Group halts bank cyberattacks

The campaign of cyberattacks that has pounded many of the country's biggest banks is being suspended.

The group claiming responsibility for the attacks, Izz ad-Din al-Qassam Cyber Fighters, posted a message on an Internet message board Tuesday saying it was suspending the attacks because the video ridiculing the prophet Mohammed had been removed from YouTube, which was the group's core demand.

"The Suspension of Operation Ababil has started today and will continue till further notice," the post reads.

U.S. Bancorp and Wells Fargo & Co. were among U.S. financial institutions hit in the highly public operation, which started in September and remains under investigation by the FBI.

While U.S. officials have publicly blamed Iran for the bank cyberattacks, calling it retaliation for economic sanctions, Iran has denied involvement.

Whoever was behind the attacks used distributed-denial-of-service (DDoS) attacks to bombard bank websites with traffic and to attack certain features such as search functions and logins. The hits gummed up bank websites and frustrated customers trying to access information.

It's not clear yet whether or how the operation may have affected core bank functions -- most banks are still investigating the problems. Last month the Office of the Comptroller of the Currency, which regulates banks, issued an alert warning that denial-of-service attacks, in general, can be used as a distraction while thieves hack into customer accounts.

Some financial service companies have taken the step of asking for help from the government in warding off future attacks, said Larry Ponemon, chairman and founder of the Ponemon Institute, an independent research group in Traverse City, Mich., focused on data security.

"That's a pretty unusual event," Ponemon said. "Normally, it's the other way around where the government says, 'We're here to help you,' and private industry says, 'We don't need the help.'"

"It seems to me that it's more than just an annoying DDoS attack -- that it's a signal there are other problems."

DDoS attacks have been around for a long time, but Operation Ababil stands out for its sophistication and focus, experts say. Its focus on disrupting certain features of the websites, not just producing high traffic, made it particularly effective, said Dan Holden, director of security research at Arbor Networks, a company in Burlington, Mass., that specializes in DDoS attacks.

Holden said he's agnostic on the origins.

"Given the longevity of the campaign it is certainly being funded at some level. Wherever that funding is coming from is certainly debatable," Holden said. "There's all kinds of black helicopter conspiracies that one can come up with."

Banks have been tight-lipped about the problem.

San Francisco-based Wells Fargo, which has a large operation in the Twin Cities, wouldn't comment on the campaign's suspension. Minneapolis-based U.S. Bank could not be reached for comment Tuesday.

Those banks were among the first targeted last fall. Since then, the attacks have been less dramatic but the scope has widened significantly.

The Ponemon Institute released a report earlier this month that said nearly two-thirds of the 650 bank information technology professionals surveyed said their banks were hit with at least one DDoS attack in the past 12 months.

Holden, at Arbor Networks, said he doubts this is the end of Operation Ababil.

"It's more of a pause, and a lull, than it is the campaign going away," he said. "I would not be surprised one bit if they come back."

James Lewis, a former official in the State and Commerce departments and a computer security expert at the Center for Strategic and International Studies, said he thinks sanctions triggered the cyberattacks. "Should the U.S. take new punitive actions in Iran, we'll see a resumption of this stuff."

Jennifer Bjorhus • 612-673-4683