U.S.-based banks recently affected by the wave of denial-of-service campaigns against financial institutions disclosed some attack details to the Securities and Exchange Commission.
Several institutions, including Citigroup, JPMorgan Chase, Bank of America, Goldman Sachs Group, Capital One, U.S. Bancorp, and HSBC North America, referenced the DDoS attacks in their most recent annual 10-K earnings reports filed with the SEC. The attacks, intended to disrupt consumer online banking services, succeeded as customers were unable to access their accounts for a period of time, the banks wrote.
These institutions have been under DDoS fire since last fall and winter, with the attacks allegedly launched by a group calling itself Izz ad-Din al-Qassam Cyber Fighters. The group started the latest series of attacks in late February and early March.
“The firm and several other U.S. financial institutions continue to experience significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which are intended to disrupt consumer online banking services,” JPMorgan Chase wrote in its 10-K filing, submitted to the SEC on Feb. 28.
Both Chase and U.S. Bank referred to the attacks as “technically sophisticated and well-resourced.” U.S. Bank said the attacks required substantial resources to defend, and Citigroup reported “increases in expenditures to monitor against the threat of similar future cyber-incidents.”
Security researchers have identified the “itsoknoproblembro” DDoS kit as the tool used to launch the attacks, and found that the attackers had compromised a series of Web servers to create the botnet, which sent enough network traffic to overwhelm banking sites.
The banks worried about the effects these attacks may be having on their reputations. U.S. Bank said the attacks “may affect customer satisfaction and behavior.” They were also concerned about future attacks and how they would affect customer perception.
“Should a cyber-attack against us succeed on any material scale, market perception of the effectiveness of our security measures could be harmed,” Capital One wrote in its filing Feb. 27.
Citigroup, U.S. Bank, and Chase reported other attempts to breach networks or steal data. While Chase did not offer any details, Citigroup described ongoing cyber-incidents, such as attempts to gain unauthorized access or access data, account takeovers, and malware attacks. U.S. Bank said attack attempts were increasing and the “company continues to develop and enhance its controls and processes to protect against these attempts.”
“Because the methods and techniques employed by perpetrators of fraud and others to attack, disable, degrade or sabotage platforms, systems and applications change frequently and often are not fully recognized or understood until after they have been launched, we and our third-party service providers and partners may be unable to anticipate certain attack methods in order to implement effective preventative measures,” Capital One wrote.
The institutions, with the exception of Citigroup, said the attacks did not cause any loss of data, breach their networks, or impact other servers. Even so, “there can be no assurance that we will not suffer such losses in the future,” Bank of America wrote Feb. 27.
“If these attacks are successful, or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services online,” Capital One wrote.
Citigroup acknowledged the attacks led to some losses, but did not elaborate further.
“While Citi’s monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances,” Citigroup wrote in its 10-K report filed March 1.
In 2011, the SEC issued guidelines indicating that publicly traded companies have to disclose cyber-incidents that could lead to financial losses or pose a material risk to their organization in their regulatory filings. While these were guidelines and not mandatory requirements, many organizations over the past year have started disclosing various breaches and attacks in their SEC filings. These recent 10-K filings outlined the risks the financial institutions face in terms of disrupted services, reputation damage, and potential data loss.
“Additional challenges are posed by external extremist parties, including foreign state actors, in some circumstances as a means to promote political ends,” Citigroup wrote.