It has been three weeks since Izz ad-Din al-Qassam Cyber Fighters declared "The break's over and it's now time to pay off," announcing Phase 4 of "Operation Ababil," the nearly year-long campaign of distributed-denial-of-service attacks on major U.S. banks (see DDoS: Attackers Announce Phase 4).
But it has been nearly two weeks since any DDoS activity could be attributed to this group. Which begs the question: Is Phase 4 over before it ever really began? DDoS experts offer varying theories about the recent inactivity.
"I believe that to a large extent, this particular set of attacks is over," says Rodney Joffe, senior technologist at DDoS-mitigation provider Neustar. "If attacks come back, I believe [they] will be a totally new initiative, perhaps by the same actors and perhaps using the same proxy."
Mike Smith, a security evangelist at cybersecurity firm Akamai, says it's hard to be certain why al-Qassam has been silent.
"There are lots of theories that I've heard, but they're just that: theories, conjectures and unproven ideas," he says. "Aside from two Wednesdays at the beginning of Phase 4, they haven't attacked anything."
Historically, DDoS attacks have begun on Tuesdays and ended on Thursdays, but that has not been the pattern Phase 4 has followed. And there are no obvious signs, experts say, that the botnet, known as Brobot, used in the attacks is being geared up for new strikes.
Growth of Brobot has slowed as well.
Phase 4 Attacks
In announcing the start of Phase 4, al-Qassam promised "different" attacks from those that struck nearly 50 U.S. banking institutions in the earlier rounds.
"Planing [sic] the new phase will be a bit different and you'll feel this in the coming days," the group posted July 23 on Pastebin. Yet, since then, DDoS attacks linked to Brobot have struck on just two occasions - July 24 and July 31.
On July 24, JPMorgan Chase and Regions Financial Corp. were targeted by Brobot, experts say. Keynote, an online and mobile cloud testing and traffic monitoring provider, confirmed that both sites experienced intermittent outages on that date that appeared to be DDoS-related. Online outages at Regions actually spanned two days, and electronic banking remained inaccessible throughout that attack window, according to Keynote (see DDoS is Back; 2 Banks Attacked).
Detecting online glitches associated with those attacks took some digging, however, says Aaron Rudger, Keynote's Web performance marketing manager. And while DDoS trackers said some attack evidence suggested a link to Brobot, none were willing to say for certain the attacks came from al-Qassam.
Then, on July 31, attack code linked to Brobot struck a handful of leading U.S. banks, but had no impact on the availability of customer-facing interfaces, such as access to online banking, experts say.
Theories About Attackers
Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham and chief technology officer and co-founder of online security firm Malcovery Security, says there are a few reasons why this phase has not been as aggressive as previous attacks.
"In the early stages, the majority of the bandwidth that they were using for the attacks was from U.S.-based servers," Warner says. "The idea is that if I'm attacking a U.S-.based server, and I want a high bandwidth attack, I'll want most of my attacking nodes to come from U.S.-based infrastructure."
But in this fourth phase, many of the attacking servers are based overseas, he says. "That actually provides a disadvantage to the attacker, in that the bandwidth that is being used is likely to be lower bandwidth and less responsive against American targets."
Also, if one accepts the prevailing theory that al-Qassam is a Muslim group attacking from Iran, then the timing of the break could be linked to the Islamic holiday, Ramadan, Warner says (see Analysis: Who's Really Behind DDoS?).
The group has repeatedly stated it's waging its attacks against U.S. banking institutions in protest of a Youtube movie trailer deemed offensive to Muslims.
"Eid Mubarak is the end of Ramadan, which actually happened on the end of Aug. 8, rolling into Aug. 9," he says. "It's very likely that some of the attackers felt it was inappropriate to be engaging in attack prior to that time. So, as we get into the current week, the first full week past Ramadan, it is likely that we're going to see more activity."
What to Expect Next
Banking institutions are not letting their guards down, despite al-Qassam's break.
Marty Meyer, president of Corero Network Security, another security firm specializing in DDoS-mitigation, says it's not just al-Qassam banks should be worried about. "QCF [Qassam Cyber Fighters] is just not attacking at this point because if they wanted to create disruption, they certainly could," he says. "While many banking institutions have hardened their network defenses against volumetric attacks, many are still vulnerable against application layer DDoS attack vectors."
al-Qassam may go away, Meyer adds. But DDoS strikes from other groups are continually growing and having an impact. One such example: a DDoS attack against RBS Citizens Financial Group, d.b.a., Citizens Bank, on Aug. 8. Meyer and another DDoS expert, who asked not to be named, say the bank's customer-facing online-banking platform took a hit, but not from Brobot.
Citizens Bank did not respond to Information Security Media Group's query about the alleged attack, but the bank did acknowledge DDoS activity in a note posted on its site Aug. 8.
"At the current time, online and mobile banking services are still experiencing intermittent interruptions due to a Distributed Denial of Service (DDoS) disruption," the post stated. "A DDoS disruption hinders customers from accessing websites by slowing sites down or disabling them. Customer accounts and personal information are not compromised."
Neustar's Joffe says criminal groups have learned lessons from al-Qassam and will likely use similar tools and techniques in DDoS attacks waged against banks and other critical infrastructure industries.
"This was a set of attacks that were launched by a specific set of adversaries toward a particular industry," he says. "[It was] a good educational experience for other malicious groups."
Joffe also believes if Brobot's attack activity does pick up in coming days or weeks, industries beyond banking will be targeted.
"If we see another round, we'll start to see disruptions that cause a little more fear in the U.S. public," he says. "We have heard about the compromise of water systems in small towns. I wouldn't be surprised if we really start to see attacks like that," as well as attacks waged against transportation.