(flickr.com/consumerist)

U.S. officials are still convinced that continuing denial of service (DDoS) attacks against American banks by the Izz ad-Din al-Qassam Cyber Fighters are cover for state-sponsored cyber sabotage by Iran, according to a report in today's New York Times.

The Times reports that the U.S. doesn't believe the hacking group's repeated claim they are targeting banks because the anti-Islam video Innocence of Muslims hasn't been taken off the Internet:

But American intelligence officials say the group is actually a cover for Iran. They claim Iran is waging the attacks in retaliation for Western economic sanctions and for a series of cyberattacks on its own systems. In the last three years, three sophisticated computer viruses — called Flame, Duqu and Stuxnet — have hit computers in Iran. The New York Times reported last year that the United States, together with Israel, was responsible for Stuxnet, the virus used to destroy centrifuges in an Iranian nuclear facility in 2010.

The U.S. has good reason to suspect state sponsorship. The al-Qassam cyber attacks have used compromised cloud computing services, which they infect with a malware package called "Itsoknoproblembro."

The malware turns infected servers into what researchers call "bRobots." Funny as the name might be, bRobots are serious business. A hacked data center filled with bRobots gives the attackers enough firepower to take down even the largest websites. As the Times reported, one bank with a substantial 40 gigabit Internet service was easily knocked offline, and others reported DDoS traffic peaks of up to 70 gigabits.

On Tuesday, the Izz ad-Din al-Qassam Cyber Fighters published a new post on Pastebin in which they said the attacks will continue. They offered a complex set of equations related to the current views and likes of Innocence of Muslims and wrote that the reasoning in allowing the video to remain on the web was "the result of direct role of Satan and evil shadow in Zionism spirit and approach of thinking."

As of Wednesday morning, the top four sites on "outage watch" at Site Down were Bank of America, Citibank, Capital One and Fifth Third Bank.

Wells Fargo's logo. (flickr/Neubie)

Earlier this week the Izz ad-Din al-Qassam Cyber Fighters announced new distributed denial of service (DDos) attacks on U.S. banks, part of what they've referred to as Phase 2 of their "Operation Ababil." It appears that they have been true to their word.

As of 1:30 p.m. on Friday afternoon, virtually all of the most recent site outage reports on SiteDown.co, one of the largest website outage notification services, were for either Wells Fargo or Bank of America. Comments from Wells Fargo customers ranged from the questioning--"What idiots do you hire to manage to your website?" to the timely: "Did the mayans shut down wells fargo as well no world no monies (sic)."

The al-Qassam Cyber Fighters have repeatedly denied they are working for Iran, even though many security experts say the size of their attacks indicates state sponsorship. In various posts, usually published on Pastebin, the cyber attackers insist their efforts against American banks continue because Google will not remove the anti-Islam video Innocence of Muslims from the Internet in any country where they are not legally required to do so.

The actual impact on banks by the continued denial of service (four days of outages for Wells Fargo this week) is still unclear. A report by Bank Info Security about the first wave of attacks from the al-Qassam Cyber Fighters in October indicated that in addition to inconvenience and customer loss, there is a danger that DDoS outages could be distractions for real hack attacks, in which customer funds are covertly transferred away, possibly to support future cyber espionage.

Whatever is really going on with the Cyber Fighters, it is clear that some banks are still unprepared for their onslaught, and customers are angry. An anonymous user on SiteDown.com likely spoke for many, writing, "Unable to log on to Bill Pay; 4th day and counting; Wells: you need significant help here; do something quick!"

Wells Fargo, hit by al-Qassam Cyber Fighters DDoS attacks.

Denial of service elves Izz ad-Din al-Qassam Cyber Fighters issued a new statement Tuesday and apparently renewed DDoS attacks on American bank websites.

In a brief Pastebin post the hackers--who claim they are mainly motivated by outrage over the anti-Muslim video, Innocence of Muslims--acknowledged the horrific school shootings that took place in Newtown Connecticut on December 14th, but re-committed to their efforts against U.S. financial institutions:

Originally, we sympathize deeply with families of the schoolchildren victimized by the horrible happening of Sandy Hook Elementary school. It’s very clear that a system which its rulers and capitalists are the owners of weaponry big companies never care about occurrence of these events. The past week’s attacks, showed our ability in doing wideness attacks so efficiently and of course this is not all of the Izz ad-Din al-Qassam’s ability. The attacks will be persistent till eliminating injustice and stopping the insults to the prophet of mercy and removing the offensive film, and we are sure that we will reach to our goals.

Based on reports made to Sitedown.co of website outages, the al-Qassam Cyber Fighters have been true to their word. By 5:45 p.m. ET on Tuesday over 400 users had reported an outage at WellsFargo.com since 9:15 a.m. Other banks reporting outages Tuesday included Bank of America and Chase, but Wells Fargo seemed hardest hit.

The cyber-attackers also promised that this week's attacks "will be as wide as previous week" and that customers of the "5 major US banks" should prepare for more "sorrow" and "inaccessibility."

Bank of America, one of the victims of Operation Ababil (Screengrab)

The Izz ad-Din al-Qassam Cyber Fighters published a new message on their Pastebin profile late Monday, warning of a new round of cyber attacks against U.S. financial institutions, beginning this week.

In their lengthy post, titled "Phase 2 Operation Ababil," the Qassam Cyber Fighters announced that they plan to attack websites owned by J.P. Morgan Chase, Bank of America, U.S. Bancorp, PNC Financial Services and SunTrust Banks.

Previous cyber attacks for which the ideologically-motivated group claimed credit took some bank sites down for more than 24 hours and affected website functions for days afterwards. The Cyber Fighters say that in Phase 2, "the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks."

U.S. officials have said they believe the attacks are state-sponsored by Iran, but the cyber attackers still insist they are not working for any government. Though they mention events since their previous attacks such as Israel's efforts against Hamas, the al-Qassam Cyber Fighters still say their main reason for renewed cyber attacks is the presence of Innocence of Muslims on the Internet. Google has refused to removed the anti-Islamic video from the Internet in nations where it is not against the law.

Fox Business notes one of the reasons security researchers and U.S. officials have said they believe the al-Qassam Cyber Fighters are more organized and well-funded than an ad-hoc group of cyber terrorists is because they use such a sophisticated botnet of compromised web servers. The Cyber Fighters' zombie army of bots sidesteps bandwidth limits and focuses more power against their targets than attacks from home computers.

Previous banks affected by al-Qassam's efforts included Wells Fargo, Bank of America and the New York Stock Exchange.

Update: It looks like the Cyber Fighters didn't waste any time. As of 1:45 p.m. ET Tuesday, many Bank of America customers were reporting problems accessing the bank's website.

Bank of America, one of the victims of Operation Ababil (Screengrab)

The Izz ad-Din al-Qassam Cyber Fighters, who claimed credit for multiple DDoS attacks on American financial institutions like Bank of American and Suntrust, Inc., still steadfastly deny they were working for the Iranian government. Wired directs us to this interview with the hackers conducted in early November by researchers Flashpoint Global Partners, a security research firm.

The hackers always claimed in various Pastebin posts that their "Operation Ababil" was not motivated by a need to hurt the United States so much as they wanted to express outrage over the anti-Muslim film, Innocence of Muslims.

In their interview with Flashpoint, the hackers repeated the same sentiment, stating that they targeted banks to do “something proportional to what has happened against us. In the system where… religion and sacred things are not honorable, and only material, money and finance have value, this seems a suitable and effective… act[ion] and can influence governors and decision makers.”

Asked to respond to U.S. claims they were affiliated with Iran's military, al-Qassam said they weren't dependent on any government, just protesting "the insulting movie."

"But there are some ones," al-Qassam told Flashpoint, "who want to portray this action as political. So they are deflecting the issue to the side of their political leanings."

The Cyber Fighters may be telling the truth, but as Wired's Noah Schachtman noted, "some security researchers believed the attacks to be so sophisticated, they could’ve only been pulled off with government help."

For the time being it appears the Cyber Fighters have gone to ground and put their Operation Ababil on pause, as they haven't posted any claims of action on their Pastebin page for just over a month. We may not know what they’re up to until the next time someone tries to check their balance or load their bank’s website and gets only error messages in return.

Muslim cleric Izz ad-Din al-Qassam (Wikimedia)

If customers of Regions Bank were having trouble reaching the institution's website Thursday, they could thank the Izz ad-Din al-Qassam Cyber Fighters, who returned earlier this week for the fourth week of Operation Ababil.

Operation Ababil is an ongoing effort by cyber-attackers who say they plan to keep knocking American banks offline until Innocence of Muslims has been taken off the web. While Google has blocked the video in countries where its bigoted content is illegal, the search giant has said it will not block the video in the U.S., citing laws that protect freedom of speech.

Some experts think Iran is behind the Qassam Cyber Fighters, but the group has denied this.

Their Pastebin from October 8th added new reasons for their outrage:

A number of cyber-attacks toward the American banks planned and executed during the past weeks. Those attacks were a response to an insulting film against the great prophet of Islam which was made and broadcast on the Internet according to Zionists will and Americans management. All Muslims and free-minded people around the world protested this absurd action but their complaints were not addressed. If these protests were done by your fans any film was immediately removed from internet. For instance, at the same time with the Queen of England family's complaint against an insulting photo published in the French magazines the photo was removed immediately. But you did not care about the demands of Muslims and called the fighter groups' activities terrorist attacks.

You are insulting the prophet of Islam, what do you expect from Muslims? Do they have the right to confront or retaliate? Do you have a respectable thing that can be insulted in retaliation?

The Cyber Fighters concluded that "respectable thing" was banks. So they listed their targets and a timeline for the attacks:

Tuesday 10/9/2012 : attack to Capital One Financial Corp site, capitalone.com
Wednesday 10/10/2012 : attack to SunTrust Banks, Inc, suntrust.com
Thursday 10/11/2012 : attack to Regions Financial Corp site, regions.com
Weekends: planning for the next week' attacks.

The Cyber Fighters were careful to note that they weren't hacking everything. They referred to "recent Trojan-based attacks" that targeted "electronic money transfers" and stated that their activities were "only against the insulting movie mentioned above."

Operation Ababil has been documented in both Arabic and English. English posts often appear to be translations from the Arabic, but the most recent Arabic post seemed to reveal a sentence the attackers chose to leave out of the English version:

Sorry of the customers of these banks because the attacks caused interruption of banking operations, and we invite them to join the rest of the world in these activities [...]

Capital One, attacked on Tuesday, was still having problems Thursday. Sun Trust Banks was also knocked offline Wednesday, as promised.

As has been this group's practice, these cyber attacks will occur for eight hours each day, beginning at 10 a.m. EDT.

Stuxnet, the first shot across the bow. (Krebs On Security)

Cyber attackers who went after Chase and Bank of America with Directed Denial of Service (DDoS) attacks on the banks' websites may have been working for Iran.

A report from the Washington Post cites several officials who have made this claim, including Senator Joseph Lieberman, the chair of the Homeland Security and Governmental Affairs Committee.

The Post reports that in an interview with C-SPAN, Sen. Lieberman disputed the idea the attackers were independent hacktivists outraged by a controversial anti-Muslim film:

"I don’t believe these were just hackers who were skilled enough to cause disruption of the Web sites," said Lieberman in an interview taped for C-SPAN's "Newsmakers" program. "I think this was done by Iran and the Quds Force, which has its own developing cyberattack capability." The Quds Force is a special unit of Iran's Revolutionary Guard Corps, a branch of the military.

Lieberman said he believed the efforts were in response to "the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions."

The Post also reported that there have been similar attacks against American telecoms such as AT&T and Level 3.

What wasn't clear from Sen. Lieberman's remarks or the Post's report was whether the "Cyber fighters of Izz ad-din Al qassam," who claimed credit for the attacks and dubbed them "Operation Ababil" were opportunistic trolls or misdirection by Iranian cyber forces.

If officials and cyber-security experts quoted by the Post are correct, it is likely Iran intended the bank attacks as a response to U.S. actions such as the infiltration of the Stuxnet worm, which disrupted Iranian nuclear operations in 2010. Stuxnet targeted uranium enrichment centrifuges and caused them to spin wildly out of control.

The most recent Pastebin post from the Cyber fighters of Izz ad-din Al qassam claimed the attack on Chase's web properties was step two. They seemed to imply there were several more steps to go.

Izz ad-Din al-Qassam (Wikimedia)

The Cyber fighters of Izz ad-din Al qassam, a group of cyber-attackers who have targeted Bank of America and the New York Stock Exchange, allegedly struck J.P. Morgan Chase today. Fox Business reported on the site outage at Chase.com and consulted with Flashpoint Partners about the problems. Flashpoint told Fox that Chase's problems were probably due to a "sustained denial of service attack."

The religiously-motivated hackers, who claim they are responding to the anti-Muslim video, Innocence of Muslims, have published a new Pastebin page claiming credit for the Chase attack:

In the name of Allah the companionate the merciful

My soul is devoted to you Dear Prophet of Allah

"Operation Ababil" started over BoA :

http://pastebin.com/mCHia4W5
http://pastebin.com/wMma9zyG

In the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue untill the Erasing of that nasty movie from the Internet.

The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline !

Down with modern infidels.

### Cyber fighters of Izz ad-din Al qassam ###

"Operation Ababil" was also the name of a failed Pakistani military operation that occurred in April, 1984.

Pakistan planned the maneuver (sometimes spelled "Operation Ababeel") as an effort to capture a glacier in the long-disputed region of Kashmir. India learned of the plan and managed to seize the area two days before Pakistan pulled the trigger on the mission.

Are the Cyber fighters of Izz ad-din Al qassam hinting that they might be based in Pakistan? Not necessarily--the name of the operation could be a red herring.

The group's moniker may mean more than whatever they call their efforts against financial institutions; Izz ad-din Al qassam, according to Wikipedia, was the name of a Syrian-born "Muslim preacher who was a leader in the fight against British, French, and Zionist organizations in the Levant in the 1920s and 1930s."

Innocence of Muslims has been blocked in Pakistan and several other heavily Muslim countries but Google has refused to completely remove the film from the web.