Since Sept. 19, the websites of Bank of America (BAC, Fortune 500), JPMorgan Chase (JPM, Fortune 500), Wells Fargo (WFC, Fortune 500), U.S. Bank (USB, Fortune 500) and PNC Bank have all suffered day-long slowdowns and been sporadically unreachable for many customers. The attackers, who took aim at Bank of America first, went after their targets in sequence. Thursday’s victim, PNC’s website, was inaccessible at the time this article was published.
Security experts say the outages stem from one of the biggest cyberattacks they’ve ever seen. These “denial of service” attacks — huge amounts of traffic directed at a website to make it crash — were the largest ever recorded by a wide margin, according to two researchers.
Banks get hit by cyberattackers all the time and typically have some of the best defenses against them. This time, they were outgunned.
“The volume of traffic sent to these sites is frankly unprecedented,” said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks. “It’s 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack.”
To carry out the cyberattacks, the attackers got hold of thousands of high-powered application servers and pointed them all at the targeted banks. That overwhelmed Bank of America and Chase’s Web servers on Sept. 19, Wells Fargo and U.S. Bank on Wednesday and PNC on Thursday. Fred Solomon, a spokesman for PNC, confirmed that a high volume of traffic on Thursday was affecting users’ ability to access the website, but he declined to go into more detail.
Denial of service attacks are an effective but unsophisticated tool that doesn’t involve any actual hacking. No data was stolen from the banks, and their transactional systems — like their ATM networks — remained unaffected. The aim of the attacks was simply to temporarily knock down the banks’ public-facing websites.
To get hold of all the servers necessary to launch such huge attacks, the organizers needed to plan for months, Alperovitch said. The servers had to be compromised and linked together into a network called a “botnet.”
That level of pre-planning is a deviation from the kinds of denial of service attacks launched at banks in the past by so-called “hacktivists.” Typically, hacktivists use home PCs infected with malware to amass their botnets. Attacks on this scale would be impossible to carry out with home PCs — users too frequently turn them off or disconnect them from the Internet.
The Islamist group Izz ad-Din al-Qassam Cyber Fighters publicly claimed responsibility for the attacks in what it called “Operation Ababil,” but researchers are divided about how seriously to take their claims. The group has launched attacks in the past, but those have been far less coordinated than the recent batch.
Sen. Joe Lieberman, an Independent from Connecticut, said in a C-SPAN interview on Wednesday that he believed the attacks were launched by Iran.
“I don’t believe these were just hackers who were skilled enough to cause disruption of the websites,” he said. “I think this was done by Iran … and I believe it was a response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”
A call requesting comment from the Department of Homeland Security’s cybersecurity office was not immediately returned.
A cybersecurity firm following the attacks also expressed doubt about the connections between the Cyber Fighters and the bank attacks. On social networks and chat forums, the group urged its followers to use a mobile “low orbit ion cannon” — a software tool typically used by Anonymous and other hacktivist groups to direct a massive flood of traffic at a targeted site.
That tool was not used in the attack, according to Ronen Kenig, director of security products at network security firm Radware.
“Supporters of this group didn’t join in the attack at all, or they joined in but didn’t use that tool,” said Kenig. “The attack used a botnet instead.” He doesn’t think the Cyber Fighters would have access to a botnet as advanced as the one used by the attackers.
But CrowdStrike’s Alperovitch said he is “quite confident” the perpetrator was the Izz ad-Din al-Qassam Cyber Fighters, since they announced each attack well before it was carried out, and the attack wasn’t that sophisticated — it just took significant planning. PNC was the last target on the lists the Cyber Fighters have circulated, but more attacks could still be coming.
Both researchers agree that the controversial anti-Muslim YouTube video was not the initial impetus for the attacks, as the Cyber Fighters claimed in messages recruiting volunteers to join in. Before the video was even released, the group claimed responsibility for similar attacks.
“The video is simply an excuse,” Alperovitch said. “It’s a red herring.”