In Cyberattacks on Banks, Evidence of a New Weapon

How were amateur hackers able to take down some of America’s largest banks? And who were they?

Those were some of the bigger mysteries of last week’s cyberattacks on Wells Fargo, U.S. Bank, PNC, the New York Stock Exchange and others, that caused intermittent Internet outages and delays in online banking.

A group claiming Middle Eastern ties, the Izz ad-Din al-Qassam Cyber Fighters, took credit for the attacks online. They claimed to have taken the Web sites down using basic online applications. But security researchers said those methods were far too amateur to have been effective.

Indeed, representatives for PNC, U.S. Bank and Wells Fargo all said that while they had systems in place to fend off such “distributed denial of service,” or DDoS, attacks — in which hackers bombard a site with traffic until it falls offline — in this case the volume of traffic was simply “unprecedented.”

“They must have had help from other sources,” said Jaime Blasco, a security researcher at AlienVault, who investigated the attacks.

Those sources, it turns out, were data centers around the world that had been infected with a sophisticated form of malware that can evade detection by antivirus solutions. The attackers used those infected servers to simultaneously fire at American financial services companies until they fell offline.

“That method has never been used to this degree before,” said Carl Herberger, a vice president at Radware, who has been investigating the attacks on behalf of many of the victims. “By infecting data servers, the attackers were given the horsepower and commercial grade capabilities to effect a massive attack.”

Typically DDoS attacks are deployed through an application — like the one hackers claimed to use in their online postings — or botnets, networks of infected zombie computers and devices that do hackers’ work for them.

In this case, hackers infected data centers first. The malware they used was designed to encrypt itself in order to evade antivirus detection — defending against such malware is a little like fighting an invisible man. The attackers infected data servers all over the world and then instructed those servers to fire simultaneously at each bank until each Web site was taken offline.

Mr. Herberger said Radware traced one of the infected servers back to Saudi Arabia. That does not mean, however, that the attacks originated in Saudi Arabia because the infection could have originated anywhere.

Mr. Herberger said it was still unclear who was behind the attack. Interestingly, he said Radware’s researchers did not find any evidence that the attackers used any of the attack tools hackers posted online. “From our vantage point, those tools were not used,” he said.

Among the remaining unknowns were how these servers were infected in the first place, how widespread the infection is, and — perhaps most troubling of all — whether the servers could be leveraged to inflict more damage on another target tomorrow.

“We don’t have great answers,” Mr. Herberger said. “Until we inoculate this tool, we can’t stop the bullets from being fired, we can only try to limit the bullet’s impact.”

He added, “It’s the classic chess game that is security.”