DDoS Attacks Slam Finnish Bank

Alleged Attackers Demand Bitcoins to Cease Disruptions
DDoS Attacks Slam Finnish Bank

Police in Finland are investigating a series of distributed denial-of-service attacks against the country's OP Pohjola financial services group that have intermittently shut down online banking and direct debit services.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

The attacks, which were first reported by Finland's YLE news service, began on New Year's Eve.

Law enforcement officials say the attacks have been launched via malware-infected "zombie" PCs - or bots - located both in Finland and abroad. "This attack came from many different directions. The perpetrators had commandeered [bots], so the incoming data traffic would not necessarily reveal anything about who was behind the attack," Detective Chief Inspector Timo Piiroinen, who's with Finland's National Bureau of Investigation, tells the country's YLE news outlet. Piiroinen declined to offer further details related to the attack, saying the matter remains an "ongoing investigation" that involves NBI, the bank, as well as the Finnish Communications Regulatory Authority, which is known as Ficora.

Security experts report that numerous services now offer on-demand DDoS attacks. Some services, such as "Darkbooter," advertise related services for as little as $3.99.

Pohjola, which is based in Helsinki, is the largest financial services group in Finland, boasting 4 million customers in a country that has a population of 5.4 million. The financial services firm, which operates 350 branches, said that while the initial attack was contained by late on Dec. 31, 2014, subsequent attacks have continued to cause intermittent disruptions. The financial services firm has posted contact phone numbers to serve customers who are continuing to face disruptions with accessing services, both from inside and outside the country. The firm says in a Jan. 7 FAQ that due to DDoS defenses that are now in place, the aggressive filtering of traffic that originates outside Finland is continuing to cause disruptions for customers who are attempting to access banking services from abroad.

CoreSec Claims Credit

A group that calls itself CoreSec has taken responsibility for the DDoS attacks. But the DDoS collective that calls itself Lizard Squad also highlighted the disruption against the banking website, although it's not clear if the group was involved in the attack.

CoreSec has been tied to previous DDoS extortion campaigns, including an August 2013 campaign against Finland's Katsomo pay-per-view television website in the midst of ice-hockey playoffs - which the group demanded 10 bitcoins to call off - as well as a 10 bitcoin ransom demand left on the Facebook page of Danske Bank by "Coresec/V£N0M," reports cybercrime expert Mikko Hypponen, who's the chief research officer at Helsinki-based anti-virus firm F-Secure. But he says it's not clear when that demand was made.

In its Dec. 31 post to Pohjola's Facebook page, meanwhile, CoreSec demanded 100 bitcoins to call off its attack. At that time, those bitcoins would have been worth about $35,000. "Lazers pointed towards #FreeRyan," the group also posted, referring to a static IP address assigned to Pohjola.

Attackers' Call to 'Free Ryan'

CoreSec's "FreeRyan" reference, meanwhile, refers to the belief that "Ryan," a 17-year-old Finn who allegedly participated in the Xbox Live and PlayStation Network disruptions on Christmas Day - for which the Lizard Squad collective has claimed credit - was arrested. But Finnish police say that while they have interviewed the teenager on suspicion of having committed "data crimes," he has not been charged or arrested, contrary to a report in the Washington Post. That interview followed Ryan telling Britain's Sky News via a Skype interview that just two or three people directed the DDoS attacks "mostly to raise awareness - to amuse ourselves."

Finnish legal experts say that if Ryan is charged for related crimes, he would face less severe penalties under the country's data crime laws, because he is younger than age 18.

Ryan has claimed to be a spokesman for Lizard Squad, rather than an active member of the collective. He claims the disruptions - coming in the wake of the high-profile hack of Sony Pictures Entertainment - were proof that Microsoft and Sony weren't devoting sufficient resources to protect their gaming networks, and, by extension, their customers. "They should have more than enough funding to be able to protect against these attacks," he said. "And if they can't protect against the attacks on their core business networks, then I don't think they're really doing that much on their overall level of security."

Lizard Squad, meanwhile, says the attacks were meant to advertise its new DDoS-as-a-service offering, dubbed "LizardStresser." It claims to accept payments via PayPal, as well as in Bitcoins.

Regardless, Lizard Squad called off its DDoS attack against the gaming networks after Kim Dotcom, who runs the cloud storage and file-hosting service Mega, offered the group 3,000 free, lifetime vouchers if they would permanently cease their Xbox and PlayStation Network attacks.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.