The organization taking responsibility for the distributed denial of service attacks on banks over the past several weeks, Izz ad-Din al-Qassam Cyber Fighters Group, is apparently taking a week off, ostensibly to celebrate the Muslim holiday Eid al-Adha. But new information has emerged about the group's motives and mode of operation that suggests this truly is a cyber war that is just beginning.
The group's true reason for stopping its attacks, according to industry experts, is not religion but fear of being caught. Investigators have found some of the machines being used to mastermind these attacks and were trying to locate the people involved. The perpetrators conducting the attacks, many of them English-speaking subcontractors (according to intercepted emails), shut their activities down to avoid being found and arrested.
Investigators have linked the recent attacks on ten banks (including Bank of America, Wells Fargo and PNC) with similar distributed denial of service incidents against the Israeli stock exchange and El Al Airline in January; the same code was used in both attacks. This suggests that the group is not motivated by outrage over the video "Innocence of Muslims" that was posted to YouTube in September, as it has claimed on its Pastebin blog all along. Its motive for the ongoing crimes, which started almost a year ago, may be retaliation for U.S. malware attacks against Iranian nuclear facilities in 2010.
"In January, we went from cybercrime to real cyberwar," says Avivah Litan, vice president and distinguished analyst at Gartner.
Another chilling fact investigators have uncovered concerns the sheer power of these attacks.
In a typical distributed denial of service attack, malware is used to enlist innocent users' computers in a botnet that launches a stream of repeated requests at a web server (such as one hosting an online banking site), overwhelming the targeted server. The user never knows that his computer is taking part in an attack. Some estimates suggest that 15% of all PCs are unwitting participants in botnets.
In the current round of DDOS attacks, the perpetrators are harnessing high-powered corporate servers with high-speed connectivity - 3,000 of them. This botnet farm is capable of aiming 100 gigabytes per second of malicious traffic at its targets, a volume that is too much for a typical network to handle. These servers can't all be shut down at once for logistical reasons: some are mission-critical to their businesses, and shutting them down would be disruptive. So in addition to defending their networks and web servers from DDOS traffic, banks have to make sure servers throughout their own organizations don't get entrapped in the botnets themselves.
"The banks are in a state of panic, they're on hyper-alert," Litan says. "Especially the big ones that haven't gotten attacked yet. They're just waiting for the shoe to drop."
Most banks are constantly evaluating intrusion prevention systems, DDOS mitigation software, and threat intelligence software and services. Banks are also working with their internet service providers on ways to identify and thwart the attacks. One bank that survived an attack relatively well used distributed web servers, so that the attack traffic was spread across them and had less impact.
Experts say it's likely the attacks on banks will resume next week. "I don't think they're going to stop until they get caught," Litan says.
Some theorize that the DDOS attacks will escalate into financial fraud and data theft, which the Izz ad-Din al-Qassam Cyber Fighters Group has insisted it has not conducted so far.