CSCSS Defence Intelligence Report - Attacks on the U.S. Financial System


A Special Report Outlining the Deliberate Targeting of U.S. Financial Institutions


Executive Summary

On June 3rd and 4th, open DNS providers were attacked as part of the ongoing attacks on U.S. financial institutions. Prolexic, a company that specializes in mitigating DNS attacks, has announced that the attacks peaked at a bandwidth of 167 Gbps during a DNS reflection attack. This attack marks a new phase in co-ordination and a major increase in demonstrated capability. These attacks are becoming a major threat to the financial structure of the United States, and more generally to western financial institutions. This Focus Report reviews the most recent attacks and their impact, and provides analysis and an assessment of the attackers.


June Attacks

On Monday June 3rd, DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation, citing DDoS attacks as the reason. Two of the companies had been attacked on June 2nd but ASSESSED that attack as a 'test run' which would probably turn into an attack on their clients. Apparently the DNS companies were not ready for a sustained attack on their service. Prolexic stated that the attack bandwidth peaked at 167 Gbps on June 3rd during an attack on easyDNS. The financial institutions on the receiving end of these attacks have not been identified. The DNS providers attacked were:

- DNSimple is based in Florida, U.S.A.
- easyDNS is based in Toronto, Canada
- TPP Wholesale is an Australian company

Focus Report: Cyber Attacks on U.S. Financial Institutions


Reflected DDoS Attacks

In DDoS attacks, thousands of computers all try to contact a target website at the same time, overwhelming it with meaningless connections until it is rendered inaccessible. In a reflected denial of service attack (reflected DDoS attack) the attack comes from many compromised computers which send requests carrying a forged source address (spoofed IP) to the Domain Name Server (DNS) for a financial institution. The result is thousands of compromised computers, each sending thousands of information requests to the domain name server and onward to the financial institution. The end state is a 'traffic jam' of thousands of information requests at the financial institution. Customers cannot access the DNS service and/or the financial institution because there is a 'lineup' of information requests in front of them. These attacks exploit weaknesses in the DNS protocol. The attackers have been identified as Izz ad-Din al-Qassam Cyber Fighters and they have had some successes. The attackers' DDoS attacks have managed to block Internet access to major institutions for hours [1]. It has been noted by computer security companies and the F.B.I. that the reflected DDoS attacks probably mask other attacks on the financial institutions that are operating separately [2]. The F.B.I. has reported that the hacktivist group conducts reconnaissance prior to attacks. Reconnaissance takes two forms: relatively light DDoS probes of the financial institution's web site, and attempts to penetrate the company network. The penetration attacks include 'spear phishing' attacks. If the web server(s) at the financial institution show any sign of weakness, a reflected DDoS attack is mounted days later [3]. The F.B.I. ASSESSES that target financial organizations are PROBABLY penetrated (via the spear phishing attacks) prior to DDoS attacks being mounted. It is not known if 'other attacks' (besides the DDoS attacks) have been successful.
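The detection logic a defender would run over border traffic to catch the reflection pattern described above, as an added example that is not part of the CSCSS report. It assumes UDP flow records (timestamp, addresses, ports, byte count) taken at the edge of an institution's network, and uses constructed sample traffic on RFC 5737 documentation addresses.

```python
"""DNS reflection detection over border flow records (added example).

A reflected DDoS shows up as many distinct resolvers (source port 53) sending
large DNS responses to one internal target that never sent them a matching
query: the query was sent by the botnet with the target's address forged as
the source, so the reflectors' answers land on the target.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """How much a reflector multiplies the attacker's bandwidth: the size of
    the response it returns divided by the size of the query that elicited it."""
    return response_bytes / query_bytes


def detect_reflection(flows, window=2.0, min_reflectors=10, min_bytes=1000):
    """Return {target_ip: {"reflectors": n, "bytes": total}} for targets that
    received unsolicited large DNS responses from >= min_reflectors resolvers.

    A response is unsolicited when the target sent no query to that resolver
    within `window` seconds before the response arrived.
    """
    # Outbound queries seen from inside: (client, resolver) -> timestamps
    queries = defaultdict(list)
    for f in flows:
        if f.dst_port == 53:
            queries[(f.src_ip, f.dst_ip)].append(f.ts)

    unsolicited = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f.src_port != 53 or f.nbytes < min_bytes:
            continue  # not a large DNS response
        recent = queries.get((f.dst_ip, f.src_ip), [])
        if any(0 <= f.ts - q <= window for q in recent):
            continue  # legitimate: the target asked this resolver a moment ago
        entry = unsolicited[f.dst_ip]
        entry["reflectors"].add(f.src_ip)
        entry["bytes"] += f.nbytes

    return {
        tgt: {"reflectors": len(e["reflectors"]), "bytes": e["bytes"]}
        for tgt, e in unsolicited.items()
        if len(e["reflectors"]) >= min_reflectors
    }


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
QUERY_BYTES, RESPONSE_BYTES = 64, 3072   # a small query and its large answer
SAMPLE_FLOWS = [
    # Legitimate lookup: internal host asks its resolver, gets a big answer back.
    Flow(100.0, "198.51.100.10", 40000, "203.0.113.5", 53, QUERY_BYTES),
    Flow(100.1, "203.0.113.5", 53, "198.51.100.10", 40000, RESPONSE_BYTES),
] + [
    # Reflection: 30 open resolvers answer queries the target never sent.
    Flow(200.0 + i * 0.01, f"192.0.2.{i}", 53, "198.51.100.20", 80, RESPONSE_BYTES)
    for i in range(1, 31)
]

if __name__ == "__main__":
    for target, info in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{target}: {info['reflectors']} reflectors, {info['bytes']} bytes, "
              f"x{amplification_factor(QUERY_BYTES, RESPONSE_BYTES):.0f} amplification")
```

The same check over real flow exports would flag the institution's own open or misconfigured resolvers as well, since a resolver that answers spoofed queries from anyone is what makes it usable as a reflector.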
Background

The Izz ad-Din al-Qassam Cyber Fighters are named after an anti-Zionist Muslim preacher who was active in the 1930s. Originally the group claimed affiliation with the “Occupy” movement and later the hacktivist group Anonymous. The more probable reality is that these were efforts to mask their intention to attack U.S. financial institutions, and possibly to gain access to more hacker tools. According to the U.S. Congress Intelligence Committee, the group is Iranian based. The Intelligence Committee has not posted any evidence supporting this claim. Command and control has been traced to Iranian IP addresses [4]. The lack of other activities conducted by the group and the length of time of their operation imply that, at the least, the Cyber Fighters are a sponsored group. Access to the Internet, computers, and accompanying expertise, in a country where these things are controlled, implies a significant level of official endorsement and/or support. The group has evolved and developed capability over the past year. Botnets have been developed and added to the brobot network. These botnets are the source of the information requests directed at the DNS systems and the financial institutions. Early attacks were described as simplistic and lasted minutes. Early 'brute force' tactics have evolved. In April the F.B.I. noted that the attacks had become much more sophisticated: scripts running the attack were capable of handling more computers, generating more hits and consuming much more bandwidth. The modified scripts also enhanced the brobots' ability to evade detection. The F.B.I. estimated that only 1/3 of the attack capability was being used.

Method of Operation

Currently the group conducts a reconnaissance attack on the DNS servers for a financial institution and on the institution itself, prior to the primary attack. Part of this effort can include a spear phishing campaign against the financial institution's network. The objective of the spear phishing attack is to gain passwords and then network access. During the reconnaissance probe, if a financial institution's web server shows slowed performance or some other issue(s), the reconnaissance probe will be stopped. The brobot network will be calibrated and days later a full scale DDoS attack will be mounted. Attacks tend to be mounted during peak business hours when there is already a load on the servers. In the most recent attacks, the DNS service providers were targeted by the reflected DDoS attacks.


A large volume of DNS requests is directed at the web servers of financial institutions. Potentially, servers can be slowed down and/or crashed. One effect of this is potentially corrupted or compromised data.

Impact

E-commerce firms have been and will continue to be the hardest hit. When they are off-line or even slowed down they can't earn revenue. When a major financial institution such as Charles Schwab is forced off-line for several hours, the damage is less tangible. Given that the attacks have been running for over a year, and many major American institutions have been hit, it is ASSESSED that there is a progressive loss of confidence in the American banking system by its clients [5]. The F.B.I. continues to report that the attacks are getting worse. Access is reduced at times. The possibility of banks being hacked becomes more established in the minds of their client base. Given enough time and even limited success, the integrity of the banking system will be mistrusted by an increasing percentage of the American public. The ongoing effect is progressively destabilizing the American financial system. This is economic warfare at a fundamental and psychological level.

Analysis

The growth of the brobot botnets [6], the development of the attack scripts and the refinement of attack methodology do not happen without a development team. This is almost certainly not a casual or part-time effort, but a consistent long-term effort to improve the overall malware systems. This in turn demonstrates that the group of people doing the work has long-term support. Long-term support is not merely food and shelter. It includes the Internet access and technical support necessary to conduct both development and operations. The targeting done by the Izz ad-Din al-Qassam Cyber Fighters is instructive. They have not targeted bank accounts or transactions like other groups or malware. They have targeted, and announced they are targeting, the top banks operating in the United States. The fact they have not targeted bank accounts or transactions suggests that their motive is not money. If the group is not providing their own resources, then their support must be provided externally. The lack of peer engagement, and no targeting of social media, universities, or other sites, suggests a select group operating under direction. It should also be noted that the attacks are not limited to American institutions. The Toronto-Dominion Bank has had one of its American subsidiaries attacked. Other Canadian financial subsidiaries have been attacked as well. We can extrapolate that any major financial institution operating in the United States may be subject to attack by the Izz ad-Din al-Qassam Cyber Fighters. The United States has demanded an economic embargo on Iran, both with its allies and in the United Nations. The targeting of the United States financial system, and only the American financial system, is highly suggestive of the government of Iran and/or the Iranian religious leadership. Other countries might appreciate disruption of the American economy, but very few countries would desire its wholesale destruction. There is more money to be made (or stolen) if the American economy is operating than if the American financial system collapsed. The attack on the financial backbone of the American economy would be 'payback' or 'justice' from the viewpoint of the Iranian government and clerics. There are many examples of Iranian rhetoric vowing overthrow or destruction of the United States. The recent attacks indicate significant increases in technical capability. The multiple concurrent attacks on DNS providers are new. Although DNS providers have been components of DDoS attacks, they were not the primary targets. The other major development is the increase in attack bandwidth from 40 Gbps to 167 Gbps. Although the F.B.I. assessment was that the attackers were using 1/3 of their capability, there is often a difference between theory and practice. This is a huge increase in demonstrated capability [7].

[1] Most recently, Charles Schwab was knocked off-line for 2 1/2 hours.

[2] From an F.B.I. assessment released 30 April 2013.

[3] The delay is probably to allow time to co-ordinate the attack and to issue instructions to the brobot botnet.

[4] Source: various computer security companies.


As significant as these developments are, there was no announcement or claim from the Izz ad-Din al-Qassam Cyber Fighters. This suggests they did not accomplish their intended objective. Over the past year the group has consistently improved their software as well as their TTPs, learning from each attack. They will almost certainly use this as another learning experience, and try again.

Assessment

Between its own claims and the command and control links, there is little doubt that the Izz ad-Din al-Qassam Cyber Fighters are an Iranian based hacker group. Due to the lack of religious messaging, the lack of military or government messaging, and the lack of peer messaging, this group is ASSESSED as senior or post-university level computer programmers (hackers). The group is MOST PROBABLY similar to patriotic contractors, highly loyal to the government (and/or senior religious leadership) and contracted for this speciality task. The lack of messaging could also be due to supervision, designed to keep the group focused on the task in hand. Noting their Internet access in a country where Internet access is controlled and monitored, the group could not operate without government sanction. Given the nature of who and what they target (namely the American financial system), the lack of immediate financial rewards, and the lack of peer activity, it is ASSESSED that the group is sanctioned by the Iranian government and/or senior clergy. The nature of the target, the progressive development of the brobot botnets, and the progressive development of the attack scripts and methodology are ASSESSED as evidence of an objective and of the long-term planning and development to achieve it. The MOST LIKELY objective is major disruption / major damage to the American financial system. The group's messaging does specifically target the top 50 U.S. financial institutions. The nature of the objective and the effort required to accomplish it implies there is long-term political, government and logistical support for the group to achieve this objective. One F.B.I. ASSESSMENT did speculate that the DDoS attacks may also be a cover for other attacks. Spear phishing attacks have been detected. It is ASSESSED that IF the Izz ad-Din al-Qassam Cyber Fighters have used spear phishing to penetrate American financial institutions it is HIGHLY LIKELY that they have had some successes. By success we mean the group has penetrated network security and has administrative access to more than one American financial institution. This ASSESSMENT is based on the overall success of spear phishing, the size and breadth of the industry (not everyone appreciates the need for security) and the fact that, across the banking industry, not all e-mails are automatically scanned for external links. The American banking industry has begun to examine the impact of these attacks on its “brands”. It is ASSESSED that the impact of the attacks is not a marketing issue but rather a psychological warfare issue. We have all heard the phrase: “where there is smoke there is fire ...”. The attacks on the American financial system have been underway for more than a year. The attackers have blocked access to a number of companies, at least temporarily. The attacks are increasing in capability. The U.S. media is covering these attacks, which adds to their impact. The F.B.I. briefed bank security officers in May, an item that was published in the American media. The aggregate impact of the attacks over time is a progressive loss of confidence in the American financial system. It is ASSESSED that given success against a major American institution, there will be a loss of confidence in the system as well as in the breached institution.

[5] Some American media commentators have asked: “do we have to be concerned (about the attacks)?” Even if a spokesman for the institution or a government spokesman says there is no cause for concern, the issue of the integrity of the U.S. financial system has been raised.

[6] Brobot botnets are networks of compromised computers (mostly home computers) that are used to send false information requests to DNS providers and financial institutions.

[7] easyDNS was forced off-line for more than two hours. The company President admitted that they misread the initial (reconnaissance) attack.


Since the Izz ad-Din al-Qassam Cyber Fighters' objective has not been accomplished, it is ASSESSED that their cycle of development, target selection, reconnaissance and attack is already occurring, and will continue to occur. It is ASSESSED as LIKELY that the group will access the network of more than one major American financial institution. It is ASSESSED that over time, the ongoing attacks and increasing capability will cause a progressive loss of trust in the American financial system, even if there are no known successful attacks. This campaign has the potential to achieve the group's apparent objectives (even without successful attacks). It is ASSESSED that from an Iranian perspective that is reason enough to continue the attacks. Given the technical issues associated with the June 3rd and 4th attacks, it is ASSESSED that the minimum that can be expected from the next attack will be:

- Better co-ordination of the attacks on DNS providers;
- Higher bandwidth reflective DDoS attacks; and
- Concurrent efforts to penetrate financial institutions' networks.

Summary

It is ASSESSED that the Izz ad-Din al-Qassam Cyber Fighters, operating with at least implicit support from the Iranian government, are embarked on a long-term campaign to cause a major failure in the American financial industry. The group itself is most probably a group of university seniors to post-university computer programmers organized into a collective. The collective is probably supervised (by the Iranian government and/or Iranian clergy) and focused on its objective. It is possible that the campaign against American financial institutions will cause a loss of confidence in the American financial system, even without a 'major success'. Stated another way: given that the Izz ad-Din al-Qassam Cyber Fighters must have some form of government support in order to operate, this campaign can be viewed as a nation vs. nation, cyber-warfare based economic warfare and psychological warfare campaign.


C/DIG Focus Reports provide detailed intelligence examination and review of specific computer security and/or cyber-warfare incidents, events and analysis. The focus is international and transnational cyber-security events, specifically national security, critical infrastructure, defence and related events, caused by nations and/or affecting transnational relationships.


For a dedicated briefing by the CSCSS Defence Intelligence Group on the issues and challenges regarding national entities and cyber-warfare, please contact us.

Contact Information

For more information on the Defence Intelligence Group or to find out how we can help you, please contact us.

- Washington D.C. +571.451.0312
- London, United Kingdom +44 2035141784
- North America +877.436.6746
- Middle East +800.653.407
- Australia +61 2 8003 7553

Email: [email protected] www.cscss.org/defence_intelligence.php

CSCSS / Defence Intelligence Group, through its CSCSS subsidiaries, is aligned with civilian and national computer security and intelligence agencies. C/DIG provides defence intelligence support to mission-essential requirements at every stage of the programming, product and business lifecycle. We deliver mission and technical expertise, delivery of intelligence products, and a commitment to client objectives and results at the strategic, operational and tactical levels. The Defence Intelligence Group works in real time to report, analyze, and forecast cyber-warfare incidents, events and trends. We provide credible, reliable, sustained intelligence services, defence intelligence expertise, skills, contingency planning, and solutions that help clients address and achieve their missions, goals and objectives securely.

The Centre for Strategic Cyberspace + Security Science is a multilateral, international, not-for-profit organization that conducts independent cyber-research, defence intelligence, cyber security and science while addressing the threats, trends and opportunities shaping international security policies and national cyberspace security initiatives. CSCSS, as a strategic leader in cyberspace, works jointly with key partners to address, develop and define cyber capabilities, cyber defence force capabilities, information dominance, and current operations. We deliver practical recommendations and innovative solutions and strategies to advance a secure cyberspace domain.

© 2013 Defence Intelligence Group, Center for Strategic Cyberspace & Security Science / CSCSS

WWW.CSCSS.ORG
