Analysis: Who's Really Behind DDoS?

Sorting Out the Source of Attacks Against Banks

Now that Izz ad-Din al-Qassam Cyber Fighters has launched its fourth phase of distributed-denial-of-service attacks against U.S. banks, many observers are continuing to ask: Who's behind this group, and what are the real motives?

Is al-Qassam really an independent hacktivist group, as it claims? Does it have connections to a nation-state, such as Iran? Or does it have ties to organized crime? And is there a possibility that it has leased out its botnet to multiple groups?

In this analysis, Information Security Media Group weighs the evidence.

al-Qassam has been waging DDoS attacks against leading U.S. banking institutions and a handful of smaller ones since last September. The attacks, designed to disrupt online banking service, have, so far, proven to be more of a nuisance than a malicious threat.

But the launch of this new phase, which was announced July 23, raises new questions about just who is behind Izz ad-Din al-Qassam (see DDoS: Phase 4 of Attacks Launched).

The Group's Message

Since the beginning, al-Qassam has positioned itself as a group of hacktivists - independent attackers who are waging online war against U.S. banking institutions to make a social statement. The group claims the catalyst for the attacks is a movie trailer on YouTube that it deems offensive to Muslims. And because YouTube has not removed links to this trailer, as al-Qassam has asked, al-Qassam is focusing its attack energies on America's core - its financial foundation.

In an Oct. 23 post on the open forum Pastebin, al-Qassam restated its purpose, and noted that the attacks are not being waged to perpetrate fraud.

"We have already stressed that the attacks launch only to prevent banking services temporarily throughout the day and there is no stealing or handling of money in our agenda," the group states. "So if others have done such actions, we don't assume any responsibility for it. Every day we are giving a compulsive break to all employees of one of the banks and its customers."

The post also takes issue with statements made in October by U.S. Defense Secretary Leon Panetta, who during a speech about cybersecurity noted that industries touching critical infrastructure were at risk.

"Mr. Panetta has noted in his remarks to the potential cyberthreats such as attacking on power and water infrastructures, running off trains from the tracks and etc.," the post states. "In our opinion, Panetta's remarks are for distracting the public opinion and in support of the owners of the banks' capital. ... This is capitalism's usual trick."

Then, in November, an alleged member of al-Qassam told ABC News that its attacks were not backed by anyone, nor were they connected to the August 2012 attack on Aramco, a Saudi oil firm, which involved the deletion of data from tens of thousands of computers.

"No government or organization is supporting us, and we do not wait for any support as well," the self-proclaimed al-Qassam member wrote in an e-mail, ABC News reported. "Do you think that the massive protests in the world are done with support? [In] the same manner [that] millions of Muslims in the world protested, hackers are also part of this protest" (see Hacktivist Speaks Out About DDoS).

But many experts have questioned the protest motive and have expressed doubt that al-Qassam is what it says it is.

Experts' Views

Financial fraud analyst Avivah Litan has repeatedly argued these attacks are actually being backed by a nation-state, namely Iran, not independent hacktivists.

Others, such as Bill Wansley of the consultancy Booz Allen Hamilton, have shared similar opinions.

"There are indications that it's an Iranian group," Wansley told BankInfoSecurity in late September 2012. "There are a lot of indicators it's from that region of the world. But these hacktivist groups, frankly, can operate from a number of different locations and give the impression of being from one time zone when they're really not. So it's not conclusive. But there certainly have been some indicators, such as the use of Arabic names, Iranian names and the time zone [and the time of day when the first attacks struck] that would indicate something from that part of the world."

An unnamed source within the U.S. government quoted in the New York Times in May suggested Iran is backing attacks against the U.S. in retaliation for economic sanctions the U.S. has imposed on Iran.

Many security experts, however, have been reluctant to attribute these attacks to any one type of actor. That's because any attribution could only be based on circumstantial evidence in the online world, says Alan Brill, cybercrime investigator and senior managing director at investigations and risk-consulting firm Kroll.

"You can't accept crowd opinion for verified fact," he says. "I think it's still very difficult to attribute things like this, simply because the Internet was never designed to make that easy."

Although Brill admits he has not carefully reviewed the evidence linked to these attacks, he says attribution of these types of attacks is complicated by attackers' ability to mask their points of origin with throw-away IP addresses and anonymous networks.

"Unlike other forms of evidence, such as a fingerprint at a crime scene, which does not change, this stuff is just so fluid," he says. "It's very difficult to put all of the pieces together. And in the case of state actors, you're not going to get a lot beyond circumstantial evidence."

Reviewing Patterns

But what can the industry glean from the most recent attacks? Many experts say the more they learn about al-Qassam, the more confused they are. The group's Pastebin announcements, attack schedules and breaks between attack campaigns have been inconsistent.

Just as soon as the industry thinks it's outlined a pattern, the pattern changes, as shown again in this fourth wave of attacks.

Here, Information Security Media Group spells out some important factors.

Are They Really Hacktivists?

Support for the notion that al-Qassam is a hacktivist group stems from the fact that it claims to be one - and so far, no financial fraud or other type of data compromise has been linked to an al-Qassam attack.

Banking regulators have warned of the potential for DDoS to be used as a mode of distraction for fraud to be perpetrated in the background (see Regulator Warns of DDoS, Fraud Link).

But so far, no account compromises have been associated with al-Qassam attacks.

The group claims it's waging its attacks for social reasons - outrage over a YouTube video deemed offensive to Muslims.

That purpose would suggest this is just a group of hacktivists out for attention.

Is a Nation-State Involved?

But none of the industry experts interviewed for this analysis believes that is truly the motive.

Hacktivists typically want attention. "There's usually some bragging about what was accomplished," Wansley said last year. "That's the typical pattern of some of the hacktivist groups."

While al-Qassam bragged on Pastebin in the early weeks of its attacks, the bragging has waned over time.

Hacktivists also often name their targets in advance. Al-Qassam did this early on, but as the attacks became less effective, that stopped.

During the second and third campaigns, al-Qassam took credit after the attacks. Now, most of that post-attack bragging has stopped as well.

And experts note that these DDoS strikes have been hitting U.S. banking institutions for nearly a year; a hacktivist group would need substantial funding to run an attack campaign that long.

That's why many believe al-Qassam is actually a front for a nation-state, a criminal network - or even a mix of both.

"In this case, there's a group that has an Arabic name that has never been associated with cyber-activity at all," Wansley noted. "[The name has] been associated with Hamas. And for them to, all of the sudden, become a hacktivist group is just really interesting. We've never seen that before. That doesn't mean they're not doing it, but it could also mean they're being used as a cover for some other country or organization to do something."

The timing of this fourth phase further supports the notion that al-Qassam is actually a nation-state actor, Gartner's Litan contends.

The Iranian presidential election, as well as elections for regional posts, occurred June 14. Litan says the attacks were expected to lapse during the election, assuming that the Iranian government is actually funding the attacks.

"We all knew they'd be back after the election," she says. "Really, this is just business as expected."

Based on information she's gathered from law enforcement and some of the attacked banks, Litan concludes: "We know it's Iran because the attacks have been traced back to them, through the files, through the servers."

Is There a Criminal Connection?

But could there be a criminal element involved? Many experts say a connection to organized crime is possible, because the attackers waging these long-term, extensive DDoS strikes are likely getting funding from a nefarious source.

But are there clues al-Qassam is waging its attacks for a criminal purpose?

Brobot, al-Qassam's botnet, keeps growing, experts say. While the attacks waged by Brobot have been unsuccessful at causing any significant online outages during the third and fourth phases, al-Qassam has continued to increase the botnet's size.

Why? Some argue the purpose is to rent out Brobot for a profit - perhaps to cybercrime rings. And attacks linked to Brobot during this campaign may support the notion that Brobot is now being used by more than just al-Qassam.

During the afternoon hours of July 30, Brobot was used to attack merchant sites, seemingly as a coding test for the attacks that kicked off July 31, says Mike Smith of the cybersecurity firm Akamai, which has been tracking and mitigating DDoS activity linked to al-Qassam. The only commonality among the July 30 targets: They all have the word "Da Vinci" in their website URLs, Smith and others confirmed.

"There was no connection to banking at all," Smith says.


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



