CUInfoSecurity.com

DDoS Attacks Spread Beyond Banking

U.S. Electric Utility Suffers Outage as Bank Strikes Continue

By Tracy Kitten, March 12, 2013.

As distributed-denial-of-service attacks on banks continue, a U.S. electric utility also reportedly is a DDoS victim.

On March 7, DDoS protection provider Prolexic announced it had worked with an unidentified metropolitan utility company to mitigate an attack that in mid-February hit the company's website, as well as its online payment and automated pay-by-phone billing systems. The attack took those online platforms offline for two days, Prolexic stated.

There is no evidence to tie this attack to the same hacktivist group, Izz ad-Din al-Qassam Cyber Fighters, that is now in the third phase of its assault on U.S. banking institutions. But the incident does raise concerns that attackers are now focusing on other elements of the U.S. critical infrastructure.

"Utilities are another vertical market that is likely to be victimized in the coming months as attackers look beyond daily targets like e-commerce and financial services," says Stuart Scholly, president at Prolexic, in a statement. "Attackers are targeting network infrastructures to cause collateral damage to other shared resources, so organizations must think about their different areas of vulnerability beyond website URLs."

Prolexic identified the DDoS attack as originating within the U.S., and it was difficult for the utility company's IT department to detect. Mitigating the attack posed challenges, too, Prolexic notes, because it directly targeted the back-end IP addresses of the utility's Internet-facing network.

During the 48-hour attack, the utility's 1 million customers were not able to pay bills online or by phone, and employees were unable to receive external e-mails, Prolexic says.

Utility Attacks

DDoS experts say the attack that hit this utility company was not as large as some recent attacks on U.S. banking institutions. But some of the attack patterns are familiar, says Carl Herberger of anti-DDoS solutions provider Radware.

"The attacks are similar, but they are likely being waged by different actors for different reasons," he says. "The attack could have been waged by a hacktivist group or by people who could not pay their bills. It's very difficult to ascribe some ownership to these attacks."

Beyond this incident, Herberger says other unidentified utilities have been targeted in recent weeks. "This is not isolated," he says. "There have been attacks on power companies here and in other parts of the world, too."

Other Industries Ill-Prepared

The utility attack heightens concerns that industries outside of banking are not as well-prepared as banks have been to detect and deflect DDoS incidents.

"[The utility's resources] were under duress," Herberger says. "The U.S. banking infrastructure is under attack, and has been, yet other industries are not so prepared."

Marty Meyer, president of DDoS-prevention provider Corero Network Security, says the utility attack was 10 times smaller, in gigabytes, than the latest wave of attacks hitting U.S. banks. "But just like we've seen the bank attacks progress, we can probably expect the same thing in attacks against other industries," he says.

At first, many observers said the bank attacks were just annoyances, Meyer says. "But now we've seen the attacks evolve to what we saw with the Bank of the West, where funds were actually transferred out," he adds. "If things like this evolve from annoying to actual attacks waged in combination with zero-day and server-targeted exploits, which are increasingly targeting cloud-based applications to get inside the network, then we could have some serious problems."

Meyer's greater worry: Attacks on industrial control systems. "This is why it's good for any industry to pay attention here to what the banks are facing," he says. "This attack on this utility could be an early warning shot and could be a signal that attacks against other industries will evolve like they did against banks."

Phase 3 Bank Attacks
