RSA Conference 2013

Izz ad-Din al-Qassam Cyber Fighters has launched a new wave of distributed-denial-of-service attacks against U.S. banks and credit unions, and experts say institutions can expect more incidents in the coming days.

Just after 10 a.m. ET on Feb. 25, the opening day of RSA Conference 2013, a handful of U.S. banking institutions were reportedly targeted as part of the latest attacks.

The hacktivists confirmed the attacks in a Feb. 26 post on the open forum Pastebin, claiming strikes against Bank of America, PNC Financial Services Group, Capital One, Zions Bank, Fifth Third, Union Bank, Comerica Bank, RBS Citizens Financial Group Inc. [dba Citizens Bank], People's United Bank, University Federal Credit Union, Patelco Credit Union and others.

"This is the last al-qassam's ultimatum to U.S. government, and, we announce that if the insulting films are not removed in the following days the Operation Ababil will be started again next week, March 5, 2013," the group states in its most recent post. "On this basis and to warn and to show our seriousness for this, an attack string was carried out against some U.S. banks on Monday, February 25, 2013."

In its postings over recent months, the hacktivist group has said its attacks have been waged in protest over a YouTube video deemed offensive to Muslims.

Several sources on Feb. 25 told BankInfoSecurity that previously targeted institutions had been hit again. And despite the out-of-character Monday strike - all of Izz ad-Din al-Qassam Cyber Fighters' previous DDoS attacks were initiated on Tuesdays - the characteristics of the attack suggested the same group is behind this newest wave.

Rodney Joffe, a senior technologist for online security provider Neustar Inc., says online activity monitored by his company confirms that some of the largest U.S. banks were targeted on Monday, but he would not name any. He did, however, say the banks were among those that had been targeted last year.

"We started seeing activity on Friday, and it continued over the weekend," Joffe says. "That indicated an attack was being prepared, and it matched the kind of activity we had seen before."

The botnet's increased weekend activity, which included signs of expansion and evolution, coupled with the Izz ad-Din al-Qassam Cyber Fighters' Feb. 19 notice on Pastebin, did give some forewarning, Joffe says. But that the attacks started on Monday and were not previously announced also offered an element of surprise, he adds.

NASDAQ, too, took a DDoS hit Feb. 25, Joffe says, but he would not elaborate about why NASDAQ was attacked on the same day as the banks.

New Wave

In addition to the institutions named by hacktivists in their Feb. 26 post, one executive with a previously targeted institution, who asked to remain unnamed, says Wells Fargo, Citibank, Umpqua Bank, Bank of the West and First Citizens also were among the targeted.

Another expert says the sites that were hit suffered intermittent outages, but it does not appear that any of the strikes caused significant disruptions.

Among those suspected targets, only UMB confirmed a DDoS strike.

"UMB experienced a brief DDoS outage today," bank spokeswoman Kelli Christman said Feb. 25. "During that time, no customer information or data was compromised or accessed and our transactional systems were unaffected. As always, our customers' privacy and security are of the utmost importance and we will continue to monitor the situation to ensure minimal disruption."

Dan Holden, director of the security engineering research team for DDoS-prevention provider Arbor Networks, says multiple institutions were targeted during the Monday attacks, and all of the targets had been previously affected. "I can't say which ones have been hit," he says. "But the botnet seems to be different, in that the attackers have made updates to the toolset." That suggests that the botnet and the attackers using it are being funded and supported by external sources, Holden says.

"Probably the biggest part of this is the fact that they've updated the tools and they have been growing the botnet," Holden says. "That kind of maintenance costs time and energy, and that essentially comes down to money. And for something to go on this long and continue to be updated, that takes a lot of energy and focus by someone, that's for sure."

Hacktivists' History

You might also be interested in...

Security: Going Beyond Compliance

Tipton of (ISC)² Says Technology Can Only Go So Far

Breaches: Avoiding 'Victim's Fatigue'

Kevin Mandia Warns Against Letting Guard Down

Preview: RSA Conference 2014

New Tracks Include Analytics and Forensics, Security Strategy

Exclusive Events

• Information Security as a Competitive Advantage

• Anatomy of a Data Breach: What You Say (or Don't Say) Can Hurt You

• Healthcare Information Security: The 2014 Agenda

• Cyber-Attacks: How to Reduce Your Risks

RSA Press Releases

Arxan Technologies

Arxan Partners with HP to Provide Comprehensive Application Security Solution

Becrypt

Becrypt shows latest innovations in secure Virtual Desktop Infrastructure with tVolution at RSA 2013

Security Agenda