How Iranian Hackers Used The Cloud To Attack Major Banks And Why It Matters

U.S. officials believe a series of cyberattacks striking major banks including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC were the work of the Iranian government, potentially escalating the already tense cybersecurity standoff between the two nations. The type of attack used, a distributed denial of service (DDoS) attack, is relatively harmless in that it disrupts access to services rather than stealing money or personal information. But the tactics the attackers used raise concerns about the security challenges created by our reliance on so-called “cloud” services and on the security of the data centers behind them, the New York Times reports:

“Researchers at Radware who investigated the attacks for several banks found that the traffic was coming from data centers around the world. They discovered that various cloud services and public Web hosting services had been infected with a particularly sophisticated form of malware, called Itsoknoproblembro, that was designed to evade detection by antivirus programs. The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims.

By infecting data centers instead of computers, the hackers obtained the computing power to mount enormous denial of service attacks. One of the banks had 40 gigabits of Internet capacity, Mr. Herberger said, a huge amount when you consider that a midsize business may only have one gigabit. But some banks were hit with a sustained flood of traffic that peaked at 70 gigabits.”

The way a typical DDoS attack has worked in recent years is pretty straightforward: the attacker leverages a botnet, a collection of internet-connected computers whose control has been ceded to a third party through security breaches, to take down a site by overwhelming it with more requests than it can handle at once. A botnet can be a few hundred computers or a few million, but botnets are almost exclusively used for nefarious ends. In this case the attackers applied the same botnet structure to servers in compromised data centers, and because a single hosted server sits on far more upstream bandwidth than a home PC, the force behind the flood increased dramatically.

And as we increase our use of cloud storage and data centers, the potential force available from this source is on the rise: global data center IP traffic is expected to nearly quadruple over the next five years to 6.6 zettabytes annually. For reference, a zettabyte is equal to one billion terabytes. Traffic volume is only a proxy, of course; what an attacker actually gains from a compromised server is its share of that upstream bandwidth.

Ultimately, this should be a wake-up call to the security professionals whose data centers were used to perpetrate these attacks. We often think of security in the cloud as safeguarding corporate secrets or our personal digital lives, but if you are not properly securing your network, it is not just the safety of your own network at risk, it is the safety of everyone your network could be used against.
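As an added example that is not part of the article or of Radware's work, the following Python sketch shows the check an operator of one of those hosting networks would want after reading the botnet description above and the warning just given: are hosts in my own network sourcing a flood toward an outside victim? It runs over NetFlow-style records and flags two patterns, a single server pushing an implausible sustained rate at one destination, and several servers converging on one destination at once (the many-bots-one-victim signature). The records, the 10.20.0.0/16 "our network" prefix, the documentation-range victim addresses and the thresholds are all constructed assumptions.

```python
"""
Added example (not from the article or from Radware): a first-cut check for
servers in *our own* hosting network quietly flooding an outside victim.
Flow records, the OUR_PREFIX network and the thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start, seconds since epoch
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    packets: int
    nbytes: int


OUR_PREFIX = "10.20."           # constructed: the addresses we host
WINDOW_SECONDS = 60             # aggregation window
SINGLE_HOST_MBPS = 200.0        # one host sustaining this toward one dst is suspect
COORDINATED_MBPS = 50.0         # per-host rate that counts toward a coordinated flood
MIN_COORDINATED_HOSTS = 3       # this many hosts at >= COORDINATED_MBPS to one dst


def mbps(nbytes: int, seconds: int) -> float:
    """Bytes moved over `seconds`, expressed as megabits per second."""
    return nbytes * 8 / seconds / 1_000_000


def flag_outbound_floods(flows):
    """Return {(window_start, dst): {...}} for destinations our hosts are flooding:
      * "single-host":  one server pushes >= SINGLE_HOST_MBPS toward one dst
      * "coordinated":  >= MIN_COORDINATED_HOSTS servers each push >= COORDINATED_MBPS
                        toward the same dst in the same window
    Only flows sourced inside OUR_PREFIX and destined outside it are considered."""
    per_src_dst = defaultdict(int)        # (window, src, dst) -> bytes
    for f in flows:
        if not f.src.startswith(OUR_PREFIX) or f.dst.startswith(OUR_PREFIX):
            continue                      # inbound or internal traffic: out of scope
        window = f.ts - f.ts % WINDOW_SECONDS
        per_src_dst[(window, f.src, f.dst)] += f.nbytes

    by_dst = defaultdict(list)            # (window, dst) -> [(src, mbps), ...]
    for (window, src, dst), nbytes in per_src_dst.items():
        by_dst[(window, dst)].append((src, mbps(nbytes, WINDOW_SECONDS)))

    report = {}
    for key, hosts in by_dst.items():
        reasons = []
        if any(rate >= SINGLE_HOST_MBPS for _, rate in hosts):
            reasons.append("single-host")
        if sum(1 for _, rate in hosts if rate >= COORDINATED_MBPS) >= MIN_COORDINATED_HOSTS:
            reasons.append("coordinated")
        if reasons:
            report[key] = {
                "hosts": sorted(hosts),
                "aggregate_mbps": sum(rate for _, rate in hosts),
                "reasons": reasons,
            }
    return report


# Constructed sample: one minute of flows. 203.0.113.10, 198.51.100.5 and
# 192.0.2.7 are documentation addresses standing in for victims and peers.
SAMPLE_FLOWS = [
    # one web server alone pushing 2.25 GB in the minute (300 Mbps) at a single victim
    *[Flow(1000 + i, "10.20.1.11", "203.0.113.10", 80, 1_500_000, 450_000_000) for i in range(5)],
    # three servers each pushing 600 MB in the minute (80 Mbps) at the same victim
    Flow(1010, "10.20.1.21", "198.51.100.5", 443, 400_000, 600_000_000),
    Flow(1011, "10.20.1.22", "198.51.100.5", 443, 400_000, 600_000_000),
    Flow(1012, "10.20.1.23", "198.51.100.5", 443, 400_000, 600_000_000),
    # ordinary outbound traffic: 15 MB in the minute (2 Mbps)
    Flow(1013, "10.20.1.30", "192.0.2.7", 443, 12_000, 15_000_000),
    # inbound and internal flows, both ignored by the check
    Flow(1014, "192.0.2.8", "10.20.1.30", 80, 900_000, 900_000_000),
    Flow(1015, "10.20.1.11", "10.20.2.5", 3306, 900_000, 900_000_000),
]

if __name__ == "__main__":
    for (window, dst), info in sorted(flag_outbound_floods(SAMPLE_FLOWS).items()):
        print(f"window {window} -> {dst}: {info['aggregate_mbps']:.0f} Mbps "
              f"from {len(info['hosts'])} host(s): {', '.join(info['reasons'])}")
        for src, rate in info["hosts"]:
            print(f"    {src}  {rate:.0f} Mbps")
```

The coordinated heuristic will also fire on legitimate shared destinations (every host backing up to one storage endpoint, for instance), so in practice it needs an allow-list or a per-destination baseline; the point is that outbound rate per host per destination is cheap to compute from flow data most data centers already export, and it is the signal that would have shown those hosting providers they were the source rather than the victim.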