Capital One Financial Corp., BB&T Corp. and HSBC Bank USAsaid they were hit by a new round of cyber attacks, marking thefifth week of sustained assault on some of the largest U.S.financial institutions.

The banks' websites have been disrupted with so-called denial ofservice attacks, some of which originated in Iran and Russia, CarlHerberger, a vice president for the network security firm RadwareInc., said in a phone interview yesterday.

“There is a target list that is essentially being worked,” saidHerberger, whose New Jersey firm is working with banks toinvestigate the attacks. “They appear to have been near-100 percenteffective, at least in bringing these financial institutions somelevel of duress.”

The assaults, which began last month, have differed from othertypes of denial-of-service attacks by commandeering commercialservers to overload bank websites with Internet traffic. Theattacks have temporarily disrupted or slowed online services forcustomers.

There are no signs data or money have been stolen, saidHerberger and Rodney Joffe, senior vice president at Sterling,Virginia-based security firm Neustar Inc. It could take months todetermine if that occurred, they said.

A group calling itself Izz ad-Din al-Quassam Cyber Fighters hasclaimed responsibility for the attacks in statements posted to thewebsite pastebin.com, saying they're in response to a videouploaded to Google Inc.'s YouTube ridiculing the Prophet Muhammadand offending some Muslims.

The attacks continued this week despite a warning from DefenseSecretary Leon Panetta that the U.S. has the ability to determinewho is responsible.

“Potential aggressors should be aware that the United States hasthe capacity to locate them and hold them accountable for actionsthat harm America or its interests,” Panetta said in an Oct. 11speech to business executives in New York.

He said the “scale and speed” of the bank attacks wasunprecedented.

Denial-of-service attacks, which are common, harness networks ofinfected computers to bombard websites with traffic in an effort toslow or crash them.

The use of commercial servers enabled the bank attackers to pumpa larger volume of traffic at the sites, Joffe said in a phoneinterview yesterday.

Bank Response

The attack on HSBC, the U.S. unit of London-based HSBC HoldingsPlc, prevented customers from using online banking services whilenot affecting customer data, Neal McGarity, a bank spokesman in NewYork, said in an e-mail yesterday.

BB&T customers yesterday couldn't access the website atvarious times during the day, Merrie Tolbert, a spokeswoman for theWinston-Salem, North Carolina-based bank, said in a phoneinterview.

The attack on McLean, Virginia-based Capital One began Oct. 16and intermittent disruptions continued yesterday, Tatiana Stead, aspokeswoman, said in an e-mail. There was no sign of accountinformation being put at risk, she added.

Ally Financial Inc. was also investigating “unusual traffic,”Gina Proia, spokeswoman for the Detroit, Michigan- based company,said in a phone interview yesterday.

Senator Joe Lieberman, a Connecticut independent who heads theSenate Homeland Security and Governmental Affairs Committee, saidlast month he thought Iran was behind the attacks.

Panetta said in his speech that Iran has “undertaken a concertedeffort to use cyberspace to its advantage,” although he didn't linkthe Iranian government to the bank attacks.

Herberger and Joffe said the Iranian government may be behindthe attacks. Definitive evidence is needed, they said.

“There's no technical problem in forensically figuring out whodid what,” Herberger said. “The problem is can you go to China, canyou go to Russia, can you go to Iran and actually do the inspectionof the equipment to actually know what's going on?”

The attackers are adapting to banks' defenses and becoming moresophisticated in their tactics, Herberger and Joffe said.

“Companies have to be very aware of what's going on and theyhave to start thinking about a Plan B and Plan C,” Joffe said.

Along with using commercial servers, attackers are overloadingbank websites with queries, such as requests to find branchlocations, and sending encrypted data packets that bypasstraditional defenses and intrusion-detection systems, Herbergersaid.

“We see ahead of the attacks reconnaissance, probing andscanning to evaluate the websites' effectiveness to see if theyhave certain attributes in place,” he said. “It's classicprobing.”

Security experts have been concerned about the attacks becauseU.S. financial institutions are considered to have some of the bestnetwork defenses of any industry. Sustained attacks could disruptcustomer confidence in industries beyond banking, they said.

“I feel like it's more than an inconvenience and that peoplehave actually lost the fundamental respect for the banks'integrity,” Herberger said.

Bloomberg News

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.