WASHINGTON (Reuters) - The series of cyber attacks that repeatedly knocked major U.S. banking websites offline in the past nine months has been more powerful than the general public realizes, government officials and security experts told the Reuters Cybersecurity Summit.
A self-described activist group, Cyber Fighters of Izz ad-din Al Qassam, has claimed credit for the distributed denial-of-service (DDoS) attacks that took down the websites of more than a dozen U.S. banks for hours or even days at a time. Members of congressional intelligence committees say the attacks are sponsored by Iran and show its growing capability in cyberspace.
U.S. banks, Internet service providers and security companies “have had trouble keeping up with the recent DDoS attacks that have had the sophistication and the level of resources that a nation-state entity like Iran can devote to them,” House Intelligence Committee Chairman Mike Rogers told Reuters.
“As a result, many key parts of our telecommunications and financial services infrastructure have been stressed to a dangerous level,” Rogers said.
In three waves of attacks since September, consumers have reported inability to conduct online transactions at more than a dozen banks, including Wells Fargo & Co (WFC.N), Citigroup Inc (C.N), JPMorgan Chase & Co (JPM.N) and Bank of America Corp (BAC.N). Banks have spent millions of dollars to fend off the hackers and restore service.
In DDoS attacks, thousands of computers all try to contact a target website at the same time, overwhelming it with meaningless connections until it is rendered inaccessible.
The banks have said little about their frantic efforts behind the scenes to restore websites, and industry groups have generally played down the impact and severity of the attacks.
But Rogers, U.S. Secretary of Homeland Security Janet Napolitano, and FBI Executive Assistant Director Richard McFeely told the summit this week that the progression of intense electronic assaults had spurred new efforts to coordinate among companies, sectors, and governments.
“The increasing frequency with which we have seen that has really increased our relationship with financial institutions,” Napolitano told the summit in Washington.
During past denial-of-service attacks, those companies would work closely with their customers and perhaps outside security contractors to help weed out malicious traffic while allowing real customers to connect.
But beginning last fall, as the DDoS attacks grew in volume and as hackers rapidly changed tactics, AT&T and Verizon began swapping techniques with each other as well.
As things stand, “the vast majority of our interaction during distributed denial of service attacks is directly with our customers,” said Edward Amoroso, AT&T’s chief security officer. “We also communicate with other Internet service providers serving those customers.”
The attacks were substantially larger than past denial-of-service campaigns that likewise relied on networks of computers infected by malicious software giving outsiders remote control of their web surfing and other functions. This time, the attackers used infected computer servers capable of delivering more traffic than ordinary personal computers.
More alarming were the rapid changes in website functions targeted by the machines, including the secure-communications protocols through which banks identify customers, according to George Kurtz, chief executive of security firm CrowdStrike.
“They used to change every few days, but then it was every hour, and then every few minutes,” Kurtz said.
“The financial services group are tired about getting punched in the face,” he said.
Officials said they were concerned that the attacks could be used as a cover for attempts at theft from bank accounts or to destroy critical data, but they had not seen evidence of that. They worry that the assailants are learning about the banks by monitoring their responses.
Though denial-of-service attacks by themselves do not destroy anything and have historically been seen as a nuisance, the sheer number of compromised computers available for rent to criminals and countries means that enough firepower could be brought to bear to crash any Internet-facing site, experts said.
As a result, it is impossible to know how much defense is necessary and difficult to know how much is appropriate.
“It is a reality that nobody knows how much DDoS it takes before something starts to break,” National Security Agency Director Keith Alexander, also head of the U.S. Cyber Command, told the summit.
Reporting by Joseph Menn; Editing by Tiffany Wu and Tim Dobbyn