How a DDoS campaign became an act of cyberwar

Just add Iran

In September 2012, US banking websites started picking up floods of fake traffic. It was a denial-of-service campaign, waged more or less weekly. It went on for month after month, always hitting in the middle of the week, during normal business hours.

Under other circumstances, it could have been taken as a hacktivism campaign, akin to similar actions from LulzSec or other Anonymous offshoots. The attacks were all simple floods of traffic, nothing sophisticated or technically demanding. While they certainly made life difficult for a number of network managers, the end result was never more serious than a service interruption on customer-facing online banking sites.

But as it turned out, this flood of traffic was coming from Iran, which pushed this DDoS campaign onto the world stage. In a press conference today in New York, US attorneys unsealed an indictment against seven Iranians for "Cyber Attacks against the US Financial Sector." According to the indictment, the attacks were carried out on behalf of the Iranian government and its Islamic Revolutionary Guard Corps, a prime example of the politics of cyberwar. One of those attackers had claimed credit for a previously reported infiltration of a small dam in upstate New York, making these the first public charges for digital attacks on critical US infrastructure.

"This case is a reminder of the seriousness of cyber threats to our national security," Attorney General Loretta Lynch said in a statement. "We will not allow any individual, group, or nation to sabotage American financial institutions."

But while the politics have been heated, the capabilities of the actual attackers seem to have been roughly what you’d expect from your average 4chan crew. The DDoS attacks were persistent, but they seem to have been fairly predictable. The total traffic topped out at 140 Gbps, a large but not unprecedented attack. (For context, Arbor Networks reported more than 50 attacks over 100 Gbps in the first half of 2015.) The Anonymous resemblance went right down to the group’s taste in web design, which opted for the same blocky ASCII-art lettering favored by low-level hackers and pirate sites.

The dam hack is similar, closer to vandalism than a Stuxnet-style infiltration. The indictment and subsequent law enforcement statements have focused on the threat posed by the attacks on infrastructure like power plants and dams, but the specific dam targeted by the attack was a small flood control outlet, unable to do much more than flood a streambed. In fact, the hackers in question couldn’t even do that, since the gate controls were out of service at the time of the attack. In the indictment, prosecutors phrase that as being the only reason the dam controls weren’t engaged — but it’s just as likely that the intrusion was a side effect, and the Iranians weren’t at all interested in controlling upstate New York’s water levels.

There does seem to be a legitimate connection to Iran’s government. All seven attackers were employed in private companies during the period, but the indictment claims one of them received credit for his mandatory military service as a result of the attacks. Still, it’s unclear how closely supervised the actions were, or what the end goal of any of it was.

That’s not to say that the attacks weren’t damaging or even criminal — but it puts the idea of international cyberwar in a very different light. International borders make cases like this difficult, so high-profile prosecutions are often more a necessity than a choice. It’s also true that, while DDoS attacks are crude, they can be used as cover for far more sophisticated action. But for the time being, there’s no evidence this team had anything like that in store. If the same attacks had been launched from Coney Island rather than Tehran, it’s likely we wouldn’t be talking about them at all.