A string of cyberattacks that has bedeviled some of the nation's biggest banks appears to have a state sponsor who is taking the battle to the cloud.
The know-how required to mount the attacks, which have slowed the websites of at least six U.S. banks since December, has persuaded U.S. officials that the disruptions are the work of Iran, The New York Times reported Tuesday.
Though security experts have previously tied Iran to the onslaught, whoever is behind the attacks has shown an ability to shift tactics in ways that have left banks vulnerable, according to security experts. The experts also say that regardless of whether Iran is waging the attacks, cyber thieves from around the globe may be piggybacking on the onslaught to commit fraud.
In the attacks that some banks have endured since September, perpetrators have tapped protocols that render transactions secure via encryption, according to Carl Herberger, a vice president of security solutions at Radware, a security firm that has investigated the assaults on behalf of cloud computing providers and financial institutions.
The move has enabled attackers to hit banks with encryption requests that consume bandwidth, processing power and data storage in amounts far exceeding those of the denial of service attacks seen in the past. Herberger points to one unnamed bank that had enough Internet capacity to handle 40 billion bytes of data and saw nearly twice as much traffic swamp its systems. "The multiplying of the flood is unbelievable," Herberger told American Banker. "Their servers, processors and offloading devices simply could not handle this problem."
According to Herberger, the encrypted torrent exploits a vulnerability that banks have been slow to mend. "It was a soft underbelly," Herberger said. "Commercial banking was a little behind on recognizing this challenge."
Experts also say the attackers have infected various cloud computing facilities with a malicious program dubbed Itsoknoproblembro, which can mask the source of the volleys. Attackers have used the bot to commandeer armies of servers that can flood banks' websites with a digital tsunami. "You have an artillery piece instead of a pea shooter," Herberger said.
Herberger says the perpetrators have exploited the trend in which banks and other companies lease processing power and software from remote servers. The result is that banks and cloud computing facilities become intertwined electronically, which can complicate a bank's ability to simply block data from particular Internet addresses when the bank comes under cyberattack. "There's a lot of brilliance in how the 'bro bot has been conceived and executed," Herberger said. Banks have "to figure out what is legitimate traffic versus illegitimate traffic."
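The passages above describe a flood of encrypted-session requests that exhausts a bank's processing power, and the problem that blocking by Internet address is too coarse when legitimate customers share the same cloud infrastructure. The following Python is an added example, not code from the article, Radware, or any bank, and it assumes (an assumption on my part) that the "encryption requests" are TLS handshakes. It reads a hypothetical connection log in which a TLS edge device writes one line per handshake and one per request served over that session, then flags a source only when it both opens sessions at a high rate and rarely uses them, so a busy but legitimate client that sends a request on every session it opens is not caught on volume alone. The log lines are constructed sample data.

```python
"""Flagging TLS handshake floods in connection logs.

Added example with constructed data; the log format is hypothetical and
not taken from the article, Radware, or any bank.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical format: the TLS edge device writes one line per completed
# handshake and one per HTTP request served over a session.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>handshake|request)$"
)

# Constructed sample: 203.0.113.7 opens sessions and never uses them;
# 198.51.100.10 is a busy but legitimate client that sends a request on
# every session it opens; 192.0.2.44 is an ordinary light client.
SAMPLE_LOG = """\
2013-01-08T10:00:00Z src=198.51.100.10 event=handshake
2013-01-08T10:00:00Z src=198.51.100.10 event=request
2013-01-08T10:00:01Z src=203.0.113.7 event=handshake
2013-01-08T10:00:01Z src=203.0.113.7 event=handshake
2013-01-08T10:00:01Z src=203.0.113.7 event=handshake
2013-01-08T10:00:01Z src=198.51.100.10 event=handshake
2013-01-08T10:00:01Z src=198.51.100.10 event=request
2013-01-08T10:00:02Z src=203.0.113.7 event=handshake
2013-01-08T10:00:02Z src=203.0.113.7 event=handshake
2013-01-08T10:00:02Z src=203.0.113.7 event=handshake
2013-01-08T10:00:02Z src=198.51.100.10 event=handshake
2013-01-08T10:00:02Z src=198.51.100.10 event=request
2013-01-08T10:00:03Z src=192.0.2.44 event=handshake
2013-01-08T10:00:03Z src=192.0.2.44 event=request
2013-01-08T10:00:03Z src=198.51.100.10 event=handshake
2013-01-08T10:00:03Z src=198.51.100.10 event=request
2013-01-08T10:00:04Z src=192.0.2.44 event=request
2013-01-08T10:00:04Z src=198.51.100.10 event=handshake
2013-01-08T10:00:04Z src=198.51.100.10 event=request
2013-01-08T10:00:05Z src=198.51.100.10 event=handshake
2013-01-08T10:00:05Z src=198.51.100.10 event=request
"""


def parse_log(text):
    """Return a list of (timestamp, src_ip, event) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["event"]))
    return events


def peak_handshakes(timestamps, window):
    """Largest number of handshakes from one source inside any `window`-long interval."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_sources(events, window=timedelta(seconds=10), max_peak=5, max_ratio=3.0):
    """Summarise each source and flag the ones that look like a handshake flood.

    A source is flagged only when both hold: its peak handshake count inside
    `window` exceeds `max_peak`, and it completes few requests per handshake
    (handshakes / requests above `max_ratio`). Thresholds are illustrative.
    """
    hs_times = defaultdict(list)
    requests = defaultdict(int)
    for ts, src, event in events:
        if event == "handshake":
            hs_times[src].append(ts)
        else:
            requests[src] += 1
    report = {}
    for src in set(hs_times) | set(requests):
        hs = len(hs_times[src])
        req = requests[src]
        peak = peak_handshakes(hs_times[src], window) if hs else 0
        ratio = hs / max(req, 1)  # avoid division by zero for request-less sources
        report[src] = {
            "handshakes": hs,
            "requests": req,
            "peak_in_window": peak,
            "ratio": ratio,
            "flagged": peak > max_peak and ratio > max_ratio,
        }
    return report


if __name__ == "__main__":
    for src, row in sorted(score_sources(parse_log(SAMPLE_LOG)).items()):
        print(src, row)
```

In the sample, 203.0.113.7 and 198.51.100.10 both reach a peak of six handshakes inside the window, but only the first is flagged because it never sends a request; this is the behavioural distinction Herberger describes between legitimate and illegitimate traffic, as opposed to a block on the address alone.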
The attacks also are forcing banks to be on the lookout for attackers who can exploit the distraction of a denial of service attack to wire funds out of customers' accounts. "Fraudsters also use [the attacks] to distract bank personnel and technical resources while they gain unauthorized remote access to a customer's account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover)," the Office of the Comptroller of the Currency warned banks on Dec. 21.
Avivah Litan, vice president and distinguished analyst at Gartner Research, tells American Banker some banks have witnessed fraud in connection with hacktivist attacks. Where theft occurred, the denial of service attack "distracted the bank's security staff so that bad guys were able to get money out of sites that weren't under attack in some cases," Litan said. "If you're a big global bank, you have a lot of different domains."
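The OCC warning and Litan's observation make the same operational point: a denial of service attack on one property should raise the bar for money movement on all of the bank's properties, because the theft tends to happen where nobody is looking. The Python below is an added example, not code from the article, the OCC, Gartner, or any bank. It assumes a feed of outbound ACH and wire transfers and a list of current DDoS windows, and it tightens the manual-review rules while any window is open, deliberately ignoring which domain is being flooded. The thresholds, the "new device" flag, and the window padding are illustrative assumptions; the transfers and the window are constructed sample data.

```python
"""Tightening transfer review while a DDoS is in progress.

Added example with constructed data. Thresholds, the new-device flag and the
window padding are assumptions chosen for illustration, not rules from the
OCC, Gartner or any bank.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ref: str
    ts: datetime
    domain: str        # the bank property the customer session came through
    channel: str       # "ACH" or "WIRE"
    amount: float
    new_device: bool   # session came from a device/IP not previously seen on the account


@dataclass(frozen=True)
class DdosWindow:
    start: datetime
    end: datetime
    domain: str        # the property being flooded


def under_attack(ts, windows, pad=timedelta(minutes=30)):
    """True if ts falls inside any DDoS window (padded on both sides).

    The window's domain is deliberately ignored: the distraction works
    precisely because the fraud targets a property that is not being flooded.
    """
    return any(w.start - pad <= ts <= w.end + pad for w in windows)


def review_decision(t, windows, base_threshold=50_000.0, attack_factor=0.2):
    """Return (hold, reason) for one transfer.

    Outside an attack window only the amount threshold applies. Inside one,
    the threshold drops to base_threshold * attack_factor and any transfer
    from a new device is held for manual review regardless of amount.
    """
    attack = under_attack(t.ts, windows)
    threshold = base_threshold * attack_factor if attack else base_threshold
    if attack and t.new_device:
        return True, "new device during DDoS window"
    if t.amount >= threshold:
        note = " (tightened during DDoS)" if attack else ""
        return True, f"amount {t.amount:,.0f} >= {threshold:,.0f}{note}"
    return False, "ok"


def triage(transfers, windows):
    """Return [(ref, reason)] for the transfers that should be held for review."""
    held = []
    for t in transfers:
        hold, reason = review_decision(t, windows)
        if hold:
            held.append((t.ref, reason))
    return held


# Constructed sample: the retail site is flooded 10:00-11:00; all of the
# transfers below come through the commercial site, which is not under attack.
D = datetime(2013, 1, 8)
SAMPLE_WINDOWS = [DdosWindow(D.replace(hour=10), D.replace(hour=11), "retail.example-bank.test")]
SAMPLE_TRANSFERS = [
    Transfer("T1", D.replace(hour=10, minute=20), "commercial.example-bank.test", "WIRE", 18_000, True),
    Transfer("T2", D.replace(hour=10, minute=25), "commercial.example-bank.test", "ACH", 12_000, False),
    Transfer("T3", D.replace(hour=10, minute=30), "commercial.example-bank.test", "ACH", 4_000, False),
    Transfer("T4", D.replace(hour=14, minute=0), "commercial.example-bank.test", "WIRE", 18_000, True),
    Transfer("T5", D.replace(hour=14, minute=10), "commercial.example-bank.test", "WIRE", 75_000, False),
]

if __name__ == "__main__":
    for ref, reason in triage(SAMPLE_TRANSFERS, SAMPLE_WINDOWS):
        print(ref, reason)
```

T1 and T4 are the same transfer made at different times: during the attack it is held because the session is from a new device, while the afternoon copy passes under the ordinary threshold. T2 is held only because the amount threshold is lowered while the window is open.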