraud detection methods were paralyzed as everyone was focused on getting the bank up and running. The other benefit was the victim was unable to login to the site and see their money was missing. The main downside was once the pattern was identified, banks learned that the moment they were hit with a DDoS attack, they had likely experienced a major fraud event and should freeze and review large money movements. Cybercriminals are piggy-backing on the current attacks just like looters after a natural disaster, but do not seem to be the prime movers.
The motivation behind the current attacks are twofold. First, to create terror that banks (even when fortified by their allies) can be taken offline with ease. Second, to study how banks will react when hit an attack, to determine what their next moves will be and to ensure they can be defeated.
This is also published at https://www.nsslabs.com/blog/ddos-attacks-merely-precursors-big-attacks