The resumption this week of distributed denial of service attacks against major U.S. banks brought not only more cost and disruption to financial institutions trying keep online services available, but it also raised new questions about the funding and true motives behind the attacks.

A number of service disruptions were reported this week as Izz ad-Din al-Qassam Cyber Fighters lived up to their promise on Pastebin to kick off a third round of DDoS attacks in protest of the continued availability of the movie “Innocence of Muslims” on YouTube. These attacks, however, are much different than the one-and-done types of DDoS attacks preferred by other socially and politically motivated groups.

Banks are no stranger to DDoS attacks, but since September, these attacks in particular have been noteworthy for the amount of traffic generated toward the banks, as well as for their targeting of applications and specific features available on the banking sites, the steady growth in the number of web servers used in the attacks, and the automated tools being used. Add it all up and it equals some hefty funding and know-how, either hackers bred in-house, or contracted from the outside.

“There’s no doubt in my mind that this is well funded at some level,” said Arbor Networks director of security research Dan Holden. “There’s no way this can go on for this long and with this type of investment without someone caring. Historically, if you look at hacktivism, it’s been driven by some sort of incident and usually they can’t drive an operation for this long. Usually they just lose interest.”

Attribution is always challenging in any kind of attack and it’s premature to call these attacks state-sponsored, but there has been skepticism from the outset about this particular campaign. Dmitri Alperovich, cofounder and CTO of security company CrowdStrike, told Threatpost in September the protestations over the movie were a red herring.

“I don’t buy that their motivation is in response to the video; this group has been carrying out attacks for months,” he said. “Their motivation is to send a message that this is what they’re capable of.” Alperovich said the group’s name is the same as the military wing of Hamas and it claims to have a Jihadist cause, he said. “If a terrorist group is interested in sending a message to us, this is one way of doing so. It’s relatively inexpensive and powerful message.”

The group behind these attacks has evolved its capabilities and is using a number of automated toolkits, including Brobot and itsoknoproblembro to carry out not only high-volume attacks of upwards of 70-100 GBps, but they’re able to do so against simultaneous targets. And this is more than just pinging a banking site with hundreds of thousands of synflood calls; the attacks are also application centric. In some cases, they’re going after application log-ins or trying to continuously download large files such as user agreements, policy statements and more.

The attackers are also using compromised web servers to fire off these requests, and according to experts, seem to be using simple Google searches to find vulnerable servers with PHP vulnerabilities or other flaws that are easily exploitable. Web servers have a lot more bandwidth than a compromised home machine, for example, thousands of which make up traditional botnets used in DDoS campaigns. Owning a web server, very much an old-school method of DDoS attacks against targets, is much more efficient for the attacker than waiting for clients to become infected with a Java exploit and malware, for example.

“The average home user has 10 MBps capabilities with broadband, with an upload speed of 1.5 MBps. To use that as a tool to attack the banks, to get 70 GBps, I would need 70,000 users,” said Barry Shteiman, senior security strategist at Imperva. “Web servers by designed are supposed to serve a large amount of users with half or 1 GBps of upload speed. I would need only 70 to 150 servers to get the same result.”

Taking this approach, Shteiman said, keeps costs down for an attacker. Using a Google search can render a long list of vulnerable web servers that are easy to find and difficult to patch. This is much simpler than writing or buying an exploit that bypasses a lot of client-side protections.

“If I know it’s going to take a lot of effort and money and bypass protections on user platforms, I need to find the best vector,” Shteiman said. “On websites, a lot of vulnerabilities are far less patched; we know most organizations are not covering Web threats.”

The banks, meanwhile, are defending well against these attacks, experts said, though they too have to spend more and evolve as attacks do.

“The attackers’ focus on a particular site is increasing because the banks’ defenses are so good at this point,” Arbor’s Holden said. “DDoS is not a set-and-forget type of defense. Because these attacks are so targeted a lot of people are no doubt still involved in defending against them; a lot of folks are not sleeping right now.”

Holden said he’s not surprised given the presumed funding, that the attacks and capabilities have grown.

“They have to in order to keep the campaign growing,” he said. “I expect to see further tool development, possibly targeted tools depending on how a bank website is built and structured. They’re learning about defenses for each particular site. Based on what they learned and what’s working, they are able to create tools with a particular site in mind.”

Categories: Critical Infrastructure, Vulnerabilities