January 16th, 2013
By SIOBHAN GORMAN and DANNY YADRON
Major U.S. banks are pressing for government action to block or squelch what Washington officials say is an intensifying Iranian campaign of cyberattacks against American financial institutions.
Financial firms have spent millions of dollars responding to the attacks, according to bank officials, who add that they can’t be expected to fend off attacks from a foreign government.
Defense officials have said Iran’s government is behind the assault. Officials from several affected banks, including PNC Financial Services Group Inc., SunTrust Banks Inc. and BB&T Corp. , are urging the U.S. government to stop or mitigate the attacks, according to investigators.
The outcry is particularly significant from an industry that usually seeks to keep the government at arm’s length. Financial-services groups opposed a legislative effort last year to establish cybersecurity standards for key private-sector businesses, saying it could undermine protections already in place.
“The financial sector has historically been so sophisticated and organized in its security approach,” said Kiersten Todt Coon, a former staff member on the Senate Homeland Security and Governmental Affairs Committee and now president of Liberty Group Ventures LLC, a risk-management firm. “When they choose to go to the government, that shows how strong the severity of this threat is.”
The Iranian government “categorically denies” any involvement in the attacks, said Alireza Miryousefi, spokesman for Iran’s mission to the United Nations. “The malicious, false allegations against Iran are aimed at demonizing Iran and provide the excuse for further actions,” he added. Tehran has complained to the U.N. about foreign cyberattacks against Iran.
U.S. officials have been weighing options, including whether to retaliate against Iran, officials say. The topic was discussed at a high-level White House meeting a few weeks ago, a U.S. official said, adding, “All options are on the table.”
U.S. officials believe they have some time to assess options, because the assaults haven’t escalated to the destruction or manipulation of bank data, the official said. But the affected banks, seeing an unending assault that is soaking up profits and undermining consumer confidence, say the problem is urgent. “We’d like them to act,” one bank official said.
The incidents are believed to have begun early last year as unusually potent “denial-of-service” strikes on Bank of America Corp. , investigators say. Such attacks aim to knock an organization offline by bombarding its website with electronic requests. Because of the complex execution of these high-end denial-of-service attacks, it was difficult to immediately defend against it, a telecom-industry specialist said.
The hacking network surfaced again over the summer, attacking oil and gas companies in the Persian Gulf.
In September, the group turned back to U.S. banks. The next month, Defense Secretary Leon Panetta warned the perpetrators to cease, but the U.S. government hasn’t acted to put a stop to the attacks.
Initially, the assaults on individual banks were announced by hackers in advance. But lately, they have targeted multiple banks simultaneously without specific warning. The attacks have affected most of the top dozen U.S. banks, investigators and bank officials say.
The group’s most recent Internet announcement boasted its resiliency. “Despite the high cost of U.S. banks to deal with these attacks, the attacks cannot go under control and are unstoppable,” the group wrote on Jan. 8.
The hackers are using a network of tens of thousands of infected computers running corporate websites, investigators say. The attacks are considered more difficult to stop because they are coming from computers that could have legitimate reasons to communicate with the banks, said one bank official. Roughly half of those computers are overseas and out of the reach of U.S. law enforcement.
Bank representatives have discussed the attacks with officials from a range of U.S. agencies, including the White House, National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, and Treasury Department.
Treasury officials held a series of meetings with individual bank representatives in December to ensure that all parties were working from the same set of information about the attacks, an investigator said. The FBI has been providing updates and warnings to banks of impending attacks as it continues an investigation. In some cases, U.S. officials have visited banks to assess their data, the investigator said.
A number of affected banks would like the government to either block the attacks or take down the network of computers mounting them, bank officials said. Other options for government action include complaining through diplomatic channels and counterattacks, said industry officials familiar with the investigation.
The U.S. government also could work with Internet providers to block traffic coming from computers in Iran tied to the network, a former U.S. official said.
Overall the financial services industry is still split over whether Washington should take on a more forceful role.
Last month, financial services executives, regulators and officials from the departments of Treasury and Homeland Security officials gathered at a meeting in the Washington suburbs to discuss the latest round of attacks. Some argued that U.S. government should go after the hackers, while others cautioned that offensive action could lead to retaliation, additional attacks against the banks, or unforeseen consequences, said one security executive who attended the meeting.
Most of the banks declined to comment. PNC, which has acknowledged the attacks, referred to its statement to customers that the bank “has taken steps to block this [attack] traffic and maintain online and mobile banking access for the vast majority of its customers.” A SunTrust spokesman said the company wouldn’t comment “on security-related matters.”
An Obama administration official said the U.S. government has been “a very active partner” in working with the private sector. The Treasury Department, National Security Agency and Federal Bureau of Investigation either declined to comment or referred questions elsewhere.