In an era of cyberwarfare, financial institutions can find themselves in the crossfire. The U.S. government indicted seven Iranian hackers last week, charging the individuals for their roles in a 2011 series of cyber-attacks targeting at least 46 major banking institutions. The attacks, which Attorney General Loretta Lynch called “relentless,” “systematic” and “widespread,” were carried out for nearly a year and included targets such as JPMorgan Chase, Wells Fargo, Bank of America, NASDAQ, and the New York Stock Exchange.
Banks have long known of the danger posed by distributed denial-of-service (DDoS) attacks in which hackers crash a target’s network by flooding it with high levels of traffic. In this case, the Iranian programmers hit some financial institutions with DDoS attacks on a nearly weekly basis, paralyzing bank infrastructure and locking users out of online banking. Such attacks have been increasing in frequency and sophistication in recent years, with Arbor Networks’ recent Worldwide Infrastructure Security Report finding that 57 percent of financial institutions had experienced a DDoS attack, the highest rate of any sector.
Although the indictment falls short of characterizing the attacks as acts officially sanctioned by the Iranian government, intelligence experts have suggested that the campaign was orchestrated as retaliation for the United States’ alleged cyber-attack on Iran’s main nuclear enrichment plant. That attack, revealed in 2010, employed the so-called Stuxnet virus to disrupt Iranian centrifuges used in the enrichment of uranium. Not coincidentally, the recent U.S. indictment also charged the seven Iranians with launching a cyber-attack designed to take control of a small dam in New York.
Commentators remain skeptical that any of the Iranian hackers will ever be brought to trial, but one thing is certain: financial institutions must continue to improve their cybersecurity infrastructure, which may face threats not only from individuals, but potentially from foreign governments as well.
The full indictment can be downloaded here.