Today begins week seven of the Izz ad-Din al Qassam Cyber Fighters Group's "Operation Ababil," in which they're targeting large U.S. banks with distributed denial of service attacks. But while banks have reason to be prepared for and concerned about further attacks, there's also reason to believe that the perpetrators can and will be caught, according to A. Bryan Sartin, director of the risk team at Verizon, who has been leading an investigation of these incidents. (The major network providers, such as Verizon, have an unparalleled ability to view network traffic and identify the sources and behavior of malicious attacks. They're being called upon by the government and banks to investigate and share their findings.)
"With most any investigation, there's a perception in the public, especially in the commercial space, that when cybercrimes happen, they don't lead to arrest and prosecution," he says. "But the truth is, they almost always do and we almost always know who's behind them. I would say that for almost 80% of electronic crimes we're able to say specifically who's behind them, what handles they use, what other crimes they've been engaged in and where they were exactly when the crime took place. The smart money would suggest that's the case here."
Sartin could not share specific findings of his group's investigation so far. He does believe the hacktivists will continue their protests, which allegedly are a response to an anti-Muslim video called "Innocence of Muslims" that was posted on YouTube in September.
"They openly stated in their threats that they were going to cease operations for several days last week and regroup and come back at us later," he says. "It stands to reason we'll see more of this."
The large-scale denial of service attacks, which have caused slowdowns and outages for the web servers of at least 10 major U.S. banks, are an example of Hacktivism 2.0, a new type of threat that is here to stay, Sartin says. "Instead of dealing with loosely affiliated groups of individuals like Anonymous, this seems to be a very different adversary with deeper resources than what we've seen in other hacktivist attacks. One could go so far as to say they're more organized. That being said, they're less concerned about prosecution" and covering their tracks, he says.
Although investigators aren't sharing details, they do know much about the Cyber Fighters' attacks. "DDOS attacks are noisy, obvious, blatant things, so it's easy to see where the attacks are coming from," Sartin says. "It's also easy for investigators to vector in on who's controlling those attacking systems."
Although some observers have theorized that the Cyber Fighters stopped their attacks last week because some of the machines they were using had been identified (the group's stated reason for taking a break was to celebrate the Muslim holiday Eid al-Adha), Sartin disagrees. "I would love to say that's the case, but I think it's extremely unlikely, especially when they said 'we're going to stop for a few days, enjoy the time off, we'll be back Monday.'"
What are the most logical next steps for the cyber crime ring?
"It could be all kinds of things — it could be data theft, it could be espionage," Sartin says.
One clue: this year, starting the first week in March, Verizon investigators began noticing that suddenly, about five out of six of cyber crimes were espionage attacks against national critical infrastructure. The current DDOS attacks and the critical infrastructure incidents could well merge into a single adversary, he says. And their objectives may be far-ranging than we realize.
"This version 2.0 hacktivist is a group with a clear affiliation and motivation that is more political, and this kind of an adversary could be tied to a number of the critical infrastructure issues we're seeing here, in Europe and in the Middle East and Asia," Sartin says.
Application of security basics such as strong passwords could help banks defend themselves from the ongoing threat. "One area where improvement is needed is incident detection — first understanding your threat landscape and then being set up to recognize and react to those threats. How people do that effectively comes down to cyber intelligence — getting it, processing it and applying what's relevant to your business. Unfortunately you don't see as many people in the financial sector, which has been hit so many times in the past with electronic crimes, participating in the exchange of cyber-related intelligence."