On September 30th, a video message appeared on the site of one of the groups of the so-called anonymous hacktivists, in which they talked about planned network attacks at several major Russian banks. The threats to the national banking system were accompanied by political slogans that interpreted the prepared action as a virtual act of terrorism. The actual outcome of the attackers’ plan turned out to be not as promised though.
Some of the mentioned banks were our customers. Some of our colleagues believed that it was just a threat and there would be no real action since the attackers had more than ambitious goals, like bringing down the Russian banking system, providing unavailability of major banks’ online services.
In the morning of October 1st there was an attempt made to follow the threatened scenario – the website of Sberbank suffered a DDoS-attack at the applications level (HTTP Flood Attack). The volume of junk traffic was no danger for the uplink since the attack power was low. The traffic was switched over via the Kaspersky Lab’s security system, the attack was fully repulsed, and the site of the bank continued to work normally. Despite the availability of the site for users, the attack continued until the next morning. After realizing that their actions had no desired effect the attackers turned their attention to their next goals on the list: Alfa-Bank was attacked until October 3, and then Gazprombank had its turn. The plan of the criminals failed with those targets, too. The attacked sites of the banks continued to respond to users’ requests and did not show any noticeable uneasiness.
Following, another major Russian bank became a new target almost daily. Nevertheless, the vast majority of clients of those banks that were under the protection of Kaspersky DDoS Prevention never noticed any hacker activity, and were able to continue to use online services as usual.
It should be noted that a DDoS attack at a bank with e-banking services is nothing more than an inconvenience given the temporary unavailability of the bank’s web page. As a rule, the online banking system itself does not suffer from such attacks because in most cases, additional network resources are enabled to support e-banking. They are physically separated from those hosting the web page of the bank. Thus, the attack of a site does not cause any difficulties for those customers who want to carry out an operation and go directly to their account pages. But those people who use the main page to login to their personal accounts may get a false impression of a real threat to their funds due to their inability to access their accounts. They may become anxious or even panic, and obviously this behavior is what the attackers had accounted for. But nothing like that happened. Both e-banking services and websites of the banks under Kaspersky Lab’s protection kept operating as normal.
In general during an attack of the denial-of-service type, the user is in a less vulnerable position than the bank. The failure to keep operations going inevitably leads to damages, the size of which are determined by the time and cost of downtime.
It should also be noted that the announced attack was not accompanied by any attempts at hacking banks’ networks, identity thefts or interference in the financial services, since such functionality is not incorporated in the very nature of DDoS attacks. Their main purpose is to provide temporary unavailability of a particular web resource for its legitimate users. The attackers can likely be attributed to political hacktivists who were trying to demonstrate the vulnerability of the national security of the country by attacking major banks. But all that they achieved was receiving a few reports of cyber attacks in the press. They never made it closer to their stated goal.