Anonymous Threatens Bank DDoS Disruptions

Follows Collective's 'Total War' Against Donald Trump
Still from an Anonymous video announcing Operation Icarus. (Source: YouTube.)

After earlier this year declaring "total war" against U.S. Republican presidential candidate Donald Trump, the hacktivist group Anonymous is now threatening global banks with 30 days of distributed denial-of-service attack disruptions.

As a preview, on May 2, the group claimed to have disrupted the website of Greece's central bank. "Olympus will fall. A few days ago we declared the revival of Operation Icarus. Today we have continuously taken down the website of the Bank of Greece," the group said in the video, which was posted on YouTube and delivered in the classic Anonymous style via a disembodied, computerized voice.

"This marks the start of a 30-day campaign against central bank sites across the world," it adds. "Global banking cartel, you've probably expected us."

Of course, banks have previously been targeted en masse by DDoS attackers. Beginning in 2012, for example, attacks waged by a group calling itself the "Izz ad-Din al-Qassam Cyber Fighters" continued to disrupt U.S. banks' websites as part of what it called "Operation Ababil." In March, the Justice Department unsealed indictments against seven Iranians - allegedly working on behalf of the Iranian government - accusing them of having waged those attacks. Regardless of who was involved, it's unclear if Anonymous could bring similar DDoS capabilities to bear for its Operation Icarus.

A Central Bank of Greece official, who declined to be named, confirmed the May 2 DDoS disruption to Reuters, but said the effect was minimal. "The attack lasted for a few minutes and was successfully tackled by the bank's security systems. The only thing that was affected by the denial-of-service attack was our website," the official said. Greek banks have previously been targeted by DDoS extortionists demanding bitcoins (see Greek Banks Face DDoS Shakedown).

"It would have been better if no disruption occurred, but it is good that the attack - if that is what caused the disruption - was handled so quickly," says information security expert Brian Honan, who's a cybersecurity expert to the EU's law enforcement intelligence agency, Europol.

A "World Banking Cartel Master Target List" published by Anonymous to text-sharing site Pastebin early this month lists the U.S. Federal Reserve, as well as Fed banks in Atlanta, Boston, Chicago, Dallas, Minneapolis, New York, Philadelphia, Richmond and St. Louis. Also on the target list are websites for the International Monetary Fund, the World Bank as well as 158 central banks' websites. In a related video missive issued March 31, Anonymous urged its members to "take your weapons and aim them at the New York Stock Exchange and Bank of England," promising that "this is the operation to end all others."

The planned Anonymous operation follows elements of the collective earlier this year declaring "total war" against Trump, and on April 1 temporarily disrupting several of Trump's websites, The Hill reports (see DDoS: 4 Attack Trends to Watch in 2016). Since then, of course, Trump has become the only Republican presidential candidate left standing after his massive win in this week's Indiana primary.

Banks: Beware DDoS Threats

While the Anonymous bark doesn't always equal its bite, in the wake of this alert, "banks in the United Kingdom, United States and Latin America should be very prepared" against potential attacks, says Carl Herberger, vice president of security for DDoS-mitigation and security firm Radware.

"In the same vein as someone yelling 'bomb' at an airport or fire at a movie theater, cyber-attack threats - whether idle or not - are not to be taken lightly," he says, although he adds that the number of threatened DDoS attacks outweighs the quantity of actual attacks.

Herberger says in light of the new threat, all banks should review their DDoS defense plans, keeping in mind that DDoS attackers do continue to refine their tactics, as seen in the disruption of Geneva-based encrypted email service ProtonMail (see Refined Ransomware Streamlines Extortion).

"As the attacks on ProtonMail in November 2015 have demonstrated ... attackers change the profile of their attacks frequently and leverage a persistent and advanced tactic of revolving attacks geared to dumbfound detection algorithms," he says, dubbing such tactics "advanced persistent DoS."

Maintain a DDoS Defense Plan

Security experts have long recommended that all organizations have a DDoS defense plan in place. The U.K.'s national fraud and cybercrime reporting center, ActionFraud, for example, recently issued the following advice to all organizations:

  • Review: "Put appropriate threat reduction/mitigation measures in place," tailored to the risk DDoS disruptions would pose to the organization.
  • Hire: If DDoS attacks are a threat, seek professional help. "If you consider that protection is necessary, speak to a DDoS prevention specialist."
  • Prepare: All organizations should liaise with their ISP in advance of any attack. "Whether you are at risk of a DDoS attack or not, you should have the hosting facilities in place to handle large, unexpected volumes of website hits."

DDoS Extortions Spike

The guidance from ActionFraud, released April 29, also warned that the center has recently seen a spike in DDoS extortion threats from an unnamed "online hacking group" demanding the equivalent of $2,250 to call off their planned attack.

"The group has sent emails demanding payment of 5 bitcoins to be paid by a certain time and date. The email states that this demand will increase by 5 bitcoins for each day that it goes unpaid," ActionFraud's alert states. "If their demand is not met, they have threatened to launch a [DDoS] attack against the businesses' websites and networks, taking them offline until payment is made."

ActionFraud advises targeted organizations: "Do not pay the demand." That echoes longstanding advice from law enforcement agencies globally (see Please Don't Pay Ransoms, FBI Urges). ActionFraud also urges organizations to keep all copies of DDoS extortion emails - including complete email headers - as well as a complete timeline for the threats and any attacks, and to immediately report threats or attacks to authorities.

Investigators say that keeping complete records - including packet-capture logs - is essential for helping to identify perpetrators. Or as ActionFraud advises: "Keep a timeline of events and save server logs, web logs, email logs, any packet capture, network graphs, reports, etc."

Masquerading as Armada Collective?

CloudFlare, a DDoS mitigation firm, reports that related attacks began in March and have been carried out under the banner of Armada Collective, as well as potentially Lizard Squad, although it's not clear if those groups are actually involved (see Analysis: Impact of DD4BC Arrests).

It's also unclear if the threatened DDoS disruptions have ever materialized (see Cyber Extortion: Fighting DDoS Attacks). "We've been unable to find a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack," CloudFlare CEO Matthew Prince says in a blog post. "In fact, because the extortion emails reuse bitcoin addresses, there's no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundreds of thousands of dollars in extortion payments."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
