DDoS Attacks: More to Come?
Jan. 28 Attacks Raise Questions About Alleged Attackers, Motives
While numerous organizations that track cyber-attack activity have confirmed distributed-denial-of-service attacks were waged Jan. 28 against two leading U.S. banks, they're fuzzy about the nature of the hacktivist group claiming credit - and whether the group, in fact, is responsible for the incidents. They also are not sure whether to expect more attacks from the group (see DDoS: New Attacks Against Banks).
The European Cyber Army has taken credit for DDoS attacks waged Jan. 28 against Bank of America and JPMorgan Chase. Neither bank has responded to Information Security Media Group's request for comment on those alleged attacks.
But DDoS-tracking experts, the majority of whom asked to remain anonymous, say both banks were hit Jan. 28 by high-volume DDoS attacks that have been linked to Brobot, the botnet built by Izz ad-Din al-Qassam Cyber Fighters, the self-proclaimed hacktivist group that targeted U.S. banking institutions from the fall of 2012 to the summer of 2013 (see DDoS: Prepare for the Next Wave).
No new attacks have been detected or reported since Jan. 28, and that has left DDoS experts puzzled. None can say what will come next because the motivations behind these attacks remain unclear.
The European Cyber Army seems to more closely resemble Anonymous, an undefined group of hacktivists who have no obvious connection to each other, rather than al-Qassam, which is apparently a more tightly knit group with a specific political agenda, says Gary Warner, a cyber-attack researcher at the University of Alabama at Birmingham and chief technologist of cyber-intelligence firm Malcovery.
"The folks calling themselves the European Electronic Army are taking credit for attacks they did not do," Warner contends. "They have posted lists of e-mail addresses they say they got from a database breach, which I highly doubt."
Warner says the database infrastructure used to house that type of e-mail information would not have been penetrable with the type of attack claimed. "They probably got those e-mail addresses from a public listing," he says.
Since Jan. 24, ECA, which uses the Twitter handle @ECA_Legion, has taken credit for alleged attacks against uscourts.gov, a court records site, and pacer.gov, the Public Access to Court Electronic Records site, which is used by attorneys and journalists to access court records online.
In a tweet posted Jan. 24, ECA writes: "Government of #USA! We have taken the liberty of #Nuking your website http://USCourts.gov ! We are the #ECA#EuropeanCyberArmy."
But according to a statement provided Jan. 24 by the Federal Bureau of Investigation to the Wall Street Journal, those online outages resulted from "technical problems," not DDoS attacks.
The group also has taken credit for alleged strikes against NSA.gov, the website of the National Security Agency, and threatened to attack the website of the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.
"Some of these groups, such as the European Cyber Army, seem to just have invented themselves this week," Warner says. "We do have information that the same botnet tools that were behind the attacks against leading banks [last year] were used here again against leading banks this week. But we don't know who's using the botnet."
The attacks waged Jan. 28 don't look like anything the ECA has waged in the past, says another DDoS expert, who asked not to be named.
"In some ways, it doesn't matter if they really caused the outage as long as people think ECA caused the outage," the expert says. "BofA and Chase, however, were [hit by] a botnet DDoS. This we know. We don't know if ECA was running the attack."
Other experts question why ECA has not named its targets prior to its attacks, as was customary during the 2012-2013 DDoS strikes against U.S. banks. Izz ad-Din al-Qassam Cyber Fighters garnered political and public attention by naming its targets on the open online forum Pastebin before striking, thus eliminating any uncertainty about whether the group, in fact, was the perpetrator.
ECA's failure to name targets in advance even raised questions among the group's Twitter followers. On Jan. 28, in response to claims about the bank attacks, one ECA follower writes: "@ECA_Legion fine, next time you do it, tweet about it first, so you don't just look like a ... clown trolling for user complaints."