DDoS Attacks on Banks Resume

Experts Warn Botnet Getting Stronger

Izz ad-Din al-Qassam Cyber Fighters has launched a new wave of distributed-denial-of-service attacks against U.S. banks and credit unions, and experts say institutions can expect more incidents in the coming days.

Just after 10 a.m. ET on Feb. 25, the opening day of RSA Conference 2013, a handful of U.S. banking institutions were reportedly targeted as part of the latest attacks.

The hacktivists confirmed the attacks in a Feb. 26 post on the open forum Pastebin, claiming strikes against Bank of America, PNC Financial Services Group, Capital One, Zions Bank, Fifth Third, Union Bank, Comerica Bank, RBS Citizens Financial Group Inc. [dba Citizens Bank], People's United Bank, University Federal Credit Union, Patelco Credit Union and others.

"This is the last al-qassam's ultimatum to U.S. government, and, we announce that if the insulting films are not removed in the following days the Operation Ababil will be started again next week, March 5, 2013," the group states in its most recent post. "On this basis and to warn and to show our seriousness for this, an attack string was carried out against some U.S. banks on Monday, February 25, 2013."

In its postings over recent months, the hacktivist group has said its attacks have been waged in protest over a YouTube video deemed offensive to Muslims.

Several sources on Feb. 25 told BankInfoSecurity that previously targeted institutions had been hit again. And despite the out-of-character Monday strike - all of Izz ad-Din al-Qassam Cyber Fighters' previous DDoS attacks were initiated on Tuesdays - the characteristics of the attack suggested the same group is behind this newest wave.

Rodney Joffe, a senior technologist for online security provider Neustar Inc., says online activity monitored by his company confirms that some of the largest U.S. banks were targeted on Monday, but he would not name any. He did, however, say the banks were among those that had been targeted last year.

"We started seeing activity on Friday, and it continued over the weekend," Joffe says. "That indicated an attack was being prepared, and it matched the kind of activity we had seen before."

The botnet's increased weekend activity, which included signs of expansion and evolution, coupled with the Izz ad-Din al-Qassam Cyber Fighters' Feb. 19 notice on Pastebin, did give some forewarning, Joffe says. But the fact that the attacks started on Monday and were not previously announced also offered an element of surprise, he adds.

NASDAQ, too, took a DDoS hit Feb. 25, Joffe says, but he would not elaborate about why NASDAQ was attacked on the same day as the banks.

New Wave

In addition to the institutions named by hacktivists in their Feb. 26 post, one executive with a previously targeted institution, who asked to remain unnamed, says Wells Fargo, Citibank, Umpqua Bank, Bank of the West and First Citizens also were among the targeted.

Another expert says the sites that were hit suffered intermittent outages, but it does not appear that any of the strikes caused significant disruptions.

Among those suspected targets, only UMB confirmed a DDoS strike.

"UMB experienced a brief DDoS outage today," bank spokeswoman Kelli Christman said Feb. 25. "During that time, no customer information or data was compromised or accessed and our transactional systems were unaffected. As always, our customers' privacy and security are of the utmost importance and we will continue to monitor the situation to ensure minimal disruption."

Dan Holden, director of the security engineering research team for DDoS-prevention provider Arbor Networks, says multiple institutions were targeted during the Monday attacks, and all of the targets had been previously affected. "I can't say which ones have been hit," he says. "But the botnet seems to be different, in that the attackers have made updates to the toolset." That suggests that the botnet and the attackers using it are being funded and supported by external sources, Holden says.

"Probably the biggest part of this is the fact that they've updated the tools and they have been growing the botnet," Holden says. "That kind of maintenance costs time and energy, and that essentially comes down to money. And for something to go on this long and continue to be updated, that takes a lot of energy and focus by someone, that's for sure."

Hacktivists' History

Izz ad-Din al-Qassam Cyber Fighters launched its first wave of attacks against leading institutions, such as Bank of America and JPMorgan Chase, in protest over the YouTube video.

But in late January, the attacks shifted, and smaller institutions were named among the hacktivists' targets. Shortly after those attacks, Izz ad-Din al-Qassam Cyber Fighters said it planned to suspend its attacks.

In mid-February, the group announced that it expected to reinitiate its attacks against U.S. banks.

Two banking regulatory agencies, the National Credit Union Administration and the Office of the Comptroller for the Currency, have recently issued warnings about DDoS attacks being used as tools of distraction, telling institutions to view these attacks as serious threats. Experts and banking institutions, however, say no evidence has yet been found to suggest that the attacks waged by this hacktivist group have been connected to fraud.

About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
