DDoS Attacks Spread Beyond Banking
U.S. Electric Utility Suffers Outage as Bank Strikes Continue
As distributed-denial-of-service attacks on banks continue, a U.S. electric utility also reportedly is a DDoS victim.
On March 7, DDoS protection provider Prolexic announced it had worked with an unidentified metropolitan utility company to mitigate an attack that in mid-February hit the company's website, as well as its online payment and automated pay-by-phone billing systems. The attack took those online platforms offline for two days, Prolexic stated.
There is no evidence to tie this attack to the same hacktivist group, Izz ad-Din al-Qassam Cyber Fighters, that is now in the third phase of its assault on U.S. banking institutions. But the incident does raise concerns that attackers are now focusing on other elements of the U.S. critical infrastructure.
"Utilities are another vertical market that is likely to be victimized in the coming months as attackers look beyond daily targets like e-commerce and financial services," says Stuart Scholly, president at Prolexic, in a statement. "Attackers are targeting network infrastructures to cause collateral damage to other shared resources, so organizations must think about their different areas of vulnerability beyond website URLs."
The DDoS attack was identified by Prolexic as originating within the U.S. and was difficult for the utility company's IT department to detect. Mitigating the attack posed challenges, too, Prolexic notes, because it directly targeted the back-end IP addresses of the utility's Internet-facing network.
During the 48-hour attack, the utility's 1 million customers were not able to pay bills online or by phone, and employees were unable to receive external e-mails, Prolexic says.
DDoS experts say the attack that hit this utility company was not as large as some recent attacks on U.S. banking institutions. But some of the attack patterns are familiar, says Carl Herberger of anti-DDoS solutions provider Radware.
"The attacks are similar, but they are likely being waged by different actors for different reasons," he says. "The attack could have been waged by a hacktivist group or by people who could not pay their bills. It's very difficult to ascribe some ownership to these attacks."
Beyond this incident, Herberger says other unidentified utilities have been targeted in recent weeks. "This is not isolated," he says. "There have been attacks on power companies here and in other parts of the world, too."
Other Industries Ill-Prepared
The utility attack heightens concerns that industries outside of banking are not as well-prepared as banks have been to detect and deflect DDoS incidents.
"[The utility's resources] were under duress," Herberger says. "The U.S. banking infrastructure is under attack, and has been, yet other industries are not so prepared."
Marty Meyer, president of DDoS-prevention provider Corero Network Security, says the utility attack was 10 times smaller, in gigabytes, than the latest wave of attacks hitting U.S. banks. "But just like we've seen the bank attacks progress, we can probably expect the same thing in attacks against other industries," he says.
At first, many observers said the bank attacks were just annoyances, Meyer says. "But now we've seen the attacks evolve to what we saw with the Bank of the West, where funds were actually transferred out," he adds. "If things like this evolve from annoying to actual attacks waged in combination with zero-day and server-targeted exploits, which are increasingly targeting cloud-based applications to get inside the network, then we could have some serious problems."
Meyer's greater worry: Attacks on industrial control systems. "This is why it's good for any industry to pay attention here to what the banks are facing," he says. "This attack on this utility could be an early warning shot and could be a signal that attacks against other industries will evolve like they did against banks."
Phase 3 Bank Attacks
Meanwhile, hacktivists' phase 3 DDoS attacks against banks have entered their third week, and experts say the hits are increasing in magnitude, volume and sophistication.
Although no banking institution confirmed any abnormal strikes or traffic patterns in the past week, Izz ad-Din al-Qassam Cyber Fighters on March 12 announced on the open forum Pastebin that last week it targeted nine institutions - Bank of America, BB&T, Capital One, Citibank, Fifth Third Bancorp, JPMorgan Chase & Co., PNC Financial Services Group, Union Bank and U.S. Bancorp.
DDoS experts from companies such as Akamai Technologies, Corero and Arbor Networks, which have been continually monitoring traffic affecting leading U.S. banks, say the attack patterns have remained consistent since Feb. 25. And a financial executive, who asked not to be named, said attack traffic volumes last week against one institution reportedly totaled 122 gigabytes - the highest so far to hit a single bank. As a point of reference, Prolexic states the attack against the electric utility peaked at 3.3 gigabytes.
The financial executive also notes that the latest attacks revealed new patterns and sophistication. Brobot, the botnet behind the hacktivists' strikes, hit nearly 10,000 servers on March 7, the banking executive tells BankInfoSecurity. Internet-protocol-address blocking proved less effective last week as well. Hacktivists have spliced the botnet so that attacks appear to be coming from multiple IPs, rather than one or two, the executive says.
But banking institutions continue to make enhancements and share information to deflect these strikes. So far, online outages linked to DDoS have dropped significantly since the first wave of attacks that hit in September and October, say experts such as Dan Holden, the director of ASERT for Arbor Networks, a DDoS solutions provider.
"The finance vertical is one that has the most security," Holden said during an interview at RSA Conference 2013. "The fact that the attackers are going after a well-secured vertical is quite scary, because if they went after another vertical, it could be far worse."
Whether hacktivists are just testing their DDoS skills against an industry best equipped to defend itself is a worry, Holden says. If attackers figure out how to knock U.S. banks offline, they will know they've perfected their attacks to a level that can take anyone down, he adds.
"It's a scary prospect," Holden says. "Honestly, they've laid the roadmap for how others [attackers] can do it."