Banks' Cyber Attackers Are Sponsored by Iran, Using Cloud Computing: Report

A string of cyberattacks that has bedeviled some of the nation's biggest banks appears to have a state sponsor who is taking the battle to the cloud.

The know-how required to mount the attacks, which have slowed the websites of at least six U.S. banks since December, has persuaded U.S. officials that the disruptions are the work of Iran, The New York Times reported Tuesday.

Though security experts have previously tied Iran to the onslaught, whoever is behind the attacks has showed an ability to shift tactics in ways that has left banks vulnerable, according to security experts. The experts also say that regardless of whether Iran is waging the attacks, cyber thieves from around the globe may be piggybacking on the onslaught to commit fraud.

In the attacks that some banks have endured since September, perpetrators have tapped protocols that render transactions secure via encryption, according to Carl Herberger, a vice president of security solutions at Radware, a security firm that has investigated the assaults on behalf of cloud computing providers and financial institutions.

The move has enabled attackers to hit banks with encryption requests that consume bandwidth, processing power and data storage in amounts that far exceed denial of service attacks on display in the past. Herberger points to one unnamed bank that had enough Internet capacity to handle 40 billion bytes of data that saw nearly twice as much traffic swamp its systems. "The multiplying of the flood is unbelievable," Herberger told American Banker. "Their servers, processors and offloading devices simply could not handle this problem."

According to Herberger, the encrypted torrent exploits a vulnerability that banks have been slow to mend. "It was a soft underbelly," Herberger said. "Commercial banking was a little behind on recognizing this challenge."

Experts also say the attackers have infected varied cloud computing facilities with a malicious program dubbed Itsoknoproblembro, which can mask the source of the volleys. Attackers have used the bot to commandeer armies of servers that can flood banks' websites with a digital tsunami. "You have an artillery piece instead of a pea shooter," Herberger said.

Herberger says the perpetrators have exploited the trend in which banks and other companies lease processing power and software from remote servers. The result is that banks and cloud computing facilities become intertwined electronically, which can complicate a bank's ability to simply block data from particular Internet addresses when the bank comes under cyberattack. "There's a lot of brilliance in how the ‘bro bot has been conceived and executed," Herberger said. Banks have "to figure out what is legitimate traffic versus illegitimate traffic."

The attacks also are forcing banks to be on the lookout for attackers who can exploit the distraction of a denial of service attack to wire funds out of customers' accounts. "Fraudsters also use [the attacks] to distract bank personnel and technical resources while they gain unauthorized remote access to a customer's account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover)," the Office of the Comptroller of the Currency warned banks on Dec. 21.

Avivah Litan, vice president and distinguished analyst at Gartner Research, tells American Banker some banks have witnessed fraud in connection with hacktivist attacks. Where theft occurred, the denial of service attack "distracted the bank's security staff so that bad guys were able to get money out of sites that weren't under attack in some cases," Litan said. "If you're a big global bank, you have a lot of different domains."

According to Litan, more than one group may be involved in the incursions. She says she has heard from some sources that Iran is behind the attacks while others sources say the attacks have nothing to do with the Islamic Republic. Litan says it's also possible that other hackers from elsewhere in the world are taking advantage of a state sponsor's efforts to take money. "I've heard both sides to the story so I'm assuming there are multiple phenomena," Litan added.

On Thursday, Fifth Third Bank (FITB) became the latest bank to see its website hit by an attack. The Cincinnati, Ohio-based bank joins PNC Bank (PNC), U.S. Bank (USB), BB&T (BBT) and Citigroup (NYSE: C), which all have seen their websites besieged since December. On Dec. 10, hacktivists who call themselves the al Qassam Cyber Fighters Group, which has claimed responsibility for so-called denial of service attacks on at least twelve banks worldwide since September, vowed to reprise the assaults as part of a second phase of its operation.

The al Qassam group says it will continue its campaign so long as an American-made, anti-Muslim film remains posted on YouTube, which has said the video comports with the company's content guidelines. Though the group told American Banker in October that it operates without a state sponsor, U.S. intelligence officials have said since September that it fronts for Iran.

Defense Secretary Leon Panetta told a business group in October that the Islamic republic has "undertaken a concerted effort to use cyberspace to its advantage," although he stopped short of charging Iran with being behind the attacks on banks. For its part, Iran has denied the coordinating the attacks.

Whoever stands behind the al Qassam group, it promises more attacks on banks so long as the trailer remains on YouTube. "Cyber-attacks of al-Qassam C.F. in recent weeks showed that despite the high cost of U.S. banks to deal with these attacks, the attacks cannot go under control and are unstoppable," the group said in an email on Tuesday.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER