Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo & Co. (WFC), have breached some of the nation’s most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults.
The attack, which a U.S. official yesterday said was waged by a still-unidentified group outside the country, flooded bank websites with traffic, rendering them unavailable to consumers and disrupting transactions for hours at a time.
Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the U.S. official, who asked not to be identified because he isn’t authorized to speak publicly. The extent of the damage may not be known for weeks or months, said the official, who has access to classified information.
“The nature of this attack is sophisticated enough or large enough that even the largest of the financial institutions would find it difficult to defend against,” Rodney Joffe, senior vice president at Sterling, Virginia-based security firm Neustar Inc. (NSR), said in a phone interview.
While the group is using a method known as distributed denial-of-service, or DDoS, to overwhelm financial-industry websites with traffic from hijacked computers, the attackers have taken control of commercial servers that have much more power, according to the specialists.
“The notable thing is the volume and the scale of the traffic that’s been directed at these sites, and that’s very rare,” Dmitri Alperovitch, co-founder and chief technology officer of Palo Alto, California-based security firm CrowdStrike Inc., said in a phone interview.
The assault, which escalated this week, was the subject of closed-door White House meetings in the past few days, according to a private-security specialist who asked not to be identified because he’s helping to trace the attacks.
President Barack Obama’s administration is circulating a draft executive order that would create a program to shield vital computer networks from cyber attacks, two former U.S. officials with knowledge of the effort said earlier this month.
The U.S. Senate last month failed to advance comprehensive cybersecurity legislation and the administration is contemplating using the executive order because it’s not certain that Congress can pass a cybersecurity bill, the officials said.
The group started almost two weeks ago with test attacks that triggered multiple alerts. The assault on financial firms began last week, starting with JPMorgan, Citigroup Inc. (C) and Charlotte, North Carolina-based Bank of America Corp. (BAC), moving successively this week to Wells Fargo, U.S. Bancorp (USB) and, yesterday, PNC Financial Services Group Inc. (PNC).
The industry’s Financial Services Information Sharing and Analysis Center posted a warning on its website dated Sept. 19 that cited “recent credible intelligence regarding” potential cyber attacks.
U.S. Bancorp is working with federal law enforcement officials after the attacks caused delays for customers, Nicole Garrison-Sprenger, a spokeswoman for the Minneapolis-based company, said in an e-mailed statement. Customer data and funds are secure, she said.
PNC was experiencing a high volume of Internet traffic, causing disruptions for some clients, Fred Solomon, a spokesman for the Pittsburgh-based bank, said in an e-mailed statement.
Bridget Braxton at San Francisco-based Wells Fargo, Bank of America’s Mark Pipitone, Andrew Bernt of New York-based Citigroup and Kristin Lemkau at JPMorgan declined to comment.
A group calling itself Izz ad-Din al-Quassam Cyber Fighters claimed responsibility for the assault in a statement posted to the website pastebin.com, saying it was in response to a video uploaded to Google Inc.’s YouTube, depicting the Prophet Muhammad in ways that offended some Muslims.
The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to Alperovitch and Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said.
“The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said.
Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation, and Peter Boogaard at the U.S. Department of Homeland Security, declined to comment.
Businessweek: By Chris Strohm and Eric Engleman