In the spring of 2012, some of the largest banks in the United States were coming under attack, with hackers commandeering servers around the world to direct a barrage of Internet traffic toward the banks’ Web sites.
The assaults, believed to have been launched by Iran, were bringing the sites down for hours at a time and disrupting customer business — the first significant digital assault of its kind undertaken against American industry’s computers by a foreign adversary.
It “was a wake-up call,” recalled an official from a large Internet service provider for the banks. “It got our attention in a very serious way.”
Wary of provoking even more intense attacks, the Obama administration rejected an option to hack into the adversary’s network in Iran and squelch the problem at its source. Instead, officials did something they had never tried on such a scale, appealing to more than 100 countries to choke off the debilitating computer traffic at nodes around the world, according to current and former U.S. officials.
Although the attacks did not end, they subsided, providing what officials have described as a template to respond in other such cases.
The response to the episode, which has not been previously detailed, reflected the difficult choices the Obama administration faces in the event of a cyberattack — assaults that constitute a new-generation threat to the nation’s financial and industrial computer networks. In many cases, officials are still feeling their way in the dark, determined to protect U.S. computer networks but wary of an overly aggressive response that could invite escalatory attacks that might further paralyze the networks of American businesses.
“As good as our capabilities are, there is always the possibility for unintended consequences when you take [cyber] actions,” said a senior administration official who, like some others quoted for this story, spoke on the condition of anonymity to describe the policy debate.
The attacks on the banks were launched shortly after the expansion of U.S. sanctions against Iran, and whoever was behind them was impressively skilled. The hackers were waging what are known as “distributed denial of service” attacks, seizing large-capacity Web servers around the world and turning them into shifting “botnets” — networks of compromised computers that, unbeknownst to their owners, were being used to direct traffic at the banks’ Web sites.
By September 2012, financial institutions including Wells Fargo, Bank of America and JPMorgan Chase were grappling with waves of electronic traffic that had crept up from 20 gigabits per second to 40, 80 and ultimately 120 gigabits per second. It was at least three times the volume of traffic that most large banks’ Web sites were initially equipped to handle.
Banks were spending tens of millions of dollars to mitigate the problem.
In Washington, technical experts from different agencies gathered to discuss possible responses. The option to hack into the adversary’s network in Iran was dismissed as too provocative. But defense officials believed they had another option that would be effective and, as a former senior official put it, “gentle and precise.”
The servers that had been compromised by the hackers were constantly listening for commands, such as those that would tell them to aim traffic at certain banks’ servers. A team at Fort Meade in Maryland, the headquarters of both the National Security Agency and the military’s Cyber Command, could take covert or clandestine action that would permanently shut down the process responsible for the cyberattack.
“It would not affect anything else, not shut down the entire server, not enter property,” said the former official. “It was, simply, take the signal and die.”
The option, put forward by then-NSA Director Keith Alexander, who also headed Cyber Command, would have deterrent value and be “non-intrusive,” said former officials. But other administration officials were unsure that the action could be so precise and expressed concern that affecting a server in Iran — even if in self-defense — would represent a violation of its sovereignty.
A similar maneuver had been used in 2008 in a Pentagon operation, Buckshot Yankee, to battle an intrusion by foreign hackers into the classified military networks. In that case, though, the action was taken inside the military networks, which the Pentagon has the clear authority to defend.
The administration’s predicament in the case of the banks’ sites reflected “the newness of the cyber domain and the uncertainty of how others will react to U.S. action,” said a former defense official.
Officials also considered delivering a diplomatic demarche to Tehran through back-channels but rejected that option out of fear that it, too, could prompt the adversary to ramp up the attacks.
In the fall, with the assault continuing, the White House decided on a different kind of response. In a move that was part diplomatic, part technical, officials appealed for help to 120 countries, asking them to sever the traffic locally and to remove the malicious computer code from the servers around the world being used as springboards for the attacks.
“The pitch,” said Chris Painter, the State Department’s coordinator for cyber issues, “was, ‘We’re making a request of you, and we would really like your help. You have just as much of an interest in taking action because these are compromised machines. Please do what you can to mitigate this threat.’ ”
As the State Department raised the issue with its counterparts around the world, cyber technicians with the Department of Homeland Security contacted their counterparts. Officials in those countries took various actions, depending on their laws and technical capabilities, recalled Larry Zelvin, director of Homeland Security’s National Cybersecurity and Communications Integration Center.
Armed with Internet protocol addresses, date and time stamps of malicious activity, and network port numbers, for instance, the countries’ computer emergency response teams, or CERTs, could “sinkhole” the malicious traffic, routing it into what were effectively cyber black holes. They could also patch their systems to close the vulnerabilities the hackers had used to take control of the computers.
That “CERT-to-CERT, geek-to-geek relationship” was helpful, Zelvin said, because it is the techies who can take the data to de-fang the botnets. He added that the approach is being used to address other cyberthreats globally.
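The kind of work the CERT-to-CERT hand-off described above implies, as an added example that is not from the article or from any agency's tooling: a receiving CERT takes the shared indicators (source IP, destination port, timestamp), correlates them with its own network's flow records so that only traffic matching all three fields is acted on, and produces narrowly scoped filtering rules for an operator to review. The comma-separated indicator and flow formats, the IP addresses, the byte counts, and the nftables table and chain names are all constructed assumptions for the example.

```python
# Added example (not from the article): correlate DDoS indicators shared by a
# foreign CERT with local flow records, then plan narrowly scoped filtering.
# All indicator and flow data below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    ip: str            # compromised server reported as an attack traffic source
    port: int          # destination port the attack traffic was aimed at
    seen_at: datetime  # time the reporting CERT observed the activity (UTC)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    nbytes: int


# Constructed indicator feed: ip,port,timestamp (format is an assumption).
INDICATOR_LINES = [
    "203.0.113.10,80,2012-09-18T14:02:11Z",
    "203.0.113.10,443,2012-09-18T14:05:40Z",
    "198.51.100.7,80,2012-09-18T14:10:03Z",
]

# Constructed local flow export: timestamp,src,dst,dport,bytes (assumed format).
FLOW_LINES = [
    "2012-09-18T14:03:00Z,203.0.113.10,192.0.2.20,80,91000000",
    "2012-09-18T14:03:30Z,203.0.113.10,192.0.2.21,80,88000000",
    "2012-09-18T16:40:00Z,198.51.100.7,192.0.2.20,80,1200",   # outside time window
    "2012-09-18T14:04:00Z,192.0.2.99,192.0.2.20,80,500",      # no indicator for it
]


def _parse_ts(text: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used by the constructed feeds."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_indicators(lines: List[str]) -> List[Indicator]:
    out = []
    for line in lines:
        ip, port, ts = (f.strip() for f in line.split(","))
        out.append(Indicator(ip=ip, port=int(port), seen_at=_parse_ts(ts)))
    return out


def parse_flows(lines: List[str]) -> List[Flow]:
    out = []
    for line in lines:
        ts, src, dst, dport, nbytes = (f.strip() for f in line.split(","))
        out.append(Flow(_parse_ts(ts), src, dst, int(dport), int(nbytes)))
    return out


def match_flows(indicators: List[Indicator], flows: List[Flow],
                window: timedelta = timedelta(minutes=30)) -> List[Tuple[Flow, Indicator]]:
    """Keep flows whose source IP, destination port AND time agree with an indicator.

    Requiring all three fields keeps the response narrow: the same server may
    carry legitimate traffic outside the reported window or on other ports.
    """
    by_ip: Dict[str, List[Indicator]] = {}
    for ind in indicators:
        by_ip.setdefault(ind.ip, []).append(ind)
    hits = []
    for flow in flows:
        for ind in by_ip.get(flow.src_ip, []):
            if flow.dst_port == ind.port and abs(flow.ts - ind.seen_at) <= window:
                hits.append((flow, ind))
                break
    return hits


def plan_actions(hits: List[Tuple[Flow, Indicator]]) -> Dict[str, dict]:
    """Summarise each confirmed source and the rule that would drop only its attack traffic.

    The nft rule assumes an existing 'inet filter' table with a 'forward' chain on
    the upstream device (an assumption for this example). It filters on source
    plus destination port rather than null-routing the whole host, and the
    commands are returned as strings for operator review, never executed here.
    """
    plan: Dict[str, dict] = {}
    for flow, ind in hits:
        entry = plan.setdefault(flow.src_ip, {"bytes": 0, "targets": set(), "rules": set()})
        entry["bytes"] += flow.nbytes
        entry["targets"].add(flow.dst_ip)
        entry["rules"].add(
            f"nft add rule inet filter forward ip saddr {flow.src_ip} tcp dport {ind.port} drop"
        )
    return plan


def run_example() -> Dict[str, dict]:
    """Run the correlation over the constructed feeds and return the plan."""
    return plan_actions(match_flows(parse_indicators(INDICATOR_LINES), parse_flows(FLOW_LINES)))


if __name__ == "__main__":
    for src, entry in run_example().items():
        print(src, entry["bytes"], "bytes ->", sorted(entry["targets"]))
        for rule in sorted(entry["rules"]):
            print("  ", rule)
```

Only the host whose flows line up with the shared indicators on all three fields ends up in the plan; the host reported at a different time and the unreported local source are left alone. Removing the malicious code and patching the compromised server, the other half of what the article says CERTs did, is a host-level task that this network-side correlation does not cover.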
Officials said the approach worked to a degree: The barrage of traffic eased. At the same time, the approach did not eliminate the traffic entirely and did nothing, some say, to ensure that the attacker would not try again.
“What was the sanction?” said a second former defense official who favored a more aggressive response. “The effort didn’t hinder the adversary’s objectives in the least.”
Painter conceded that the multinational mobilization was not “a complete silver bullet.” But, he said, it “certainly was very helpful in building that cooperative framework, and many countries were able to help.” It was, he said, “a confidence-building measure.”
By the beginning of 2013, the administration had concluded that the denial-of-service attacks were “not even close” to hitting the threshold that would trigger a U.S. cyber response in foreign networks, one military official said. “Iran,” the official said, “is not dumb. When you cross that threshold, you’re going to have to expect something to come at you very hard.”
In the end, it was the adversary who eventually decided in the spring of 2013 to curtail the assaults, part of what analysts say was a general curbing of provocative behavior in a period in which Iran was involved in nuclear talks with the West and gearing up for a presidential election.
“It was the progress in the nuclear talks . . . and promises of changes in sanctions that changed Iran’s behavior,” said James A. Lewis, a senior fellow at the Center for Strategic and International Studies.
It was never clear whether Iran wanted to send a message or do actual harm, intelligence officials say. But they knew that Iran had the potential to do harm.
“It was clear that if they had chosen at various moments to aim all their capabilities down a narrow pipe, they would have succeeded in bringing the networks down,” the second former official said.