CIO

Banks fighting cyberattacks unlikely to get government relief soon

Banks seeking help from the U.S. government in battling a campaign of cyberattacks that defense officials say is being led by the Iranian government are unlikely to get much relief without a diplomatic solution, security experts say.

Several affected banks, including PNC Financial Services Group, SunTrust Banks and BB&T, want the government to stop or at least lessen the severity of the denial-of-service attacks that started about a year ago, The Wall Street Journal reported on Wednesday. The Iranian government has denied any involvement.

Because financial institutions typically have sophisticated defenses around online banking sites, the fact that they are seeking help is an indication of the sophistication and intensity of the threat. Banks have already spent millions of dollars battling the attackers.

While no customer or account data has been stolen, the cyberattacks have taken their toll on the banks' profits, as well as on customer confidence, the report said. U.S. officials say they are looking at options, which could include retaliation.

Short of reaching a diplomatic solution, the options available to the government would be unlikely to stop the attacks quickly, experts say. Blocking the attacks or taking down the botnet behind them would be difficult because of the complexity of the infrastructure.

"Because botnets are infected hosts living all around the globe, there is no easy way to just block them," said David Hobbs, director of security solutions at Radware. "Computers and servers are compromised daily and often belong to legitimate companies worldwide."

Another option suggested by the banks was to have the government work with Internet service providers to block malicious traffic coming from computers in Iran. However, Scott Hammack, chief executive of Prolexic Technologies, said that would be difficult, given that the traffic in the bank attacks is coming from compromised systems in Europe, the U.S. and Asia. Some of the banks affected by the campaign are customers of Prolexic, which specializes in defending against denial-of-service attacks.

"[Law enforcement] have been trying to do that to a certain extent ... but those infrastructures are so complicated it's difficult to pin down what's doing what," Hammack said.

Something the government could do that the banks can't is to launch a retaliatory strike. But such a move would make the situation much worse, Hammack said.

"You could try to attack Iran with some sort of offensive [cyber] weapons and take down some of their infrastructure, but then you're going to create something that's going to escalate and inflame quite a few other Arab neighbors," he said.

In general, the banks are likely to be "on their own for a while," Hammack said. "I don't think the government is going to get involved in building something out to create a defensive measure that the banks can lean on."


The unusually potent attacks started early last year with Bank of America, investigators told The Journal. After attacking oil and gas companies in the Persian Gulf during the summer, the attackers turned their attention once again to banks in September.

The volume of bogus traffic directed at bank websites in an attempt to overwhelm them reached as high as 60 to 70 Gbps, many multiples higher than the typical denial-of-service attack. For comparison, Arbor Networks estimated that the average attack in September was 1.67 Gbps.

The sophistication of the attacks points to a state-sponsored operation, researchers believe. Prolexic reported in October that a toolkit used in some of the attacks flooded the infrastructure and application layers of the banks' websites simultaneously. In addition, the traffic signatures were unusually complex and therefore difficult to reroute.

While botnets made up mostly of compromised PCs are used in the majority of cyberattacks, the traffic sent against the banks was generated by compromised servers with 200 to 300 times the capacity of a personal computer, researchers say. Investigators told The Journal that tens of thousands of infected servers running corporate websites have been used.

The attacks have affected most of the top dozen U.S. banks, which have had their sites disrupted or taken offline for short periods of time. In October, Defense Secretary Leon Panetta said the Pentagon was prepared to take action if the country was threatened by a computer-based attack.

While the U.S. is blaming Iran, the Middle Eastern country blames the U.S. and Israel for sending the Stuxnet worm that destroyed centrifuges in Iranian nuclear facilities in 2009. Quoting unidentified sources, The New York Times reported last year that Stuxnet was the work of the U.S. and Israeli governments.
