It's tempting to dismiss the hacktivist group Anonymous' latest threats of cyberattacks against banks. They are just a bunch of young anarchists, some say. These denial of service attacks are just a nuisance, say others.
There is some truth to such thinking. For the most part, distributed denial of service attacks — waves of malicious traffic sent to a website in an effort to take it down — are just annoying. The group is disorganized and contradicts itself in its public messages.
And yet, there is potential for this attack to inflict some damage. There are signs that Anonymous is getting more capable. Late last year the group brought down 400,000 servers in Turkey. This week it shut down the Bank of Greece's website for a brief period on Tuesday and the Bank of Mexico's site on Thursday. And the costs of DDoS attacks are high: A study conducted by the Ponemon Institute and Akamai Technologies found the average cost of DDoS attacks on companies was $1.5 million a year.
Anonymous, sometimes described as a loosely organized "Internet gathering," first began launching DDoS attacks in 2008 against the Church of Scientology. In 2010 it launched Operation Payback, which initially targeted companies and organizations, like the Motion Picture Association of America, that were trying to enforce copyrights.
The group first came onto the financial industry's radar in 2010, when as part of Operation Payback, Anonymous began targeting companies that criticized or refused to accept payments on behalf of WikiLeaks after that organization leaked classified government records — these included PayPal, MasterCard and Bank of America. Thirteen Anonymous members, all Americans and most in their 20s, were criminally charged for that attack in 2013.
In December 2015, Anonymous took responsibility for a very successful, persistent denial of service attack on servers in Turkey, in protest of the country's support of groups related to ISIS. The attack peaked at more than 200Gbps. As a result, all traffic to Turkey was cut off in an attempt to mitigate the attack, leaving more than 400,000 websites offline.
"They were threatening ISIS itself at one point," noted Avivah Litan, vice president at the research and analysis firm Gartner. "I liked them a lot more after that."
This year, Anonymous first started its current attack on the financial industry, Operation Icarus, in February. The motive: to punish the financial system for a broad range of actions, including high fees and interest rates, foreclosures and bailouts.
That first wave did not have much impact. "It was a small campaign, and they were not well organized," said Daniel Smith, security researcher at Radware and a former member of Anonymous. "They were recommending very basic tools."
This week, the group, which now has an estimated 1.2 million members, launched a second wave of Operation Icarus in which it hit the Bank of Greece and the Bank of Mexico and claims it will be targeting financial organizations around the globe over the next 30 days. In this round, they are far more organized, Smith said, with more attackers and more sophisticated tools. The DDoS weapons they are using including TorsHammer, SlowLoris, PyLoris, TorStress, Slowhttptest, Xerxes and Ufonet — all open source tools that can be found on GitHub or Pastebin.
Confusingly, Anonymous has announced different sets of targets on its YouTube pages (PayPal, MasterCard, Visa, the New York Stock Exchange, Nasdaq, the Bank for International Settlements, all central banks, the International Monetary Fund, the London Stock Exchange) and the "master list" of targets it posted on Pastebin (including the websites of the Federal Reserve and nine of its 12 regional banks; the World Bank; and the central banks of countries including the United Kingdom, Albania, Aruba, Malta, Canada, France, Greece, Japan and Italy).
"It's not a well-organized group," Litan said. "They really are an anarchic, chaotic group of young kids. But that doesn't mean they can't do a lot of damage if they're getting more resources. If you've got a motive and an actor, you just need money."
Assessing the Threat
Some in the industry, like Russell Stern, the chief executive of SolarFlare, a provider of servers and software he says are used in 98% of exchanges and trading firms, play down the seriousness of Anonymous' threat. He pointed out that while Anonymous said it wants to bring down exchanges like the NYSE and Nasdaq, it cannot.
"None of the exchange infrastructure within exchanges I know about has Web-facing technology," he said. "Everybody's got a website, but the trading environments are not connected to it."
The threat "is more of a scare — we're going to attack exchanges — as if that's somehow easy to do and all you do is just hook up some passwords and you're into the NYSE," he said. "It doesn't work like that."
Anonymous has not been as effective at its DDoS attacks on banks as the Iranian group Al Qassam Cyber Fighters, which took down several banks' websites for many hours in the fall of 2012.
"Anonymous has just been an annoyance factor," Litan said. "It's day and night between them and the Iranian attacks."
But she does not dismiss the latest threat. "Not everybody's that prepared, and you still don't want these guys on your website. And they may be able to get better code."
The technology that would enable the group to launch high-bandwidth attacks that could cripple banks' Web servers is readily available, Litan noted. "For Anonymous, it's just a matter of having the money to buy it," she said. "If they get enough sympathizers and start getting more organized at raising money, we need to take them seriously. They have brand recognition and name recognition."
State of Defense
Many companies mentioned in Anonymous' target lists, including Visa, MasterCard and PayPal, are well equipped to deal with large-scale DDoS attacks, because of their past experiences with Iranian and Anonymous attackers.
Generally, banks have gotten better at DDoS mitigation since 2013. "They know this is still a prevalent and growing threat," said Ben Desjardins, director of security solutions at Radware, a DDoS protection service provider. In a recent survey, 87% of financial services respondents said they got hit with at least one DDoS attack last year and expect more this year.
Some listed targets, like the World Bank and the Bank of Albania, and smaller banks that could get caught up in this initiative, may be more vulnerable, especially to an attack the size of the one launched in Turkey.
"Most sites are not prepared for 40Gbps attacks," Litan said. "They may be prepared for 10 or 11."
For banks that are not on Anonymous' target lists, the risk of a DDoS attack is low, but they still need to be prepared.
"Every bank needs to have a contingency plan today, whether Anonymous is active or not, because of what's happened in the past," she said. "If you're not prepared because you're asleep at the wheel," banks could suffer damage. "It's a piece of your security arsenal that you need to have ready."
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.