Pierluigi Paganini January 30, 2018

Three Dutch Banks (ABN AMRO, ING Bank, Rabobank) and Tax Agency were targeted by a coordinated DDoS Attacks a few days the revelation of the Russian APT Hack.

Early this week a massive DDoS attack targeted three Dutch banks, ABN AMRO, ING Bank, Rabobank, and the Dutch Taxation Authority (Belastingdienst).

The DDoS attacks caused severe accessibility problems to the bank infrastructure, they prevented customers from accessing the web services.

The attack against the Dutch Tax Authority prevented taxpayers filing tax-related documents.

Who is behind the attack?

According to security experts from ESET, the origins of the attacks are servers in Russia.

“The DDoS attacks that hit ABN Amro, ING and Rabobank over the weekend and on Monday, came from servers in Russia, according to security company ESET. The company adds that this does not automatically mean that the perpetrators are also in Russia, the Telegraaf reports.” states NL Times.

“The perpetrators used a so-called botnet – an army of hijacked computers and smart devices – to commit the DDoS attacks. Using the program Zbot, they remotely ordered these devices to visit a certain site en masse, thereby overloading the site’s server and crashing the site. The command and control servers are mainly in Russia, ESET determined.”

It is difficult to attribute the attack to a specific threat actor. anyway, the cybersecurity expert Richey Gevers noted that the attacks came a few days after the story of the Cozy Bear hack operated by the Dutch Intelligence Agency AIVD. According to Gevers, the DDoS attack peaked 40 Gbps in volume of traffic.

Hey fellow DFIR people. Jan 25th the story broke the Dutch Intelligence Agency AIVD hacked Cozy Bear. At this moment critical Dutch infra is under (40Gbps) DDoS attack. Has anyone seen infected clients/network traffic performing a DDoS attack on Dutch infra? Please let me know.

— Rickey Gevers (@UID_) January 29, 2018

The expert also added that the attackers powered the attacks using a botnet composed of home routers.

The banks are not sharing much info. But they said some IPs look like routers. Thats all I know.

— Rickey Gevers (@UID_) January 29, 2018

The Ministry of Justice and Security called the attacks on the Dutch institutions very advanced, according to BNR. “But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

Researchers from ESET claimed the attackers used the Zbot malware, a very old threat based on the infamous ZeuS banking trojan.

According to BNR, even is the malware is not complex, the Ministry of Justice and Security has classified the attacks on the Dutch institutions as very complex

“But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

Pierluigi Paganini

(Security Affairs – DDoS attacks, Dutch banks)

[adrotate banner=”5″]

[adrotate banner=”13″]