For nearly nine months, hacker groups thought to be based in Iran have been launching large-scale cyberattacks designed to knock U.S. bank Websites offline. But those assaults have subsided over the past few weeks as Iranian hacker groups have begun turning their attention toward domestic targets, launching sophisticated phishing attacks against fellow citizens leading up to today’s presidential election there.
Since September 2012, nearly 50 U.S. financial institutions have been targeted in over 200 distributed denial of service (DDoS) attacks, according to the U.S. Department of Homeland Security. A Middle Eastern hacking collective known as the Izz ad-Din al-Qassam Cyber Fighters has claimed credit for the assaults, and U.S. intelligence officials have repeatedly blamed the attacks on hacker groups backed by the Iranian government.
But roughly three weeks ago, experts began noticing that the attacks had mysteriously stopped.
“We haven’t seen anything for about three weeks now,” said Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), an industry coalition that disseminates data about cyber threats to member financial institutions. “It’s not clear why [the attacks stopped], but there are a lot of things going on in Iran right now, particularly the presidential elections.”
Meanwhile, data collected by Google suggests that the attackers are focusing their skills and firepower internally, perhaps to gather intelligence about groups and individuals supporting specific candidates running for Iran’s presidential seat. In a blog post published this week, Google said that it is tracking a “significant jump” in the overall volume of phishing activity in and around Iran.
“For almost three weeks, we have detected and disrupted multiple email-based phishing campaigns aimed at compromising the accounts owned by tens of thousands of Iranian users,” wrote Eric Grosse, vice president of security engineering for Google. “The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election on Friday.”
Grosse said the attacks appear to be the work of the same group that used SSL certificates fraudulently obtained from the now-defunct Dutch certificate authority DigiNotar in sophisticated Iranian phishing campaigns that spoofed Gmail and other online services in August 2011.
Jeff Bardin, chief intelligence officer at Treadstone 71, a cyber intelligence and training firm, said he expects the phishing attacks to subside following today’s election in Iran.
“They are ahead of the game this time around as opposed to 2009 when they could not control Web 2.0 and cell phone activities,” Bardin said of the Iranian government. “Since then, they have acquired or nationalized telecoms, established filters, cutoff switches for the Internet and infiltrated Facebook, Twitter, YouTube. Iran has established a high degree of surveillance and control.”
For now, it’s unclear whether the same volume of DDoS attacks against U.S. financial institutions will continue after the Iranian election is over. According to Bardin, the attacks have been increasingly ineffective as more U.S. financial institutions moved to commercial providers of DDoS protection, including companies like Akamai, Arbor Networks, Prolexic (which protects this blog) and Radware.
“We’ll see what happens after the elections, but we’re not holding our breath,” FS-ISAC’s Nelson said. “Maybe this is the end, but they’re probably just gearing up for another round.”