In this period we have seen Distributed Denial of Service (DDoS) attacks carried out against the retail banking sector in both the United States and the Netherlands, leading to the disruption of online banking services in both countries. DDoS attacks involve flooding websites with a greater amount of data than they are able to process, reducing the availability of the affected site. The US financial institutions targeted over this period include the Bank of America, Capital One, PNC Bank, TD Bank, Keybank, Citibank, Union Bank, Wells Fargo and Amex; in Holland, initial reports indicate that the websites of the ING, Rabo and SNS banks were targeted, along with the iDEAL payment system.
The attacks against the US banking sector have been claimed by an Islamic self-proclaimed “hacktivist” group, the Izz ad-Din al-Qassam Cyber Fighters. They began in September 2012, and the group has claimed that the campaign is a response to “The Innocence of Muslims” film released at that time, which they consider offensive to Islam. There are however several notable differences between this campaign and other on-line actions carried out by more general hacktivist groups, which we consider may suggest the involvement of a state sponsor, most likely to be Iran. Central amongst these are:
• Persistence. While there have been brief pauses in the campaign, the assault on the US banking sector has easily eclipsed other hacktivist actions in terms of duration and fixation on the same target set. Hacktivist campaigns are more usually characterised by their short duration, with hacktivists frequently shifting targets and issues.
• Technical sophistication. We note that the attackers are continuing to improve both the scale and strategy of their attacks, increasing the amount of data directed at banks’ websites and adopting surge tactics in an attempt to keep banks’ defences off balance. The attacks utilise compromised web servers, which have a far greater attack capacity than individual computers.
• Funding. We assess that both the persistence of the campaign and its technical evolution require a significant investment of funds. While hacktivists are almost uniformly unpaid for their efforts, the continued focus of the attackers strongly suggests that in addition to technical funding, they are also receiving some degree of financial support. Affected banks have also characterised the attacks as "technically sophisticated and well-resourced."
• Intent. While the confirmed attribution of cyber attacks is always problematic due to ease of deception and misdirection, insight may be gained from circumstantial evidence. This campaign is inherently disruptive, seeking to damage confidence in the US banking sector and the US economy, and notably no longer seems to bear any relation to the video – the source of alleged anger, and no longer a particularly current or resonant issue.
Of note is that Izz ad-Din al-Qassam was a prominent preacher and militant leader against colonial powers in the Levant (Syria, Lebanon and Palestine) during the period of occupation in the 1920s and 1930s. His name has been adopted by the military wing of Hamas, the Palestinian group, and the shorter-range rockets used by that group commonly bear his name. As Hamas is believed to receive direct support from Tehran as well as wider Arab countries, this can be seen as a “pan-Islamic” brand, rather than having clear links to Salafist/jihadist conventions - or other Muslim causes more clearly linked to outrage over the film.
So far the attacks have impacted the US banking sector in a number of ways, with the greatest of these being the disruption caused to customers, and a potential reduction in the confidence in the banking sector. Indeed, the issue is receiving increasing attention from mainstream media and is being addressed as a serious issue of concern by policy-makers. Any reduction in consumer confidence is however limited at this stage, with research suggesting that although website downtime has doubled from last year as a result of the attacks, online banking sites of the top 15 US banks have still been 98 percent available. At the present time the attack is not perceived to have had significant impact on other bank operations, or the functioning of ATMs.
Despite the seeming lack of success, we assess that attacks will almost certainly continue over the short to medium term. Whilst their sophistication and scale are expected to increase incrementally, we anticipate that banks’ defences will likely keep pace and that significant service disruptions will be unlikely. The cost involved in improving banks’ cyber defences is however a factor which is yet to be determined; while major banks have generally restricted their comments on the impact of the attacks, seven out of the top ten banks have noted unspecified losses in their annual reports filed with the Securities and Exchange Commission. This may be one of the key goals of the attackers.
At this stage we cannot clearly ascertain if the new wave of operations against banks in Holland is linked. However, taken together these incidents suggest that the targeting of a nation’s retail banking sector is increasingly being adopted by hostile cyber actors. This trend is therefore of significance for the financial sector in the UK, with a broader adoption of this tactic adding a further cyber threat vector to UK businesses.