HSBC restored access to several of the company’s most important websites rendered inaccessible for ten hours last Friday by what is starting to look like one of the largest and most successful DDoS attacks ever to hit a prominent UK company.
The attack appears to have begun before 6pm on Thursday, 18 October, blocking access to several hsbc.co.uk and US domains plus, embarrassingly, the First Direct online bank.
According to the company’s Twitter account – now the means by which companies communicate regarding major outages such as this – access was not restored until 3am BST.
"This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking. We are taking appropriate action, working hard to restore service," HSBC said in a statement.
"We are pleased to say that some sites are now back up and running. We are cooperating with the relevant authorities and will co-operate with other organisations that have been similarly affected by such criminal acts."
DDoS attacks are routine on any company or bank of HSBC’s size, so what made this one so crippling?
According to security company Arbor Networks, the most likely explanation is simply that the attackers threw everything at HSBC, particularly at the application level. That might be the new reality of DDoS attacks, but it speaks of the ability to muster sophisticated methods beyond the norm.
“Recent attacks have used what we call multi-vector attacks, attacks which utilise a combination of volumetric, and application layer attack vectors,” suggested Arbor’s Darren Anstee.
“What we are seeing here are TCP, UDP and ICMP packet floods combined with HTTP, HTTPS and DNS application layer attacks. Attackers are doing this because they know it makes the attacks more difficult to deal with, but not impossible if we have the right services and solutions in place,” he said.
Suspicions regarding the source of the attacks will turn to obvious candidates such as Anonymous or possibly politically-motivated attackers from the Middle East; claims of responsibility have already reportedly been made on Twitter.
“In our experience financial organisations are slightly ahead of other businesses in the appreciation of the threats that DDoS attacks represent to their business, however many are lulled into a false sense of security by thinking that traditional means of defence like firewalls will combat the threat,” commented Paul Lawrence of Corero Networks.
Targeting banks is nothing new. Only days ago, self-declared Islamic hackers vented their fury on a clutch of US financial sector organisations, disrupting SunTrust Banks and Capital One Financial. This followed earlier attacks on PNC Bank, Wells Fargo, US Bank, Bank of America and JPMorgan Chase.
Western hackers have used Pastebin and Twitter to give a running narrative on their exploits; now groups such as the “Izz ad-Din al-Qassam Cyber Fighters” have taken to the attention-seeking tactic.