Update

2 06 2013

Distributed-denial-of-service attacks against U.S. banks have been dormant for nearly four weeks, leading security experts to question when and if a new phase of attacks might emerge.

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters, which since last September has taken credit for the hits against banks, claimed its attacks were in protest of a YouTube movie trailer deemed offensive to Muslims. But some observers have speculated that Iran was backing the DDoS strikes against banks as payback for cyber-espionage attacks, such as Stuxnet, Flame and Duqu, that have over the last three years affected Iranian computer systems.

Rodney Joffe, senior technologist for online security provider Neustar Inc., says the current lull could be a sign that the attacks waged by the hacktivist group are over. “It’s a wild conjecture,” Joffe says. “But we may have seen the end of them.”

Joffe says indirect activity linked to the al-Qassam Cyber Fighters’ botnet, known as Brobot, has continued. But there have been no direct attacks. And that lack of activity raises questions about whether al-Qassam will wage any more attacks, Joffe says.

“The botnet is no bigger than it was,” he says. “We take [compromised] machines down and then new machines keep getting added. I still have hope that the government will have some impact or effect, but don’t know one way or the other.”

The Federal Bureau of Investigation in April warned that Brobot had been modified, “in an attempt to increase the effectiveness with which the [botnet’s] scripts evade detection.” The FBI said the actors behind Brobot were changing their attack methodology to circumvent mitigation efforts put forth by U.S. banking institutions (see FBI: DDoS Botnet Has Been Modified).

The FBI also noted that as of April 10, 46 U.S. banking institutions had been targeted by more than 200 separate DDoS attacks of “various degrees of impact” since September.

Financial fraud expert Avivah Litan, an analyst at Gartner, says intervention from federal authorities may have spurred al-Qassam to halt its attacks. But, like Joffe, she says there is no way to be sure. “I do know the banks were trying to get the White House to do something politically, and that could be what’s happened.”

But other experts, such as Mike Smith of Web security provider Akamai Technologies, don’t think there’s been anything going on behind the scenes to keep the attacks from resuming.

Different Attack Actors

Other experts anticipate that another group could emerge to resume DDoS attacks against banks if Izz ad-Din al-Qassam Cyber Fighters ends its campaigns.

“There has been a lull in the al-Qassam-like attacks,” says Scott Hammack, CEO of DDoS-mitigation provider Prolexic. “But I would definitely not misunderstand this lull as being an end to these types of attacks. The attacks will continue; it’s really just a question of when, not if.”

The current break comes after a third phase of hacktivist attacks, which kicked off in March. The latest campaign ran eight weeks, the longest-running so far.

The break from the third phase of attacks has lasted four weeks so far. By comparison, the break between the first campaign, which began Sept. 18, and the second campaign, which kicked off Dec. 10, lasted six weeks. And the break between the second and third campaigns lasted five weeks.

Hammack, like Smith, says Brobot, as well as other botnets, continues to grow. In fact, over Memorial Day weekend, Prolexic helped to mitigate a 167-gigabyte DNS-reflection attack, the largest attack recorded to date, Hammack says. “The attack traffic was global and required us to use all four of our cloud-based scrubbing centers,” he says.
