Son of STUXNET? Iran Believed Behind US Bank Attacks

The Flame virus

It seems there is considerable suspicion that Iran is behind the long string of disruptions to the networks of US banks and financial institutions. Or at least James A. Lewis at CSIS is willing to say so publicly. Behind closed doors, speculation has been rife that these disruptions carry an Iranian fingerprint.

“There is no doubt within the U.S. government that Iran is behind these attacks,” said James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies in Washington.

I am not asserting that these attacks either did or did not contain portions of that highly sophisticated STUXNET code, which information security analysts fear will keep turning up in altered form for a long time. Neither the US government nor, certainly, the private banking institutions will say. What I mean is that this may be a counter-stroke by Iran, partly in retaliation for STUXNET and partly to disrupt the US economy as revenge for the sanctions Iran has been placed under. And there is this:

American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers.

Whatever technical and HUMINT sources might confirm such claims are not for public disclosure. And while the statement above is partly true, it is misleading. It implies that only state-sponsored "hackers" are the real professionals. This is hardly the case; the reality is closer to the opposite. Those who are the true "hackers" have often been in the business, selling their services for considerable sums, for more than a decade. Non-state entities such as Hamas, Hezbollah, Al Qaeda, and others that are well-funded and have an axe to grind can buy the services of extremely sophisticated "Black Hats" who are little constrained by laws or diplomatic niceties. "Anonymous", a loose confederation of activists, is the most dramatic example, but there have been environmental activists and other organizations that have obtained, or may look to obtain, such capability.

Another rather unsound assertion later in the article:

In an amateur botnet, the command and control center can be easily identified, but Mr. Herberger said it had been nearly impossible to do so in this case, suggesting to him that “the campaign may be state-sponsored versus amateur malware.”

Don't you believe it. Botnets constructed by so-called "amateurs" are just as sophisticated and just as hard to decipher. In addition, those whose intent is exploitation rather than disruption are all but invisible. Detection of penetrations by skilled intruders often comes months or even years after the fact, with the damage long done and the information system often laid bare to further exploits. Money siphoning, identity theft, industrial espionage, military and diplomatic espionage, manipulation of SCADA systems for the purpose of causing physical damage and loss of life: all of these can happen without detection until after the event(s). Attribution, the ability to say with certainty where an attack or exploit originated, remains virtually impossible through purely technical means when a skilled entity is responsible, and any confirmation through other sources remains out of public view.

Whether this set of attacks originated in Iran or not, we should be prepared to see much more of the same. Whether it rises above the noise of the hundreds of thousands of known exploits that surreptitiously extract billions in cash, proprietary information, state secrets, personal credit data, and other sensitive treasure remains to be seen. There is also one very disturbing cautionary note:

These clouds are run by Amazon and Google, but also by many smaller players who commonly rent them to other companies. It appears the hackers remotely hijacked some of these clouds and used the computing power to take down American banking sites.

“There’s a sense now that attackers are crafting their own private clouds,” either by creating networks of individual machines or by stealing resources wholesale from poorly maintained corporate clouds, said John Kindervag, an analyst at Forrester Research.

Now, if you’ll excuse me, I just got an e-mail from an Austrian Prince who needs my bank information to wire me a down-payment for helping to find his long-lost cousin.

2 thoughts on “Son of STUXNET? Iran Believed Behind US Bank Attacks”

  1. Heh! That’s nothing. I just got a note from a guy in Nigeria who’s asking for help to get 150 million out of Mozambique and is going to give me a 30% cut. Austrian Princes are tightwads.

    For the readers who don't know what SCADA means, it is Supervisory Control and Data Acquisition. Such systems are on a lot of potable water systems (the system that feeds the tap in your kitchen sink and shower). If you could hack into those SCADA systems you could create a massive amount of havoc.

    1. QM, yeah, thanks for the clarification on SCADA. Jargon and acronyms are the two poison pills of oratory.
