Iran May Not Be Behind Bank Cyberattacks
There's really not much evidence that the government of Iran is behind the ongoing wave of cyberattacks on U.S. bank websites, say many security experts.
"I don't consider any attack I can do in my spare time as 'nation-state-sponsored,'" said Robert David Graham, chief executive officer of Atlanta-based Errata Security.
"[It] could just as well be a loose group of those sympathetic to Iran and the Middle East and angry as hell at U.S. involvement there," said George Smith, a senior fellow at the Alexandria, Va.-based think tank GlobalSecurity.org.
A front-page story in The New York Times Wednesday (Jan. 9) repeated what politicians and unnamed government officials have been saying for months: Iran has to be behind the attacks.
Yet the officials have failed to offer any proof. (Tehran denies any involvement.) Instead, the Times article cited several experts who said the size and sophistication of the distributed denial-of-service (DDoS) attacks were unprecedented and hence implied the backing of a nation-state.
The security experts whom TechNewsDaily communicated with weren't so sure.
"We have no idea who is behind these attacks, and unless these unnamed sources want to explain how they might have derived attribution, I imagine they don't, either," said Chester Wisniewski, a senior security adviser with the British anti-virus firm Sophos.
"Is it an amateur, professional or nation state?" asked Steve Santorelli, a former Scotland Yard and Microsoft computer-security expert who now works with Lake Mary, Fla.-based Team Cymru. "The answer to that would only come after a long and technical specialist investigation involving multiple different folks."
The DDoS attacks against the bank sites are several orders of magnitude higher than the attacks led by the hacktivist movement Anonymous against PayPal, MasterCard and dozens of government sites over the past few years.
Anonymous enlisted dozens, maybe hundreds, of supporters worldwide to install free site-load-testing software on their home PCs and use it to overwhelm Web servers on targeted sites by making millions of bogus requests for pages.
The bank attacks, on the other hand, have often used a DDoS tool called "ItsOKNoProblemBro" to hijack and launch attacks from other Web servers, greatly amplifying the bandwidth of the bogus requests. An Israeli security firm found one such hijacked server this week.
In DDoS attacks, neither the targeted servers nor the data on them are actually damaged. But websites can be cut off from the rest of the Internet, which for online banks adds up to a lot of lost business.
Even the well-defended websites of banking titans such as Wells Fargo, Bank of America and JP Morgan Chase have suffered connection problems under the weight of the recent onslaughts.
... that anyone can use
That's still far from a smoking gun.
"ItsOKNoProblemBro is far from sophisticated malware. It's really rather simple," said Roel Schouwenberg, a senior anti-virus researcher with Moscow-based Kaspersky Lab. "Going strictly by the publicly known technical details, I don't see enough evidence to categorize this operation as something only a nation-state-sponsored actor could pull off."
"Lots of non-nation-state actors can amass staggering bandwidth," noted security researcher Bruce Schneier. "And lots of state actors can't."
Sean Sullivan, a security adviser at Helsinki, Finland's F-Secure, thinks the attacks are too well-organized to be the work of pure amateurs.
"There does appear to be a good level of coordination," Sullivan said. "Perhaps the attacks are being carried out by useful idiots — a group of hackers funded by Iran (or other party) but not a professional 'hacker corps.'"
Yet in Graham's opinion, mounting an attack of this scope really isn't that difficult.
"Hacking computers in data centers is easy," he said. "Any data center hosts websites with obvious flaws, so it's easy to target a data center, then find a vulnerable server.
"Even easier yet is just get a lot of VPS machines," Graham added. "For $10 per virtual private server in 100 data centers around the world, you could easily flood a victim with 100 Gbps [gigabits per second]. This takes zero hacking skills and really not too much money."
When the bank attacks began, there was suspicion that they might be providing cover for cybercriminals, who would slip past distracted security software and personnel to raid online accounts.
That doesn't seem to have happened, but Santorelli admits criminals still could be behind the attacks.
"A nation state would perhaps have the resources, but so would a lot of criminal syndicates and rogue individuals," Santorelli said. "These same folks would also have a criminal motive, especially if there was some way to generate a financial reward from the attacks."
Denial of government backing
Iran has denied involvement in the attacks, which began in mid-September. But someone else claimed responsibility right from the start: a previously unknown Islamist hacktivist group, the Izz ad-Din al-Qassam Cyber Fighters, or Qassam Cyber Brigades, which calls the campaign "Operation Ababil."
(Ababil, "small birds" in Arabic, may refer to a story in the Quran about birds who defended Mecca by dropping stones on an invading army — or to a type of Iranian-made aerial drone.)
The group has posted several statements online in both English and Arabic (but not in Farsi, the language of Iran) accurately predicting the timing and target of each attack.
It says that the attacks are protests against YouTube's hosting of the offensive "Innocence of Muslims" movie trailer, and of the movie itself. It denies any connection to any government.
On Tuesday the group offered a complicated formula to determine how long the attacks would continue, based on the number of YouTube viewings of "Innocence of Muslims" and how much it estimated each DDoS attack cost the targeted banks.
The Qassam Cyber Fighters calculated that the DDoS campaign would last 14 more months unless the video clips were taken down. Google has refused to do so.
Izz ad-Din al-Qassam was an imam who led resistance to French and British occupiers and Jewish settlers in Syria and Palestine in the 1920s and 1930s.
The military wing of the Palestinian Islamist political party Hamas also named itself after Qassam, but the Qassam Cyber Fighters deny any link to Hamas.
The case for Iranian hacktivists — or maybe a false flag
Iranian government involvement certainly can't be ruled out, and there's evidence that Iranian amateurs are involved.
In September, independent Bulgarian security researcher Dancho Danchev did an analysis of the attackers and their methods.
He found that just before the attacks began, some of the earliest versions of the malware used were uploaded by someone using the name "Marzi Mahdavi II" — the name used on an Iranian woman's personal Facebook page.
Danchev also noted that there was a recruitment appeal on Facebook for participants to download the DDoS tool and take part in the attack. There seemed to be little attempt to disguise identities.
"Is the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and virtually irrelevant technical skills?" Danchev asked.
Comparing it with a previous Iranian hacktivist campaign, he said, "We once again see a rather limited understanding of cyber operations."
But there's another possibility, Danchev noted. The entire operation, including the Qassam Cyber Fighters postings, could be a "false flag" operation designed to pin blame on Iran.
"This is the first public appearance of the group that claims responsibility for these attacks," he pointed out. "Virtually anyone on the Internet can engineer cyberwarfare tensions between Iran and the U.S. by basically impersonating what's believed to be an Iranian group."