The cybernetic threat currently imposed on the financial system is more severe than ever. Today, more than one half of all cyber attacks are aimed at financial organizations. There are many reasons for this: from hacking as a personal challenge, through theft of money, fraud, extortion and espionage, all the way to attempts to inflict functional damage. These attacks take place every day, at an alarming rate and with an ever-increasing level of sophistication and complexity.
The importance of the financial sector, along with its dependence on computers, makes it highly susceptible to the threat, all the more so when the motivations of the attackers are not financial. Most organizations and individuals are concerned primarily about the theft of money, identities, sensitive and even confidential information. However, the cybernetic threat is far more serious than that: it can be destructive and can practically immobilize organizations and nation states. It is impossible to overstate the severe implications of an attack on the financial sector.
The financial system is based on the confidence of the public, which counts on the availability of their financial information and money. As the threat realization potential increases, along with an ever-increasing dependence on readily available, on-line information, the cybernetic threat is evolving into a strategic, operational and public image risk factor for each and every bank and for the financial sector in general. Most organizations justly regard the financial system as the element chiefly responsible for securing their financial information and funds. Interestingly, about two thirds of all organizations realized that they had experienced financial fraud. Since early September 2012, the financial system in the US has been under a cyber attack of unprecedented strength and proportions, aimed at denying the services of the US financial system, including those of dozens of major US banks.
What sets these recent attacks against the financial system apart? Why has this issue occupied the headlines so prominently in recent months? A review of recent events in cyberspace, along with events in “real space” and the recent statements made by senior government officials in the US, indicates that this time the attack may have been timed and coordinated by a nation state – possibly Iran. If that is indeed the state of affairs, then the recent events should be regarded as a serious escalation of the cybernetic threat, of which we have only seen the tip of the iceberg so far. The conclusion is that the rules of the game are changing, and only those quick enough to realize that the threats in virtual reality are tangible, sophisticated and evolving at a tremendously rapid pace will improve their chances of survival.
On September 19, 2012, the Financial Services Information Sharing and Analysis Center (FS-ISAC) of the US Financial Services Sector raised the threat alert level for cyber attacks on the financial sector from “Elevated” to “High”, the second most severe threat alert level. The decision to raise the threat alert level was made on the basis of “reliable intelligence information” regarding a potential threat of cyber attacks against US financial institutions. One day previously, the FBI, FS-ISAC and IC3 (Internet Crime Complaint Center) issued an alert to US banks regarding a significant threat of focused cyber attacks against them.
One day prior to that, a group calling itself “Izz ad-Din Al-Qassam Cyber Fighters” published a declaration according to which they intended to disrupt the operations of the US financial system in order to bring about the removal from the web of the movie “Innocence of Muslims” – the same movie that had triggered the violent outbursts of Muslims around the world. In the declaration it published, the group stated: “…Muslims must do whatever is necessary to stop spreading this movie,” and that they intended to accomplish that goal by damaging assets important to the US – including the financial system. In the weeks that have passed since then, numerous banks were attacked by this group in a concerted, synchronized operation designated Operation Ababil.
The cyber assault began with a denial-of-service attack against the on-line banking services of Bank of America, the second largest bank in the US, and against the New York Stock Exchange website. The attackers warned that their assault might be executed in different ways. On the following day, the assault continued, this time with an attack on JPMorgan Chase – the largest bank in the US. A week later, the group attacked Wells Fargo, US Bank and PNC. After a hiatus of about a week and a half, the assault was resumed during the second week of October, with attacks against JPMorgan Chase, Capital One Financial Corp, SunTrust and Regions Financial Corporation. A week later, BB&T Corp and HSBC were attacked (it is possible that the Anonymous organization was involved in the attack against the last bank).
On September 23, Democratic senator Joe Lieberman stated in an interview to the C-SPAN network that Iran was the entity behind the bank cyber attacks. On the same day, Gholam Reza Jalali, the head of Iran’s Civil Defense Organization, hastened to deny Lieberman’s accusations, stating that “Iran has not hacked the US banks.” Strictly speaking, Jalali did not lie. Iran has not hacked the banks, because the banks were not hacked – their services were denied. Jalali also knows all too well that tracing the source of cyber attacks to any degree of certainty is extremely difficult (the “attribution problem”), so it was very easy to deny that Iran was behind the attack – and very difficult to prove otherwise. Iran, which had itself been the target of the world’s most sophisticated cyber attacks, is fully aware of that. Owing to the attribution problem, it is difficult to identify and pinpoint the source of an attack. At the same time, a methodical process of cyber forensics – including analysis of data from the computers used in the attack, analysis of the traffic, the methods of operation and a comparison between attacks – makes it possible to learn whether we face a nation state, a criminal organization, ‘hacktivists’ and so forth. Combined with additional motivation and intelligence, it allows an assumption regarding the identity of the attackers to be consolidated.
So far, the following has been ascertained: the attackers succeeded in generating unusually large-scale attacks. In order to produce such attacks, an intelligent and sophisticated attack network is required. Additionally, the attack methods and modes of operation differed between the attacks against the various banks. At the same time, the amount of traffic generated by the attacks and the fact that the banks were unable to defend themselves against those attacks probably point to an organization possessing substantial resources. The primary attack tool was “Itsoknoproblembro”, a Distributed Denial of Service (DDoS) toolkit. This DDoS toolkit uses “BRO-bots” – breached servers into which the attack command is “pushed” – unlike a typical botnet-type network, which is assembled from breached end-user computers. In this method, the attackers take advantage of the fact that the servers have more communication capacity available for the attack, so the attack may be executed using fewer computers.
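The defender-side consequence of the point above (and of the forensic traffic analysis mentioned earlier, where comparing traffic patterns helps characterize the attacker) is that an attack mounted from a few high-capacity breached servers looks different in a bank's own web-server logs from one mounted by a broad botnet of low-bandwidth hosts: a large share of requests arrives from a small number of source addresses. The following added example, which is not code from the article or its authors, parses a constructed Common Log Format excerpt, aggregates requests per source address, and flags sources whose share of requests or request rate exceeds a threshold. The log lines, the addresses (taken from the RFC 5737 documentation ranges) and the threshold values are all assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample access log in Common Log Format; these are NOT real bank logs.
# The two 203.0.113.x addresses stand in for high-capacity breached servers,
# the 198.51.100.x addresses for ordinary customers browsing the site.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2012:14:00:00 +0000] "GET /onlinebanking/ HTTP/1.1" 200 48210
198.51.100.20 - - [10/Oct/2012:14:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.11 - - [10/Oct/2012:14:00:01 +0000] "GET /onlinebanking/ HTTP/1.1" 200 48210
203.0.113.10 - - [10/Oct/2012:14:00:01 +0000] "GET /onlinebanking/ HTTP/1.1" 200 48210
203.0.113.10 - - [10/Oct/2012:14:00:02 +0000] "GET /onlinebanking/ HTTP/1.1" 200 48210
203.0.113.11 - - [10/Oct/2012:14:00:03 +0000] "GET /onlinebanking/ HTTP/1.1" 200 48210
198.51.100.21 - - [10/Oct/2012:14:00:03 +0000] "GET /login HTTP/1.1" 200 7300
203.0.113.10 - - [10/Oct/2012:14:00:04 +0000] "GET /onlinebanking/ HTTP/1.1" 503 512
203.0.113.11 - - [10/Oct/2012:14:00:05 +0000] "GET /onlinebanking/ HTTP/1.1" 503 512
198.51.100.22 - - [10/Oct/2012:14:00:06 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.10 - - [10/Oct/2012:14:00:07 +0000] "GET /onlinebanking/ HTTP/1.1" 503 512
203.0.113.11 - - [10/Oct/2012:14:00:07 +0000] "GET /onlinebanking/ HTTP/1.1" 503 512
203.0.113.10 - - [10/Oct/2012:14:00:08 +0000] "GET /onlinebanking/ HTTP/1.1" 503 512
198.51.100.23 - - [10/Oct/2012:14:00:09 +0000] "GET /login HTTP/1.1" 200 7300
203.0.113.11 - - [10/Oct/2012:14:00:09 +0000] "GET /onlinebanking/ HTTP/1.1" 503 512
"""

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    size = m.group("bytes")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),
    }


def flag_sources(log_text, share_threshold=0.2, rps_threshold=2.0):
    """Aggregate requests per source address and flag any source whose share of
    all requests, or whose request rate, reaches the given thresholds.
    The thresholds are arbitrary illustrative values; in practice they would be
    derived from a baseline of normal traffic for the site in question."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    if not entries:
        return []
    total = len(entries)
    # Observation window in seconds, assuming one-second timestamp resolution.
    first = min(e["ts"] for e in entries)
    last = max(e["ts"] for e in entries)
    window = (last - first).total_seconds() + 1
    per_ip = {}
    for e in entries:
        stats = per_ip.setdefault(e["ip"], {"requests": 0, "bytes": 0, "errors": 0})
        stats["requests"] += 1
        stats["bytes"] += e["bytes"]
        if e["status"] >= 500:          # server already failing under load
            stats["errors"] += 1
    report = []
    for ip, stats in per_ip.items():
        share = stats["requests"] / total
        rps = stats["requests"] / window
        report.append({
            "ip": ip, "requests": stats["requests"], "bytes": stats["bytes"],
            "errors": stats["errors"], "share": share, "rps": rps,
            "flagged": share >= share_threshold or rps >= rps_threshold,
        })
    # Most active sources first; tie-break on address for deterministic output.
    report.sort(key=lambda r: (-r["requests"], r["ip"]))
    return report


def top_share(report, n):
    """Fraction of all requests sent by the n most active sources. A high value
    for a small n is the signature of a few high-capacity machines rather than
    a broad botnet of many low-bandwidth hosts."""
    total = sum(r["requests"] for r in report)
    if total == 0:
        return 0.0
    return sum(r["requests"] for r in report[:n]) / total


if __name__ == "__main__":
    rows = flag_sources(SAMPLE_LOG)
    for r in rows:
        mark = "FLAG" if r["flagged"] else "    "
        print(f"{mark} {r['ip']:<15} req={r['requests']:<3} share={r['share']:.2f} "
              f"rps={r['rps']:.2f} bytes={r['bytes']} 5xx={r['errors']}")
    print(f"top-2 share of requests: {top_share(rows, 2):.2f}")
```

On the constructed sample, the two 203.0.113.x sources account for 11 of 15 requests and are the only ones flagged; the 5xx counter shows the service already degrading while they are active. The same per-source aggregation is the first step of the comparison-between-attacks analysis described above: the distribution of request share across sources, kept per incident, is one of the features that distinguishes a server-based attack network from a conventional botnet.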
The Iranian Direction
The organization that claimed responsibility for the cyber attacks calls itself “Izz ad-Din Al-Qassam Cyber Fighters” and also operates under the name “Qassam Cyber Fighters”. If Iran is the entity behind the attacks, it is reasonable to assume that it executes them through its Quds Force – the special unit of the Iranian Revolutionary Guards responsible for spreading the message of the Islamic Revolution. The Quds Force has a long history of supporting such organizations as Hezbollah for the purpose of carrying out terrorist attacks, and its people are well established among Shiite communities around the world.
While speaking about Iranian cyber capabilities at the Senate Select Committee on Intelligence last January, James Clapper, the Director of National Intelligence (DNI), stated that Iran’s offensive cyber capabilities (those directed against the US) had improved dramatically in recent years, in depth and complexity. In his assessment, the Iranian government and the supreme leader had reached the conclusion that Iran can afford to attack the US using cybernetic means. In November 2011, Iran established a defensive cyber staff to defend its critical infrastructure systems. Last February, Brigadier General Gholam Reza Jalali, the head of Iran’s Civil Defense Organization, announced that Iran was setting up a defensive cyber army to defend its vital military networks. Iran did so in response to the cybernetic arming of the US: if the US reduces its forces and increases its cyber forces, Iran should do so all the more.
The numerous statements made by Iran to the effect that it does not develop cyber capabilities are not true. Some estimates maintain that the Iranian Revolutionary Guards Corps has a cyber warfare unit. According to these estimates, about 2,400 persons serve in that unit and its budget for 2010 was $76 million. In 2010, the Iranian Chief of Staff stated that their cyber army was the second largest in the world. This statement may lead to the conclusion that the Iranian army employs hackers who perform such activities, and that these hackers go by the name of “The Iranian Cyber Army”. The connection between these elements is unclear, but this organization has carried out extensive offensive operations against several international organizations in the past. Last July, a “senior official” at the Iranian cyber staff warned the US that it should take the Iranian “eye for an eye” doctrine seriously. “The Iranian Republic has significant (offensive) capabilities, and it will respond to (US) warmongering,” said the Iranian official. Apparently, Iran has realized that this field is essential in the context of modern warfare.
Iran is fully aware of the attribution problem associated with cyber attacks. Iran has threatened repeatedly that should its nuclear facilities be attacked, it will respond by attacking the US bases in the Gulf and by launching missiles at Israel. Iran openly blamed Israel and the US for the cyber attack against its nuclear facilities, but never fulfilled its threats. One may assume that the Iranians were unable to prove, beyond a shadow of a doubt, who had actually attacked them. The same attribution problem that worked for the benefit of those who had launched the cyber attack against Iran now works for the benefit of the Iranians in connection with the cyber attacks against the US banks – assuming Iran was, indeed, the entity behind these attacks. At the moment, the identity of the actual attackers is nothing but conjecture and speculation.
Ram Levi serves as a cyber consultant to the Ministry of Science and Technology’s National Research and Development Council, and as a research fellow at the Yuval Ne’eman Workshop for Science, Technology and Security at Tel-Aviv University.
Lior Tavneski is a research fellow at the Yuval Ne’eman Workshop for Science, Technology and Security at Tel-Aviv University.
Deborah Hausen-Kuriel, attorney at law, is an associate at the Yuval Ne’eman Workshop for Science, Technology and Security at Tel-Aviv University.
Moti Geva is a doctoral candidate majoring in Information Security at Bar-Ilan University.