Iran Strikes Back

Iranians used University of Michigan network in recent bank attacks

Secretary of Defense Leon Panetta / AP
• October 15, 2012 5:00 am


UPDATE, Oct. 19, 2012: The University of Michigan on Oct. 18 denied that its computers were involved in the Iranian cyber attacks and said it believes the security firm erroneously reported activity generated by a professor engaged in security research.

"These assertions are simply not true," said Paul Howell, the university’s chief information technology security officer.

According to the university, the "malicious" activity the security firm attributed to the College of Engineering was actually research conducted by J. Alex Halderman, a professor of electrical engineering and computer security who has been conducting a six-month study of Internet security.

The statement said the university believes the reported hacking attempts were "actually benign connection attempts generated from one computer, not a network, in the College of Engineering."

"The program is designed to contact randomly selected servers and count the number of successful connections," the statement said.

The security analyst said he stands by his firm’s reporting on the malicious activity emanating from the University of Michigan network.

Iranian hackers took over a University of Michigan computer network during last week's massive cyber attack on U.S. financial systems, an attack that continued after Defense Secretary Leon Panetta commented publicly on the strikes.

According to reports by a leading Internet security-monitoring firm, the cyber attacks against Bank of America, JPMorgan Chase, Citibank, and several other U.S. financial institutions began Oct. 8 when hackers gained control of the university’s College of Engineering network in Ann Arbor.

The attack then used automated malicious software to flood the banks' customer login portals with hundreds of thousands of simulated login attempts, overloading the systems behind them.

Some of the banks' operations were slowed or otherwise disrupted, and others were halted during the attacks, which a well-placed security analyst said are continuing.

The company and the analyst declined to be identified over concerns that they would become a future target of cyber attackers.

The attacks began with strikes against 75 Internet ports and were described as "severe," continuously repeating strikes. The digital probes eventually expanded to 167 ports. (TCP and UDP each define 65,536 port numbers, 0 through 65535.)

At the height of the attacks, the report stated, the Iranian hackers targeted more than 68,500 sites; the automated monitoring responses from those sites counted more than 641,000 malicious connection attempts.

The attackers used botnets, networks of "zombie" computers: private or institutional machines covertly taken over by implanting malicious software that lets them be controlled remotely.

According to the report, one of the sources of the attacks originated from the University of Michigan College of Engineering network domain.

"There has been an outbreak of DNS probe [attacks] from what appears to be most, if not all the servers within the University of Michigan (UM) College Of Engineering network domain," the report said, noting that 26 servers were involved.

The computer specialist said federal authorities were notified of the attacks and contacted the university, which eventually "unplugged" the entire attacking network.

However, the attackers had control over the network for about 24 hours.

The computer specialist said the attacks began falling off Thursday and were expected to end that day, ahead of traditional Friday prayers in Iran. However, the attacks continued, and are still continuing, in apparent reaction to Panetta's confirming the attacks late last week and threatening retaliation for major cyber strikes.

The company's security report from Sunday stated that "the cyber attacks are still extremely severe and at a very high level."

In a speech in New York City on Thursday, Panetta revealed for the first time that U.S. financial institutions were hit with distributed denial of service attacks.

"These attacks delayed or disrupted services on customer websites," he said. "While this kind of tactic isn't new, the scale and speed with which it happened was unprecedented."

He did not single out Iran as the origin of the bank attacks, but in his speech to a business group said that Iran, along with China and Russia, operate sophisticated cyber attack capabilities.

Panetta also said the Saudi Aramco state oil company in Saudi Arabia was attacked two months ago and that computer attackers hit the RasGas energy company in Qatar in recent days.

"These attacks mark a significant escalation of the cyber threat and they have renewed concerns about still more destructive scenarios that could unfold," Panetta said.

He warned that foreign cyber attackers are probing America's critical infrastructure networks and targeting computer control systems that run chemical, electricity, and water plants, as well as networks used for nationwide transportation.

"We know of specific instances where intruders have successfully gained access to these control systems."

The defense secretary suggested that the U.S. military is prepared to retaliate for such attacks if U.S. security is severely threatened.

"If a crippling cyber attack were launched against our nation, the American people must be protected," Panetta said. "And if the commander in chief orders a response, the Defense Department must be ready to obey that order and to act."

A U.S. official with access to intelligence reports said there are indications that the bank attacks were an operation conducted by the Iranian government. The official said the Iranians used the Lebanese terrorist group Hezbollah as a "cut out" or surrogate for the cyber strikes.

Also, the hackers put out a false story that the cyber strikes were a response to the anti-Muslim video that had been posted on the Internet.

In reality, the Iranian bank attacks are a response to U.S. and western covert actions against Iran’s nuclear program.

In recent months, it has been disclosed that the U.S. and Israel launched cyber attacks against Iranian nuclear facilities. These attacks include the Stuxnet worm, which attacked the industrial control systems inside Iranian nuclear facilities.

Iranian nuclear scientists also have been targeted in what appears to be a covert campaign of assassinations designed to disrupt the nuclear program.

Security analysts and recent news reports stated that the Iranian attackers were suspected of being a group called the Izz ad-Din al-Qassam Cyber Fighters, who last month posted a notice that they planned to carry out the attacks.

A spokesperson for the University of Michigan could not be reached for comment.

The Iranian strike used a botnet, or "zombie," attack, which orchestrates a large number of compromised computers to send spam email, spread malware, or overwhelm a network or server with a flood of requests.

The compromised computers are infected with malware that communicates with the attackers and is used to launch cyber attacks on their command.

The goal is to overwhelm the target so that it can no longer serve legitimate users, an attack technically known as a distributed denial of service (DDoS) attack.
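The dispute in this story turns on two traffic patterns that look similar in raw counts but differ in shape: a botnet flood sends many sources at one target (the bank login portals described above), while the university says its host was one computer contacting many randomly selected servers once each. The following script, an added example that is not part of the original article or of any firm's report, shows how a monitoring analyst could tell the two apart from connection records. The record format, the 60-second window, the thresholds, and the sample traffic (using documentation IP ranges) are all constructed for illustration.

```python
"""Separate a DDoS-style login flood (many sources -> one target) from a
scan (one source -> many targets) in a batch of connection records.
Added example; record format, thresholds and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed timeline: the story dates the attacks to Oct. 8, 2012.
BASE = datetime(2012, 10, 8, 9, 0, 0)
EPOCH = datetime(1970, 1, 1)


def _constructed_log():
    """Build sample records of the form 'ISO-timestamp src_ip dst_host:port'."""
    lines = []
    # Eight bots each hit the same login portal five times within one minute.
    for bot in range(8):
        for n in range(5):
            t = BASE + timedelta(seconds=bot * 7 + n)
            lines.append(f"{t.isoformat()} 203.0.113.{bot + 1} login.bank.example:443")
    # One host touches twelve different servers once each (scan-like).
    for tgt in range(12):
        t = BASE + timedelta(seconds=3 * tgt)
        lines.append(f"{t.isoformat()} 192.0.2.10 198.51.100.{tgt + 1}:53")
    # One ordinary customer logs in twice (benign).
    for n in range(2):
        t = BASE + timedelta(seconds=20 * n)
        lines.append(f"{t.isoformat()} 192.0.2.50 login.bank.example:443")
    return lines


SAMPLE_LOG = _constructed_log()


def parse(lines):
    """Yield (timestamp, src, dst) tuples from the constructed record format."""
    for line in lines:
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def bucket(records, window_seconds=60):
    """Group (src, dst) pairs into fixed time windows keyed by window start."""
    windows = defaultdict(list)
    for ts, src, dst in records:
        seconds = int((ts - EPOCH).total_seconds())
        windows[seconds - seconds % window_seconds].append((src, dst))
    return windows


def classify(lines, window_seconds=60, flood_sources=5, flood_attempts=20,
             scan_targets=10):
    """Return findings as (kind, key, distinct_peers, attempts) per window.

    flood: one destination contacted by >= flood_sources distinct sources with
           >= flood_attempts total attempts in the window.
    scan:  one source contacting >= scan_targets distinct destinations with at
           most two attempts per destination on average.
    """
    findings = []
    for _start, pairs in sorted(bucket(parse(lines), window_seconds).items()):
        dst_sources, dst_attempts = defaultdict(set), defaultdict(int)
        src_targets, src_attempts = defaultdict(set), defaultdict(int)
        for src, dst in pairs:
            dst_sources[dst].add(src)
            dst_attempts[dst] += 1
            src_targets[src].add(dst)
            src_attempts[src] += 1
        for dst, sources in dst_sources.items():
            if len(sources) >= flood_sources and dst_attempts[dst] >= flood_attempts:
                findings.append(("flood", dst, len(sources), dst_attempts[dst]))
        for src, targets in src_targets.items():
            if len(targets) >= scan_targets and src_attempts[src] <= 2 * len(targets):
                findings.append(("scan", src, len(targets), src_attempts[src]))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```

On the constructed data the portal is flagged as a flood (nine distinct sources, 42 attempts in the window, because the benign customer's two logins are counted too) and 192.0.2.10 is flagged as a scan (twelve targets, twelve attempts). The point for a monitoring firm is that a scanning host inflates the raw attempt count just as a bot does, so a count of "malicious attacks" that does not separate the two shapes can mislabel research traffic as an attack source.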

Computer hackers are known to sell lists of computers that have been compromised.

An FBI spokeswoman declined to comment.