2013 DDoS Attacks on US Banking Sector Used Sweden’s Military Servers
Swedish newspaper Daily News discovered that a large number of Web servers belonging to Sweden’s Armed Forces were hijacked and forced to participate in DDoS attacks against US banking institutions.
The attacks took place in the spring of 2013 and targeted organizations such as Citigroup, Capital One, PNC, Bank of America, and HSBC. In the overall big picture, they were part of a wave of DDoS attacks targeting US financial groups, suspected of being carried out by Iranian hackers after the US was trying to impose new sanctions on the country.
The attacks actually started in the fall of 2011, and after a five-year investigation, US authorities eventually indicted seven Iranian hackers last month.
Swedish army addressed the issue back in 2013
According to Daily News, Swedish authorities were alerted by the attacks at the time when they happened. In May 2013, the Swedish Civil Contingencies Agency (MSB) sent the Swedish military’s IT staff an email claiming that some of their servers were used in DDoS attacks.
The email contained details about the IP of each machine, and the type of vulnerability the attackers were exploiting to launch their attacks.
In statements made to DN three years later, an Armed Forces spokesperson said they fixed the issue at the time of the attacks. They also said that that particular vulnerability couldn’t have been exploited to break into the Army’s databases, and only helped to relay the attacker’s traffic.
The problem with improperly configured servers
The Army spokesperson said that human error was at the center of this issue and that proper server configuration would have prevented the whole incident.
While army servers were patched in 2013, authorities also say that around 14,000 servers still exist in Sweden with the same vulnerability, which they declined to name or explain further. Most of these servers are located in government agencies, universities, and municipalities.
In October last year, Akamai researchers revealed that Sentinel licensing servers from the University of Stockholm, Sweden were used in reflection DDoS with an amplification factor of 42.94 that peaked at 11.7 Gbps.
This vulnerability in Sentinel servers was first discovered in Sweden, but it is not at the core of that attack, which mainly used flaws in DNS servers to amplify and propagate traffic.