Eugene Grygo, Chief Content Editor, FTF News
The shocking story that seven hackers in Iran with the help of their government could launch cyber-attacks against 46 U.S. financial services firms and two exchanges got about 30 seconds of attention in the U.S. media, overshadowed by the idiocy of the U.S. presidential campaign, and then justifiably by the heartbreak of recent terrorist attacks in Brussels, Belgium and Lahore, Pakistan.
Still, the fact that U.S. government officials announced that these sets of distributed denial of service (DDoS) attacks and related offenses took place is a rather stunning admission. It almost looks as if the attacks back and forth constitute a limited cyber-war between Iran and the U.S. government, which allegedly used the Stuxnet computer worm/cyber-weapon against Iran when it was said to be developing nuclear weapons.
The other shocker is how silent the victims have been.
There are many A-list banks on the list of firms and exchanges that were hit — Bank of America, the Nasdaq Stock Market, the New York Stock Exchange, Bank of Montreal, JPMorganChase, Citibank, HSBC, State Street Bank and Wells Fargo — and thus many customers.
Apparently, the attacks had major impacts upon many retail/commercial customers, according to U.S. Attorney for the Southern District of New York Preet Bharara. “The alleged onslaught of cyber-attacks on 46 of our largest financial institutions, many headquartered in New York City resulted in hundreds of thousands of customers being unable to access their accounts and tens of millions of dollars being spent by the companies trying to stay online through these attacks,” Bharara says in a statement.
It’s not clear if trading rooms and securities transactions were impacted by the cyber-attacks. But, despite customers realizing that some kind of attack was underway, the banks and exchanges so severely impacted did not and will not talk about it.
When I worked on the story, I reached out to some of those impacted and no one wants to comment. I also reached out to groups that advocate for the industry and they stonewalled me too.
I’m now quite amazed that the names of the firms impacted were mentioned in the indictment. But that and the naming of the hackers in this indictment may be steps forward.
Most companies, not just Wall Street firms, are very reluctant to acknowledge any attack as it may give credence to psychotic hackers and evidence for the competition to argue that they provide better protection for customers.
The solution appears to be that financial services firms will share cyberattack information with government officials but it must be done quietly and without any attention drawn to the victim.
I would hope, though, that without mentioning names maybe a set of best practices could be developed from these real-life attacks.
While it’s a good thing that the cyber anonymity of the attackers is being lifted, it might be wise for the victims to rethink their vow of silence and consider privately sharing their stories for mutual gain.
Need a Reprint?