Published September 20, 2012
Anger over a film trailer mocking a sanctified Muslim religious figure has sparked violent protests across the Middle East that have taken the lives of dozens of people. Now, the strife is manifesting itself in the form of cyber war waged against America at home.
Over the course of this week, three major U.S. financial institutions have seen their web infrastructure targeted in technical attacks. On at least two occasions, groups or individuals claiming to be aligned with Muslims said the attacks were a reprisal for the ‘Innocence of Muslims’ trailer that ridiculed the Prophet Mohammad.
On Tuesday, Bank of America’s (BAC) website was inaccessible to some users over the course of several hours, according to multiple security experts and customer postings on social media platforms. A source told FOX Business the outage was the result of a technical attack levied against the domain name architecture of the second-biggest U.S. bank by assets.
A group calling itself the “cyber fighters of Izz ad-din Al qassam” took responsibility for the attack on a website called PasteBin, which is regularly used by cybercriminals to brag about exploits. The message said the movie was sacrilegious to all religions, not only Islam. It called on Muslims worldwide to do “whatever is necessary to stop spreading this movie.”
It went on to say the group will attack Bank of America and the New York Stock Exchange, institutions it referred to as “properties of American-Zionist Capitalists.”
Izz ad-din Al qassam is a reference to “a Syrian preacher of the same name who led efforts against Western powers in the 1920’s and 1930’s,” according to security firm Flashpoint Partners. It is also the name of an armed wing of Hamas, a terrorist group with roots in Palestine.
A file available for download on a website purportedly aligned with the attacker, accessed by FOX Business, claimed to enable individuals to participate in the cyber assault with basically a single click. An analyst at Flashpoint who reviewed the file said it was unlikely individual actors were able to use the computer program to materially affect the banking giant’s website.
Instead, the analyst believes “a large botnet” was used to generate the so-called Distributed Denial of Service (DDoS) attack – a tactic favored by hacking group Anonymous. Generally, botnets function by controlling a large number of computers that have been compromised without the knowledge of the machines' owners.
In what could be an important wrinkle, the Flashpoint analyst said the purpose of the download was probably to “generate a sense of purpose within the community.”
It was not possible to confirm whether the group was in fact responsible for the attack.
Chase.com, Chase’s consumer website, suffered intermittent outages throughout the day Wednesday into Thursday morning. A message on PasteBin from the same group that claimed to have carried out the BofA attack also took responsibility for the one on Chase. The message warned that the "series of attacks will continue" until the movie is erased. Using similar language, it also said "down with modern infidels."
A source told FOX Business Chase was still investigating what caused the large spike in traffic. The person said that the bank believes no customer data was compromised and that the firewall was never breached.
The analyst at Flashpoint said the outage was also likely due to a DDoS attack by a large botnet.
A Twitter account called @SaudiAnonymous1 called on followers to “FIRE” at NYSE’s website, NYSE.com, linking out to what Flashpoint believes is a webhive DDoS tool. This tool is different from the botnet method used in the other attacks. It is unclear whether the owner of the Twitter account was actually linked to the attack.
The attack was mostly unsuccessful, although a person familiar with the matter told FOX Business a small number of users in the U.S. had trouble accessing NYSE.com in a situation that lasted about an hour. The person said the problem was not widespread and did not impact any of the exchange operator's trading systems.
The Twitter messages used hashtags referring to countries in the Middle East and North Africa including: Algeria, Egypt, Tunisia, Morocco and the United Arab Emirates. Other messages on the same account called on hashtags referencing a slew of controversial groups including Occupy Wall Street and Anonymous.
The apparently sudden jump in the pace of attacks represents “the cyber aspect to the political situation in the Middle East,” the analyst at Flashpoint said. He cited as an example the Arab Spring, a revolutionary movement that began in December 2010.
“Activists saw the effectiveness of the Internet when they used it to communicate with each other and outside media during the protests,” he said. Indeed, social networking platforms, such as Twitter, have proven to be powerful tools in the revolutions in the Middle East and North Africa.
Rebels also saw non-state actors, such as Anonymous, wage attacks during the course of rebellions. This was particularly noticeable in Tunisia and Egypt where Anonymous hackers hit government websites with DDoS attacks, according to several published reports at the time.
“There are people who see themselves as both Arab Spring activists, and Anonymous members,” the Flashpoint analyst said. “It isn’t surprising that other Anonymous tactics, like the use of DDoS tools and Botnets, have made their way into the life of an Arab protestor.”
As evidence of this trend, imagery used by Anonymous has also turned up in sometimes violent protests across the Middle East in recent weeks that have taken the lives of dozens of individuals, including the U.S. ambassador to Libya. In particular, the Flashpoint analyst points to individuals wearing the “Guy Fawkes” masks that have grown synonymous with Anonymous.
“I expect that these events are really only the start of a growing trend to use the internet in conjunction with boots-on-the-ground protests worldwide,” the Flashpoint analyst said.
In fact, the Financial Services - Information Sharing and Analysis Center, which collaborates on security threats against the financial services industry, on Wednesday raised its cyber threat level to “high” from “elevated.” FS-ISAC cited “credible intelligence regarding the potential for DDoS and other cyber attacks against financial institutions,” as the reason for the move. FS-ISAC did not return requests for comment on the nature of the intelligence.
As the pace of attacks on American corporations has increased in recent years, analysts and the federal government have rung alarm bells that many networks remain vulnerable.
Deputy Defense Secretary Ashton Carter was quoted by Reuters as saying in a speech Wednesday that private networks across the U.S. remain vulnerable and that the speed at which companies are securing them is inadequate.
"I hope this isn't one of those situations where we won't do what we need to do until we get slammed," he said.
Jen Booton and Matt Egan contributed to this report.