Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. and Wells Fargo & Co., have breached some of the nation’s most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults.
The attack, which a U.S. official Thursday said was waged by a still-unidentified group outside the country, flooded bank websites with traffic, rendering them unavailable to consumers and disrupting transactions for hours at a time.
Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the official, who asked not to be identified because he isn’t authorized to speak publicly. The extent of the damage may not be known for weeks or months, said the official, who has access to classified information.
“The nature of this attack is sophisticated enough or large enough that even the largest of the financial institutions would find it difficult to defend against,” Rodney Joffe, senior vice president at Sterling, Va.-based security firm Neustar Inc., said in a phone interview.
While the group is using a method known as distributed denial-of-service, or DDoS, to overwhelm financial-industry websites with traffic from hijacked computers, the attackers have taken control of commercial servers that have much more power, according to the specialists.
“The notable thing is the volume and the scale of the traffic that’s been directed at these sites, and that’s very rare,” Dmitri Alperovitch, co-founder and chief technology officer of Palo Alto, Calif.-based security firm CrowdStrike Inc., said in a phone interview.
The assault, which escalated last week, was the subject of closed-door White House meetings in the past few days, according to a private-security specialist who asked not to be identified because he’s helping to trace the attacks.
President Barack Obama’s administration is circulating a draft executive order that would create a program to shield vital computer networks from cyber attacks, two former U.S. officials with knowledge of the effort said earlier this month.
The U.S. Senate last month failed to advance comprehensive cybersecurity legislation and the administration is contemplating using the executive order because it’s not certain that Congress can pass a cybersecurity bill, the officials said.
The group started almost two weeks ago with test attacks that triggered multiple alerts. The assault on financial firms began last week, starting with JPMorgan (NYSE: JPM), Citigroup Inc. (NYSE: C) and Charlotte, N.C.-based Bank of America Corp. (NYSE: BAC), moving successively this week to Wells Fargo (NYSE: WFC), U.S. Bancorp (NYSE: USB) and Thursday, PNC Financial Services Group Inc. (NYSE: PNC).
The industry’s Financial Services Information Sharing and Analysis Center posted a warning on its website dated Sept. 19 that cited “recent credible intelligence regarding” potential cyber attacks.
U.S. Bancorp is working with federal law enforcement officials after the attacks caused delays for customers, Nicole Garrison-Sprenger, a spokeswoman for the Minneapolis-based company, said in an emailed statement. Customer data and funds are secure, she said.
PNC was experiencing a high volume of Internet traffic, causing disruptions for some clients, Fred Solomon, a spokesman for the Pittsburgh-based bank, said in an emailed statement.
Bridget Braxton at San Francisco-based Wells Fargo, Bank of America’s Mark Pipitone, Andrew Bernt of New York-based Citigroup and Kristin Lemkau at JPMorgan declined to comment.
A group calling itself Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for the assault in a statement posted to the website pastebin.com, saying it was in response to a video uploaded to Google Inc.’s (Nasdaq: GOOG) YouTube, depicting the Prophet Muhammad in ways that offended some Muslims.
The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to Alperovitch and Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said.
“The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said.
Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation, and Peter Boogaard at the U.S. Department of Homeland Security, declined to comment.
Sen. Joe Lieberman, a Connecticut independent who heads the Senate Homeland Security and Governmental Affairs Committee, said last week he thought Iran was behind the attacks.
Alperovitch and Joffe said that while they think one group is behind the attacks, they didn’t have enough information to prove or disprove Lieberman’s assertion that Iran is responsible. The U.S. official with access to classified information said it’s premature to attribute the attacks to Iran’s government.
The attacks flooded the bank websites with 10 to 20 times more Internet traffic than the typical denial-of-service attack, Alperovitch said. He said that no data were stolen and no networks infiltrated by hackers.
The group claiming responsibility named the days it planned to attack and identified the banks it would target in a separate posting on pastebin.com.
That hackers telegraphed their intentions and targets shows the difficulty industries and governments face in keeping up with fast-moving network threats, said Atif Mushtaq, senior staff scientist with FireEye Inc., a Milpitas, Calif.-based security firm.
“They had already declared they would hit these banks at these times, and still we are seeing that these banks are not able to handle these DDoS attacks,” Mushtaq said. “It’s clear that the current infrastructure under the control of these banks is not good enough.”
There’s no sign the attacks are going to stop, Alperovitch and Joffe said.
“I would not be surprised to see another pastebin posting that provides a new set of targets for this weekend and next week,” Joffe said.
A broader or more sustained denial-of-service attack could shake consumer confidence in the banking industry, Joffe said.
“If banking infrastructure was affected in this way for an extended period of time, the natural outcome of that is a loss of faith,” he said. “If you can’t get to your banking site for three or four hours on a day when you have to do things, you start thinking about what are my alternatives because this might happen again.”
The banking industry worries about an organization with more resources launching attacks, said Ed Powers, head of security and privacy issues for U.S. financial firms at Deloitte & Touche LLP.
“This is coming toward the end of the month; it’s badly timed,” Joffe said. “People have to pay bills today and tomorrow.”
Previous denial-of-service attacks proved to have been cover for looting bank accounts and stealing customers’ or employees’ personal information, said another private cybersecurity analyst, who asked not to be identified to maintain client confidentiality. There’s no evidence so far that the latest attack has included theft.
If the financial industry, which spends more on Internet security than any other industry and has its largest and most extensive defenses, can’t handle this, it’s not clear whether any critical-infrastructure industry can, the analysts said.