Major U.S. bank websites have been offline a total of 249 hours in the past six weeks, perhaps the clearest indication yet that American companies are prime targets in an unrelenting, global cyber conflict.
The heavier-than-usual outages are the result of a remarkable, sustained attack that began seven months ago and repeatedly knocks banks offline for hours at a time, frustrating consumers and bank security professionals alike.
"Literally, these banks are just in war rooms, sitting at controls trying to stop (the attacks)," said Avivah Litan, a bank security analyst with Gartner Group, a consulting firm. "The frightening thing is (the attackers) are not using as much resources as they have on call. The attacks could be bigger."
The denial of service reports were hardly noteworthy at first, hidden in the wake of news that U.S. embassies were under siege during the week of September 11, 2012. But in short order, Bank of America, Wells Fargo, PNC and a number of other banks suffered hours-long website outages.
A group calling itself Izz ad-Din al-Qassam Cyber Fighters released an anonymous statement saying it was attacking banks in sympathy with real-world protestors who were reacting to an anti-Islam film that had been posted online.
Seven months later, the group is still taunting the U.S. financial system, with notice almost daily from another bank that had to apologize for letting down its customers. American Express and Wells Fargo issued statements last week saying they suffered outages. Even with advance notice, the biggest financial institutions in the world can't seem to stop them.
No one interviewed for this story believes that a perceived insult over a Web movie is the attackers' motivation, as the al Qassam messaging has stated. Though some considered that it might be the work of attention-seeking teen-aged hackers, they would likely have grown bored, or run out of resources, long ago.
In the fall, national security officials speaking on background told several media outlets, including NBC News, that they suspected the Iranian government was behind the attacks. It seems certain that an organized group, with both a political motive and the ability to fund the operation, is to blame.
Keynote Systems, which provided the compilation of bank outages exclusively to NBC News, measures website availability by checking sites every five minutes and logging the results. (To see a chart of these attacks, click here.)
It works with major banks to set up "dummy" accounts so its computers can log in and make sure online banking services are available, and constantly checks the largest 15 U.S. banks.
Websites go offline for a variety of reasons — late-night software upgrades, for example — and some outages are to be expected, said Aaron Rudger, a Keynote spokesman.
Still, 249 hours during a six-week period (ending March 31) is significant, indicating those bank websites were unavailable for about 2 percent of the time during that stretch.
For comparison, during the same six weeks a year ago, the same bank websites were down 140 hours. Keynote has no way of knowing why a site is unavailable, but Rudger was comfortable inferring that the so-called al-Qassam attacks were responsible for most of the increase.
Rodney Joffe issued chilling advice to banks preparing for an al Qassam-style attack last fall: Prepare a sincere-sounding apology, he said at the time. Given the volume of apologies since then, he turned out to be right.
"It goes on and on and on ... It's like they are kicking sand in someone's face, reminding people that they are there," said Joffe, who is senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks.
"You just have to ask yourself, 'Why?' (The attackers) just seem to enjoy being able to say 'On an ongoing basis, we can make life uncomfortable for your banking industry.'"