Hackers change tack, now seek to destroy

American Express customers trying to gain access to their online accounts recently were met with blank screens or an ominous ancient type face. The company confirmed that its website had come under attack.

The assault, which took American Express offline for two hours, was the latest in an intensifying campaign of unusually powerful attacks on American financial institutions that began last September and have taken dozens of them offline intermittently, costing millions of dollars.

JPMorgan Chase was taken offline by a similar attack this month. And recently, a separate, aggressive attack incapacitated 32,000 computers at South Korea’s banks and television networks.

The culprits of these attacks, officials and experts say, appear intent on disabling financial transactions and operations. Corporate leaders have long feared online attacks aimed at financial fraud or economic espionage, but now a new threat has taken hold: attackers, possibly with state backing, who seem bent on destruction.

“The attacks have changed from espionage to destruction,” said Alan Paller, director of research at the SANS Institute, a cyber-security training organisation. “Nations are actively testing how far they can go before we will respond.”

Security experts who studied the attacks said that it was part of the same campaign that took down the websites of JPMorgan Chase, Wells Fargo, Bank of America and others over the last six months. A group that calls itself the Izz ad-Din al-Qassam Cyber Fighters has claimed responsibility for those attacks.

The group says it is retaliating for an anti-Islamic video posted on YouTube last fall. But American intelligence officials and industry investigators say they believe the group is a convenient cover for Iran. North Korea is considered the most likely source of the attacks on South Korea, though investigators are struggling to follow the digital trail, a process that could take months.

The largest contingent of instigators of attacks in the private sector, government officials and researchers say, remains Chinese hackers intent on stealing corporate secrets.

The American and South Korean attacks underscore a growing fear that the two countries most worrisome to banks, oil producers and governments may be Iran and North Korea, not because of their skill but because of their brazenness. Neither country is considered a superstar in this area. The appeal of digital weapons is similar to that of nuclear capability: it is a way for an outgunned, outfinanced nation to even the playing field.

“These countries are pursuing cyber-weapons the same way they are pursuing nuclear weapons,” said James A. Lewis, a computer security expert at the Center for Strategic and International Studies in Washington. “It’s primitive; it’s not top of the line, but it’s good enough and they are committed to getting it.”

American officials are currently weighing their response options, but the issues involved are complex. At a meeting of banking executives, regulators and representatives from the departments of Homeland Security and Treasury last December, some pressed the United States to hit back at the hackers, while others argued that doing so would only lead to more aggressive attacks, according to two people who attended the meeting.

Neither Iran nor North Korea has shown anywhere near the subtlety and technique in online offensive skills that the United States and Israel demonstrated with Olympic Games, the ostensible effort to disable Iran’s nuclear enrichment plants with an online weapon that destabilised hundreds of centrifuges, destroying many of them. But after descriptions of that operation became public in the summer of 2010, Iran announced the creation of its own Cyber Corps.

North Korea has had hackers for years, some of whom are believed to be operating from, or through, China. Neither North Korea nor Iran is as focused on stealing data as they are determined to destroy it, experts contend.

When hackers believed by American intelligence officials to be Iranians hit the world’s largest oil producer, Saudi Aramco, last year, they did not just erase data on 30,000 Aramco computers; they replaced the data with an image of a burning American flag. In the assault on South Korea last week, some affected computers displayed an ominous image of skulls.

“This attack is as much a cyber-rampage as it is a cyber-attack,” Rob Rachwald, a research director at FireEye, a computer security firm, said of the South Korea attacks.
In the past, such assaults typically occurred through a denial-of-service attack, in which hackers flood their target with web traffic from networks of infected computers until it is overwhelmed and shuts down. One such case was a 2007 Russian attack on Estonia that affected its banks, the Parliament, ministries, newspapers and broadcasters.

With their campaign against American financial institutions, the hackers suspected of being Iranian have taken that kind of attack to the next level. Instead of using individual personal computers to fire web traffic at each bank, they infected powerful, commercial data centers with sophisticated malware and directed them to simultaneously fire at each bank, giving them the horsepower to inflict a huge attack.

As a result, the hackers were able to take down the consumer banking sites of American Express, JPMorgan Chase, Bank of America, Wells Fargo and other banks with exponentially more traffic than hit Estonia in 2007.

In the attack on Saudi Aramco last year, the culprits did not mount that type of assault. Instead, they created malware designed for the greatest impact, coded to spread to as many computers as possible.

Likewise, the attacks last week on South Korean banks and broadcasters were far more sophisticated than coordinated denial-of-service attacks in 2009 that briefly took down the websites of South Korea’s president and its Defense Ministry. Such attacks were annoyances; they largely did not affect operations.

This time around in South Korea, however, the attackers engineered malware that could evade popular South Korean antivirus products, spread it to as many computer systems as possible, and inserted a “time bomb” to take out all the systems at once for greatest impact.

The biggest concern, Lewis said: “We don’t know how they make decisions. When you add erratic decision making, then you really have something to worry about.”