Open speculation on the source of a series of Distributed Denial of Service (DDoS) attacks targeting U.S. financial institutions continues to make the rounds on the web, with fingers pointing at the Iranian government, Russian crime syndicates, and rumors that the operation may be a false flag event to garner support for another American military operation in the Middle East. But the problem with accurate attribution is that its largely circumstantial, so who’s to say for sure?
This week HSBC officials confirmed that the international bank has joined the ranks of targeted institutions, which include Wells Fargo, US Bank, PNC, Bank of America, JPMorgan Chase, Capital One, Suntrust Bank and Regions. As with the others, HSBC reported they experienced minor website disruptions, and offered assurances that no customer or corporate data was compromised in the attacks.
The attack came just days after the Islamic extremist group Izz ad-Din al-Qassam Cyber Fighters vowed to continue attacks targeting U.S. financial institutions in protest of a widely denounced YouTube video. But there is continued chatter that the group may not be the real culprits.
One of the first to place blame at the feet of the Iranians was Senator Joe Lieberman, who several weeks ago stated that he believes the Iranian government forces may be responsible for the continued assault on the financial institutions. “I don’t believe these were just random hackers. I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability,” Lieberman had said on C-SPAN.
This week, James Rohr, CEO of PNC Bank, told CNBC that unnamed U.S. government officials traced the attacks to Iran. “Now they’re talking about they sourced it from Iran… The government have come out and said they’ve traced it to Iran,” Rohr is quoted as stating, though he declined to specify where the information came from.
The notion is plausible, as the Iranian government is fairly convinced they have been the target of numerous attacks from the West and Israel by way of sophisticated designer malware like Stuxnet and Flame. But given the Iranians well documented technical savvy, one would wonder why they would resort to such remedial actions as limited duration DDoS attacks, typically the dominion of hacktivist types.
Then there is the more well-founded speculation by authorities and some security experts that the DDoS attacks were being used as a diversionary tactic in unison with the spear-fishing campaign by criminal syndicates in Russia.
On September 19, the Financial Services – Information Sharing and Analysis Center FS-ISAC had warned member institutions to be vigilant after having received “credible intelligence regarding the potential for DDoS and other cyber attacks” aimed at the financial sector. The advisory was issued just one day after FS-ISAC, the FBI and the Internet Crime Complaint Center (IC3) jointly published an alert warning of an uptick in the targeting of financial institution employee network access credentials in an attempt to conduct fraudulent wire transfers.
“The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer,” the advisory stated.
Some mainstream news outlets and prominent security journalists have jumped on the bandwagon citing evidence that there is a “mega-heist” underway at the hands of Russian criminal networks. The suspected operation could be responsible for the spate of DDoS attacks, or the mobsters may be simply taking advantage of the situation by piggybacking on hacktivist activities – no one can say for sure.
If that’s not enough intrigue for you, how about tossing in a little propaganda and darkops by the U.S. and Israeli governments in an effort to justify war with Iran? The tinfoil-hat theory proposed by former actor and NASA employee Michael Rivero is garnering a lot of attention on the Internet from the conspiracy-minded, though it requires some level of imagination.
The problem here is one of accurate attribution for cyber attacks. In most cases, if the attacker is highly skilled, it is nearly impossible to clearly determine the origin of an event, and even more difficult to ascertain if the attack was state-sponsored or instigated by individual actors. The use of multiple proxies, internet routing tricks, employing compromised systems belonging to a third-party, and the use of spoofed IP addresses can all be easily coordinated to give the appearance that an attack is originating far from the actual source.
“The lack of ability to supply attribution in cyber attacks is one of the key differences that sets cyberwar apart from traditional conflicts. A state can wage a niggling series of disruptive attacks while being shielded from retribution. This is a feature shared with covert assassinations and sabotage,” IT Harvest’s Chief Research Analyst Richard Stiennon, told Security Bistro.
So who’s to say with any certainty where the attacks are emanating from, what the real motivation is behind the assaults, or who might be looking to take advantage of the situation for their own benefit? Speculate as you may, but the problem with accurate attribution is that it is not always possible, the bad guys know this and use it as a strategy, and the good guys do to. Welcome to the cyber age.