Bank Cyber Attacks Enter Fifth Week as Hackers Adapt to Defenses

Capital One Financial Corp., BB&T Corp. and HSBC Bank USA said they were hit by a new round of cyber attacks, marking the fifth week of sustained assault on some of the largest U.S. financial institutions.

The banks’ websites have been disrupted with so-called denial-of-service attacks, some of which originated in Iran and Russia, Carl Herberger, a vice president for the network security firm Radware Inc., said in a phone interview yesterday.

“There is a target list that is essentially being worked,” said Herberger, whose New Jersey firm is working with banks to investigate the attacks. “They appear to have been near-100 percent effective, at least in bringing these financial institutions some level of duress.”

The assaults, which began last month, have differed from other types of denial-of-service attacks by commandeering commercial servers to overload bank websites with Internet traffic. The attacks have temporarily disrupted or slowed online services for customers.

There are no signs data or money have been stolen, said Herberger and Rodney Joffe, senior vice president at Sterling, Virginia-based security firm Neustar Inc. It could take months to determine if that occurred, they said.

A group calling itself Izz ad-Din al-Quassam Cyber Fighters has claimed responsibility for the attacks in statements posted to the website, saying they’re in response to a video uploaded to Google Inc.’s YouTube ridiculing the Prophet Muhammad and offending some Muslims.

Panetta Warning

The attacks continued this week despite a warning from Defense Secretary Leon Panetta that the U.S. has the ability to determine who is responsible.

“Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests,” Panetta said in an Oct. 11 speech to business executives in New York.

He said the “scale and speed” of the bank attacks was unprecedented.

Denial-of-service attacks, which are common, harness networks of infected computers to bombard websites with traffic in an effort to slow or crash them.

The use of commercial servers enabled the bank attackers to pump a larger volume of traffic at the sites, Joffe said in a phone interview yesterday.

Bank Response

The attack on HSBC, the U.S. unit of London-based HSBC Holdings Plc, prevented customers from using online banking services while not affecting customer data, Neal McGarity, a bank spokesman in New York, said in an e-mail yesterday.

BB&T customers yesterday couldn’t access the website at various times during the day, Merrie Tolbert, a spokeswoman for the Winston-Salem, North Carolina-based bank, said in a phone interview.

The attack on McLean, Virginia-based Capital One began Oct. 16 and intermittent disruptions continued yesterday, Tatiana Stead, a spokeswoman, said in an e-mail. There was no sign of account information being put at risk, she added.

Ally Financial Inc. was also investigating “unusual traffic,” Gina Proia, spokeswoman for the Detroit, Michigan-based company, said in a phone interview yesterday.

Senator Joe Lieberman, a Connecticut independent who heads the Senate Homeland Security and Governmental Affairs Committee, said last month he thought Iran was behind the attacks.

Panetta said in his speech that Iran has “undertaken a concerted effort to use cyberspace to its advantage,” although he didn’t link the Iranian government to the bank attacks.

Iranian Connection

Herberger and Joffe said the Iranian government may be behind the attacks. Definitive evidence is needed, they said.

“There’s no technical problem in forensically figuring out who did what,” Herberger said. “The problem is can you go to China, can you go to Russia, can you go to Iran and actually do the inspection of the equipment to actually know what’s going on?”

The attackers are adapting to banks’ defenses and becoming more sophisticated in their tactics, Herberger and Joffe said.

“Companies have to be very aware of what’s going on and they have to start thinking about a Plan B and Plan C,” Joffe said.

Along with using commercial servers, attackers are overloading bank websites with queries, such as requests to find branch locations, and sending encrypted data packets that bypass traditional defenses and intrusion-detection systems, Herberger said.

“We see ahead of the attacks reconnaissance, probing and scanning to evaluate the websites’ effectiveness to see if they have certain attributes in place,” he said. “It’s classic probing.”

Security experts have been concerned about the attacks because U.S. financial institutions are considered to have some of the best network defenses of any industry. Sustained attacks could disrupt customer confidence in industries beyond banking, they said.

“I feel like it’s more than an inconvenience and that people have actually lost the fundamental respect for the banks’ integrity,” Herberger said.
