9/11 DDoS Attacks Flop, But What's Next?
Experts Say Attacks Linked to Syria a Greater Concern
Operation USA's planned Sept. 11 distributed-denial-of-service attacks against U.S. banking institutions and governmental agencies turned out to be uneventful, with no evidence of any sites being disrupted, experts say. But every cyberthreat has to be taken seriously, they stress. And they point to the risk of other, more potent DDoS attacks from other groups, especially those with connections to Syria.
Greg Garcia, spokesman for the Financial Services Information Sharing and Analysis Center, says this OpUSA threat, just like the first planned OpUSA strike set for May 7 by the hacktivist group Anonymous, had no impact on U.S. banking institutions (see OpUSA: A Lackluster DDoS Operation).
"We haven't had any reports of outages," Garcia said just past 3 p.m. ET on Sept. 11. "This was not a successful attack, at least not so far today."
When contacted, the Department of Homeland Security did not report any DDoS attacks against government sites related to Sept. 11.
Garcia says it's not clear if the attacks waged as part of OpUSA have been unsuccessful because of a lack of capability or organization. But Dan Holden, director of the security engineering research team for DDoS-prevention provider Arbor Networks, says it's a combination of both. In fact, attacks waged by Anonymous, and related groups such as AnonGhost, have proven increasingly ineffective, he says.
And while Holden acknowledges that all threats have to be taken seriously, he argues that Anonymous does not pose as serious a threat as Izz ad-Din al-Qassam Cyber Fighters, or QCF, the self-proclaimed hacktivist group that's been targeting U.S. banks since September 2012.
"What is worrying me is Syria, not OpUSA," Holden says. "The [hacktivist group] Syrian Electronic Army has said quite clearly that if the U.S. does anything [such as launch a military strike], they are coming after us [with cyber-attacks]. And if there is any sympathy for that, it's a great excuse for QCF to repurpose it attacks, to retool and reuse their botnet for something else. They could jump onboard there."
DDoS Prep and Mitigation
The financial industry took the OpUSA threat seriously and was well-prepared, says Garcia of FS-ISAC.
"We have been recommending that our members use the DDoS-mitigation tools and patches we have provided, and we are constantly updating our tools," he says. "The banks have responded and have implemented their DDoS mitigation strategies. They have been watching all of this closely."
Ashley Stephenson, CEO of Corero, a DDoS-mitigation provider, adds: "As far as OpUSA is concerned, the only activity we're seeing is from the preparedness side. The banks' proactive action is what we see, and that's been a good thing. ... We have to address these things efficiently, and by being proactive, no one needs to panic on the day of an attack."
The Warnings
On Aug. 5, the Federal Bureau of Investigation issued a warning about DDoS targeting U.S. websites and servers on Sept. 11. The warning noted that banking sites were expected targets. And because the previous OpUSA campaign also targeted government sites, they, too, were deemed at risk, experts say.
"The FBI is aware of a possible cyber-related threat to United States-based and foreign financial institutions on or about September 11, 2013," the FBI alert stated. "Although previous iterations of this effort have had limited, if any, impact to the targeted entities, the FBI encourages the private sector to take reasonable steps in securing cyber infrastructure in light of possible threats. As always, individuals are urged to exercise reasonable caution and vigilance when accessing these institutions' websites during the affected time period."
The FBI also noted that OpUSA and Operation Israel, which targeted Israeli banking institutions and other critical infrastructure organizations in May, are likely connected, and that sites in both countries were at risk of attack on Sept. 11.
"OpUSA was officially announced and organized by Mauritania Attacker, who launched OpIsrael and is the founder of Mauritania Hacker Team, and AnonGhost Team," the FBI stated. "Open-source reporting declared the April 2013 OpIsrael [threat] to be a failure, with minimal impact for online operations."
The FS-ISAC on Aug. 5 issued a separate warning to its member institutions, noting banking institutions that were likely to be targeted in the attacks. The list of potential attack targets includes the same 133 U.S. banking institutions named in the April 24 Anonymous post that appeared on Pastebin during the first OpUSA campaign.
The concern now for banking institutions and other organizations should not be OpUSA, but what Izz ad-Din al-Qassam Cyber Fighters might do next, Arbor Networks' Holden says.
It's been almost a year since the group began waging attacks against U.S. banks, he notes. "If they're going to keep going, why not pick and hit a different victim, like government?"