U.S. financial institutions are apparently the main targets for hackers bent on disrupting the banks’ online business, combining old tools and new tricks to muster a whole new class of zombie computers into attacking bank servers. But even as banks level accusations of state-sponsored hacking, the identity of the attackers is still not entirely clear.
Certainly the banks and their allies in the U.S. government haven’t been shy about calling out the attackers. Last week the bank security experts were concluding publicly that the nature of the attacks meant that it could not be anything less than a state-sponsored cyberattack from one of the U.S.’s biggest bogeymen, Iran.
The reason for fingering Iran was the sophistication of the attackers, who used centrally controlled botnets to launch highly targeted distributed denial of service (DDOS) attacks against banks’ infrastructure. That was not the part that freaked out the security experts, though. Apparently, new characteristics of the attacks included the addition of cloud-hosted servers within the botnets launching the attacks, lending huge computational power to the DDOS sorties, as well as the targeting of servers beyond the public-facing websites that usually get smacked around.
But does this level of sophistication really point to state-level sponsors like Iran? Or are “everyday” hackers and hacktivists just upping their game in their perpetual war against banks, corporations and government agencies?
Bringing Out The Artillery
Dr. Ken Baylor, Research vice president at NSS Labs, knows his way around a bank server or two – his previous gig was a three-year stint as vice president of Security and Antifraud at Wells Fargo.
When discussing the nature of this latest set of bank attacks in an interview last week, Baylor described the scale of the attacks with a chilling analogy. Past attacks directed by groups like Anonymous and LulzSec, he said, were like people running around shooting handguns. These new attacks that marshal cloud-based resources are more like using artillery.
And well-aimed artillery, too: Baylor explained that past DDOS attacks tended to be aimed squarely at Web servers, and intended victims would simply add more Web-server resources as failovers to weather an attack.
“Now they’re going after key weak systems,” Baylor said. For example, a bank’s three or four authentication servers might be new targets, and once those fail, the whole chain of online banking collapses, since customers are unable to log into their accounts.
Attackers are also using the sheer power of their newfound ammunition to launch much more sophisticated deep queries at targeted servers, which are much harder to tag as part of a DDOS attack and thus ignore.
The Fog Of War
Determining the identity of the attackers is by no means easy, and not only because of the technical tricks used to obfuscate the hackers’ identities. The other problem is determining motivation.
Thus far, past and present attacks have seemed very determined to not involve the theft of money, which would seem to be the obvious goal of attacking a bank’s cyber infrastructure. Indeed, after initial cyberattacks against banks proved successful, hacktivist groups began announcing their intended targets to make sure banks knew they were about to get p0wned.
But Baylor explained that soon after the hackers followed through on attacks against pre-determined targets, it became known that fraudsters were taking advantage of the attacks to initiate call center campaigns, using social engineering to trick call center representatives, locked out of their downed systems, into transferring money fraudulently. After that type of activity was discovered, the original hackers stopped pre-publishing their intended targets.
It is actually this lack of monetary gain that leads security experts to believe that state-sponsored groups are behind the attacks. According to The New York Times article, “[a] hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks.”
American intelligence officials, the article goes on to state, claim the hacktivist group is actually just a front for Iranian government activities and all of these activities are a calculated response to economic sanctions and cyberattacks launched against Iran’s nuclear infrastructure by the United States and Israel.
Iran, for its part, has denied these specific allegations.
“Whoever it is, it’s a show of power,” Baylor said. “They’re not out to steal. They’re out to disrupt.”
Bad Actors Or Good Hackers?
While the sheer power of the cloud-based servers would seem to suggest that the perpetrators of these attacks would have to be someone with a lot of money, time and power, other attacks would seem to suggest that this is not necessarily the case.
Consider, for a moment, the different levels of sophistication it takes to hack into a personal computer or a server (physical or virtual). Didn’t take long, did it?
The fact is that hacking into servers is only a touch more difficult than hacking into personal computers, and that’s only because PC owners are often dumb enough to allow malware onto their machines, thus making hackers’ jobs a whole lot easier. (Full disclosure: I’m one of those dummies.)
There is a recurring myth that somehow it’s very hard to hack into servers hosted on the cloud, because Amazon Web Services, Rackspace and other public cloud servers are perceived as being so secure.
Indeed, such services are very secure, emphasized Patrick McBride, vice president of marketing for Xceedium, an access control vendor for cloud computing. But that security extends only to the infrastructure level of the cloud hosts: the operating systems and networks that actually host the virtual machine “containers” in which customers’ servers reside.
What runs within the containers, though, is just as prone to the fumbles and pratfalls that any hosted server can have. Someone like me can, with a credit card and an AWS account, go out and set up a nice little Hadoop cluster in the cloud today. But if I don’t lock that server down and keep it patched and maintained, it’s just as vulnerable as it would be if it were plugged into the Internet back in my server room. Careless server admins can get their systems hacked just as easily as PCs.
“Cloud providers have done a pretty good job locking down their infrastructure,” McBride said. “But you’ve got to lock down access to your own servers.”
More Shelling To Come
Garden-variety hackers are already pretty sophisticated with their online weaponry, too. With whole botnets ready to be rented and deployed as a service against any desired targets, hackers (political or criminal) are able to acquire online weapons to use in their crusades or criminal activities.
A problem with the gun/artillery analogy is that it applies only to the level of power that can be used in an attack – it does not correlate with the sophistication or financing of the hackers themselves. If a hacker can crack a virtual server and control its computing power with little more skill than it takes to hack some poor slob’s PC and tie it to a tightly controlled botnet, then how sophisticated does a hacker have to be?
This is not to say Iran’s name can be cleared. The Middle Eastern nation could still be involved with these attacks, as might any other nation with a beef against the United States. But these attacks could just as well be the work of pro-Iranian hacker groups, any one of a slew of anti-bank protest organizations or some super-genius kid ticked off that a bank foreclosed on his parents’ house.
Using sophistication as a prime identifier for state-sponsored attacks paints an incomplete picture. The truth is, building a detailed and powerful cyberattack is not like building a nuclear weapon or creating counterfeit currency – activities that typically do require government-level resources and money. Cyberattacks like the ones in question, while complex, use the same methods employed in other botnet attacks. It’s just the weapons that have changed.
Nevertheless, the fact that there’s now cloud artillery lying around for hackers to replace their virtual handguns is very bad news for banks and any other potential online targets, regardless of the attackers’ identity.