“We were down for about two hours,” said Steve Ewers, chief information officer and a vice president at the $1.5 billion Austin, Texas, institution.
In January, UFCU was also hit by a DDoS attack that knocked it offline for around two and one-half hours.
Patelco, the $3.8 billion Northern California credit union, on Wednesday acknowledged it too was knocked offline by DDoS and, like UFCU, it also suffered a January outage.
In all instances, the perpetrator is believed to be the so-called al-Qassam Cyber Fighters, generally thought to be associated with Iran, although that link has not been substantiated.
In the most recent UFCU attack – which occurred a day before UFCU was scheduled to present details of its January DDoS attack at the NAFCU Technology Conference in Austin, said Ewers – the attackers used “a more sophisticated, more powerful attack than we saw in January,” according to Ewers.
In this attack, the attackers “tried to pull down a PDF from our site,” generating multiple accesses and huge volumes of traffic. When UFCU detected that and changed the file name, “the attackers reacted very quickly and went after the new file name,” said Ewers.
He also said much of the attack volume was generated via zombie servers and data centers that created dramatically more volume than do the typical botnets of hijacked personal computers.
Ewers stressed that in neither case was member data compromised and that there was no fraud committed in association with the DDoS.
Ewers added that, as might be expected, attendee interest in hearing about UFCU and DDoS at the NAFCU event was extraordinarily high. “The crowd was very engaged, very involved,” said Ewers.
Ewers indicated that, looking ahead, UFCU has good confidence about its ability to handle future DDoS attacks. He elaborated that UFCU, after the most recent outage, had concluded an agreement with a third-party DDoS mitigation provider.
“We in fact were in negotiation with them when we suffered the second attack.” He declined to identify who UFCU had retained.
As with Patelco, “our mobile banking never went down. Members who attempted to access us that way got in,” said Ewers.
Ewers added that, with a new mitigation provider in place, UFCU believes it is taking all the right steps in terms of fighting back against DDoS.
He stressed, “We can’t say we will be 100% effective because we don’t know what attack is coming next. But we are taking the steps to ensure member access to our services.”
