Over the past several months I have frequently been asked about my thoughts on the slate of DDoS attacks directed against the financial industry, and one question comes up time and time again: “Is the worst yet to come?” To be honest, I don’t know for certain, but it got me thinking about what the “worst” case scenario could be, which inspired the following.
Since September of last year, Izz ad-Din al-Qassam has engaged in cyberwarfare against U.S. financial institutions, and it is a war with which they have had a great deal of apparent success if we believe that their goal was to inconvenience U.S. bank customers by rendering online banking portals inaccessible for a number of hours at a time. Institutions are typically given notice on Pastebin before an attack is to occur, and cooperation through groups such as FS-ISAC have increased awareness of malicious traffic sources and mitigation techniques that have provided a degree of relief. Nonetheless, the attacks have continued with each successive wave proving to be more potent than the last. As a result, major U.S. banks have reported downtimes that are double of what they experienced last year. The key here is that while more than twenty institutions have been targeted, six major banks have received more attention than the rest. It appears that Izz ad-Din al-Qassam may be targeting a variety of institutions to both sharpen their skills and to mislead us as to their intentions. The media has maintained almost constant coverage of the attacks, as the financial industry and government officials struggle to identify who is truly responsible and what they aim to achieve.
Enemies that would never allow a free press for fear of the effects that an open discourse could have on their regimes may be depending on the influence of the media in the U.S. to negatively affect the perception of consumers about the stability of a particular financial institution. It starts by focusing their efforts on the institution with the weakest response to the previous attacks, among the major six targeted banks. A spearfishing campaign is undertaken to deliver malware with the hope of disabling internal bank systems and ATM host processing servers, similar to what South Korean banks experienced last month. At that point, the full capability of Brobot is brought to bear against that one bank, without any forewarning. Customers will be unable to access their funds through a number of channels, at which point the group will take responsibility and insinuate that customer accounts were at risk. Media coverage of the event would be inescapable, and the victim bank would see a run on deposits and a significant drop in share price as investors fear the worst. The media would identify other previous targets of Izz ad-Din al-Qassam, fueling speculation and panic, setting in motion a chain of events whereby U.S. banks are now dealing with a degree of fear not seen in more than 80 years.
The failure of Lehman Brothers nearly drove the United States into another Great Depression, which is often cited as the government’s impetus for propping up the financial sector in 2008 after the mortgage market collapse. The aforementioned scenario would necessitate another series of unpopular injections of capital into U.S. financial institutions by the Federal government, followed by what would likely be another recession. More than information sharing on best practices is needed – financial institutions should pool resources to ensure the availability of excess network capacity, and network operators must be involved in the effort to identify infected servers and to subsequently stop the malicious traffic its source. And while intelligence support is a good start, the Federal government must identify those responsible and cripple their ability to continue this campaign. The worst case scenario is unlikely, but any degree of plausibility should be wholly unacceptable to anyone with a vested interest in the stability of the U.S. financial system.