It came out of nowhere and then it took down the website of $1.5 billion University Federal Credit Union “for around two and one-half hours,” said a spokesperson.
What appeared to be the same purportedly Iranian group that in recent months has taken down Bank of America, PNC, Capital One and assorted money center institutions bragged about the exploit online, at a website experts told Credit Union Times has commonly been used to post news of such takedowns.
The experts acknowledged they knew none of the specifics of the UFCU takedown but, they said, to all appearances this is the work of the cybercriminals who have been said to be linked to Iran.
What does this UFCU attack mean? “The attackers are definitely going after softer targets,” said Rich Bolstridge, a DDoS expert with network traffic company Akamai in Cambridge, Mass.
The bad news, said experts, is that, right now, no credit union can any longer count itself as immune from large-scale DDoS attacks.
Off the record, many credit unions, including billion-dollar institutions, had told us that indeed they had DDoS mitigation capabilities to handle run-of-the-mill attacks launched by ex-employees, terribly unhappy members, or would-be extortionists. These usually are fairly low-force attacks, and defense is fairly simple.
Defending against the high-velocity, nation-state level DDoS attacks is a different matter. The belief has been that only a handful of money center financial institutions had the resources on hand to defend themselves but nobody else really needed that level of protection, or so the thinking went.
Something has changed, and what very well may have changed is that the big FIs have gotten good at deflecting nation-state DDoS with minimal downtime. They have contracted with the mitigation companies, they have bought the mitigation appliances, they have arranged for redundant Internet broadband (often having arrangements with three providers). And so they were ready.
Smaller institutions are not ready.
That point is made vivid in a recent report, “A Study of Retail Banks and DDoS Attack,” sponsored by Corero Network Security. (The full document is here.)
In an interview, Marty Meyer, CEO of Corero, a DDoS mitigation appliance maker in Hudson, Mass., said that in the survey of 351 banks, 48% said they had suffered multiple DDoS attacks in the prior 12 months and 78% said they expected DDoS attacks to continue or slightly increase in the coming year.
What Meyer said he found worrisome in the data is that “only 17% of the institutions said they were effective at responding to DDoS.”
Many pointed to utterly inadequate defenses such as firewalls as their DDoS response. Firewalls, noted Meyer, were never designed to mitigate DDoS and won’t do that job.
Meyer indicated that no credit unions were included in the survey, although “we do have credit union customers, around a dozen.”
For reasons of simplicity the survey – conducted by third-party researchers – focused only on banks, including “some of the largest in the world,” said Meyer, who declined to name names.
Have credit unions had fewer, or more, attacks than banks? Nobody knows. NCUA’s current regulations require incident reports only if an event results in a potential compromise of member data and, in classic DDoS, what happens is that the overwhelmed network collapses. But there is no data leakage.
And therefore there is no reporting to NCUA.
Up until last Thursday there was a widespread belief that credit unions probably had far fewer attacks – they generally don’t get the hate that banks do – but the UFCU attack has to put the industry on notice that credit unions don’t have DDoS immunity. Not anymore.
And they had better begin assembling defenses to guard against what could turn out to be a long spell of high-volume DDoS attacks.
If University Federal Credit Union is not safe, who is?