A series of sophisticated foreign cyberattacks against the websites of U.S. banks represents a serious escalation in global cyberconflict, according to security specialists and former officials.
“These are significant attacks,” retired U.S. cyberwarrior Lt. Gen. Harry D. Raduege said. “They should be considered a warning of the cyber cold war.”
Sen. Joe Lieberman, Connecticut independent and the chairman of the Senate Homeland Security Committee, says he believes Iranian special forces were behind the attacks, which have struck a half-dozen major U.S. banks over the past two weeks.
If that is true, it would make the attacks the first foreign cyberstrike aimed at disrupting U.S. critical infrastructure and affecting the daily lives of ordinary Americans, rather than attempting to penetrate computer networks at government agencies or private firms to spy on them.
The attacks prevented many customers from getting online for up to a day or more, according to statements by the banks and reports on social media sites. They appear aimed at undermining customer confidence, according to Mr. Raduege, now chairman of the Deloitte Center for Cyber Innovation.
“If you have been attacked like this, it can hurt customer confidence and it can hurt your brand,” he said. Companies “must have cyberpolicy and strategy” to counter such attacks and protect their reputation, he added.
But temporary Web difficulties generally do not cause banks to lose customers, noted information security consultant Adam L. Rice.
“No one likes the bad press, which is the point of the attacks. But studies have shown that people will probably not quit their banks because” of attacks such as these, Mr. Rice said.
The attacks flooded the banks’ websites with fake Internet traffic, meaning real users could not get through to log on, in some cases for several days. Known as a “distributed denial of service,” or DDoS, attack, this brute-force tactic is one of the oldest and simplest cyberattacks to stage. It is especially attractive against entities such as banks, whose systems are otherwise well defended: a flood needs no foothold inside the target’s network, only enough traffic to exhaust its capacity.
“For highly protected environments, it is easier to perform a DDoS [attack] than performing an intrusion or other more advanced attacks,” said Jaime Blasco of the European cybersecurity company Alienvault.
The hackers advertised online to recruit volunteers — known as “hacktivists” — to join in the attack, using a program volunteers could download that turns their computer into an attack node under the hackers’ control.
But given the high Internet-traffic capacity of the target websites, Mr. Blasco added, it was doubtful that hacktivists could have achieved the impact they did unaided.
“It is very likely that other actors have been involved using other more advanced techniques” to generate traffic to block the sites, he said.
Mr. Lieberman said last week that he believed Tehran was behind the attack, specifically a special unit of Iran’s Revolutionary Guard Corps.
“I don’t believe these were just random hackers,” he said on C-SPAN. “I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability.”
Mr. Lieberman said he thought the efforts targeted banks because of U.S. financial sanctions against Iran. “It is, if you will, a counterattack in response to our sanctions against Iranian financial institutions,” he said.
The Web attacks on U.S. banks come as the White House confirmed that it, too, had been the target of hackers recently.
This attack was launched via a targeted email sent to a user of an unclassified network, a White House official told The Washington Times in a statement. “In this instance the attack was identified, the system was isolated, and there is no indication whatsoever” that any data had been stolen, the official said.
Mr. Raduege dismissed the attack as “one of the millions of low-level daily attacks against government agencies and private companies, a part of the daily cyber cold war.”
He said that any cyberattack could be sorted into one of three categories: The lowest was what he called “tactical, a cold war … a small ‘W’ war” — the continuing daily assault by cyberspies, criminals and other malefactors against government and private sector systems.
The second was “operational” — serious attacks actually aimed at disrupting infrastructure, such as the bank attacks. At this level, he said, “There is political confrontation … a lot of accusations flying back and forth [between countries] a lot of finger pointing.”
The third level was “strategic” — attacks designed to destroy infrastructure, kill citizens or cause financial devastation. At this level, said Mr. Raduege, there is “military confrontation … that’s the one we want to stay away from.”
Banks and other big commercial entities can easily buy services to mitigate these kinds of attacks, said Mr. Rice, who was previously head of security for the world’s largest Internet service wholesaler, Tata Communications.
Service providers “have enormous capacity, so they absorb the attack, clean it [of the fake traffic], and pass [the real visitor’s traffic] along [to the website] clean,” said Mr. Rice. But these DDoS mitigation services are very expensive.
“If a bank’s Web page is down for a few hours … then an apology is [usually] much cheaper than the service,” Mr. Rice said.
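The “absorb it, clean it, pass the real traffic along” model Mr. Rice describes, and the flood of fake traffic described earlier in the article, can be illustrated with a toy scrubber. The code below is an added example written for this page, not code from the article, from the banks or from any mitigation vendor. It parses constructed web-server access-log lines (Common Log Format; the addresses and timestamps are made up), tracks each source’s request rate in a sliding window, drops traffic from any source that exceeds an assumed threshold of 10 requests per 5 seconds, keeps that source blocked for an assumed 60 seconds, and forwards everything else. The window, limit and block duration are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format), not real bank traffic.
# Two legitimate visitors make a handful of requests spread over several seconds;
# one flood source fires 12 requests in the same second and one more later.
LEGIT_LINES = [
    '198.51.100.10 - - [26/Sep/2012:10:00:00 +0000] "GET /login HTTP/1.1" 200 1043',
    '198.51.100.20 - - [26/Sep/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.10 - - [26/Sep/2012:10:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.20 - - [26/Sep/2012:10:00:05 +0000] "GET /accounts HTTP/1.1" 200 2211',
    '198.51.100.10 - - [26/Sep/2012:10:00:07 +0000] "GET /accounts HTTP/1.1" 200 2211',
]
FLOOD_LINES = [
    '203.0.113.7 - - [26/Sep/2012:10:00:02 +0000] "GET /login HTTP/1.1" 200 1043'
    for _ in range(12)
] + ['203.0.113.7 - - [26/Sep/2012:10:00:30 +0000] "GET /login HTTP/1.1" 200 1043']
SAMPLE_LOG = "\n".join(LEGIT_LINES + FLOOD_LINES)

# source, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_line(line):
    """Return (source_ip, timestamp, request) or None if the line is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, req, _status, _size = m.groups()
    return src, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req


def scrub(log_text, window_s=5, limit=10, block_s=60):
    """Absorb the request stream, drop requests from any source that exceeds
    `limit` requests within `window_s` seconds (then block it for `block_s`),
    and forward the rest. Returns (forwarded, dropped, blocked_sources).
    Thresholds are illustrative assumptions, not values from the article."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[1])  # the sliding window needs time order
    recent = defaultdict(deque)      # source -> timestamps still inside the window
    blocked_until = {}               # source -> time at which its block expires
    forwarded, dropped = [], []
    for src, ts, req in events:
        if src in blocked_until and ts < blocked_until[src]:
            dropped.append((src, ts, req))
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()              # forget requests that fell out of the window
        if len(q) > limit:
            blocked_until[src] = ts + timedelta(seconds=block_s)
            dropped.append((src, ts, req))
        else:
            forwarded.append((src, ts, req))
    return forwarded, dropped, sorted(blocked_until)


if __name__ == "__main__":
    fwd, drp, blocked = scrub(SAMPLE_LOG)
    print(f"forwarded {len(fwd)} requests, dropped {len(drp)}, blocked {blocked}")
```

On the sample above the scrubber forwards the five legitimate requests plus the first ten flood requests, then drops the rest from 203.0.113.7 and keeps it blocked. A per-source rate limit is the simplest scrubbing signal and is exactly what a large, well-provisioned provider can afford to apply in front of a site; it is also why, as Mr. Blasco notes, a volunteer flood alone rarely suffices against a high-capacity target, and why “more advanced” attackers spread requests across many sources, which this filter on its own would not catch.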