The German Financial Sector Under Attack
In January 2020, it came to DCSO’s attention that three German banks, DKB, Sparkasse, and Commerzbank, had suffered three separate distributed denial-of-service (DDoS) attacks, each seemingly committed by the same actor. The threat actor had not publicly issued any financial demands or stated any financial motive, but the incidents still set off a number of alarm bells within the German financial sector, as they demonstrated the sector’s lack of preparedness against similar attacks that might occur in the near future.
Indeed, the German financial sector currently looks to be under-prepared for this possibility. Operating profitably as a major bank in Germany can be problematic, given that local private and corporate customers expect (and are often offered) banking services free of charge. The consistently low German interest rates also don’t help, both affecting organizations’ revenues and limiting their ability to finance their expansion – whether geographically, or in terms of service offerings. Many smaller savings banks and cooperative banks are much more competitive than major banks in various areas of Germany for that reason: they don’t suffer from high overhead costs like major banks do. Providing more online banking services became a logical next step for many of the banks to maintain competitiveness, but that in turn opened them up to new cybersecurity risks.
The risks posed by such DDoS campaigns to financial organizations are neither insignificant nor confined to Germany. Only a month after the January 2020 DDoS attacks targeting the German financial sector, several Australian banks found themselves bracing for an extensive extortion campaign carried out by the “Silence Hacking Crew”, a Russian-speaking threat actor that has targeted banks since 2016, including banks in Russia, in several countries in Eastern and Central Europe, and more recently in Bangladesh, India, Sri Lanka, and Kyrgyzstan. The Silence Group has been emailing its victims with threats of carrying out DDoS attacks that would disrupt their services for days unless a ransom is paid. While the Silence Group never did act on its attack threats in Australia, the group has been linked to over 16 campaigns targeting banks since 2018, making such instances of inaction the exception rather than the rule.
Financial organizations are also often targeted by advanced threat actors for non-financial reasons, for instance as a result of a hostile country’s political or strategic interests. The 2011/2012 Iranian DDoS attacks on U.S. banks are a good example of this. Those attacks targeted 46 American financial organizations over the course of 176 days, resulting in tens of millions of dollars in mitigation costs, while also leaving “hundreds of thousands of customers unable to access their bank accounts”. Regrettably, DDoS attacks have only become cheaper and easier to launch since then. With three major German banks hit by DDoS attacks within a single month, it is hard to dismiss the possibility of further serious incidents occurring within Germany.
Anatomy of the attack
On January 7, 2020, “Finanz Informatik-Technologie Service” (FI-TS), the IT hardware service provider of the DKB, was exposed to an attack that affected the availability of DKB’s website and some of its services. The external attack, which paralyzed the online banking services as well as the DKB website for hours, appeared to be a DDoS attack executed via a botnet.
The attack lasted for hours and caused massive service disruption to DKB, Germany’s second largest bank. That same day, a Twitter user by the name of ‘@naifu911’ addressed a tweet to the DKB’s Twitter account, claiming responsibility for the disruption of its online banking services, which led to the bank blocking the account. Using a personal page on the blog comment hosting service Disqus, the Naifu actor further elaborated on how they executed the attack. In a follow-up post pictured below (Figure 1), the attacker would eventually go so far as to mock DKB’s inability to mitigate the denial-of-service state induced by their DDoS campaign.
Two days later, on January 9th, DKB customers again found themselves unable to access their accounts; service remained disrupted for a number of hours, from the afternoon until later that night. That same day, in a demonstration of their technical ability to cause similar denial-of-service incidents, Naifu released a video showing the execution of a similar DDoS attack, this time targeting Sparkasse. The attack itself lasted only a few minutes, causing minimal service disruption, and was therefore neither reported by Sparkasse nor covered by media sources. The timestamp attached to a comment later posted by Naifu (see Figure 2) reveals the approximate time at which the attack occurred, and the comment contains a link to the original video, which had been uploaded shortly afterwards to the online video hosting service Streamable.
After reviewing the video, DCSO analysts determined that the IP address of the attacker (165[.]231[.]102[.]6), a Netherlands-based IP, was a NordVPN exit node.
The third and final DDoS attack was launched eighteen days later on January 27 at 11:28 AM, this time targeting Commerzbank. The attack caused a service outage that lasted for almost an hour. Minutes later, Naifu, using a new Twitter account, claimed responsibility for the attack (Figure 5). Commerzbank’s online banking services resumed normal operations approximately an hour later.
After a lengthy period of inactivity, Naifu resurfaced on Twitter on May 3rd, mocking DKB’s written response concerning another service outage it was facing at the time and implicitly taking responsibility for the attack, which lasted from 11:48 AM until after 11 PM the same day.
While this would be the last instance in which Naifu claimed responsibility for an attack on a financial organization, they would later claim responsibility for a similar attack on May 22, this time targeting the U.S. social media platform Reddit. That attack disrupted Reddit’s services for approximately three hours. According to the online marketing platform Alexa, Reddit is the 20th most popular website on the public Internet. The significant capabilities required to disrupt a social media platform of that scale underscore the severity of the threat posed by Naifu’s DDoS campaigns.
The attacker suspected to be behind these attacks favors the pseudonym “Naifu”, which is Japanese for knife. Over the month of January, they registered on Twitter under three different accounts, each of which used the same profile picture and incorporated the word Naifu into the account name itself. Naifu switched between these accounts after they were blocked, either by the social media teams of the victimized organizations or by Twitter itself. Their public behavior through these accounts presents researchers with an intriguing case for further analysis. As noted before, Naifu frequently issued boastful declarations claiming responsibility for their attacks (see Figure 6). Furthermore, their insistence on registering new Twitter accounts despite making no financial demands or issuing new threats to their victims speaks to a more complex set of motivations underlying their malicious activity.
The attacker created a Keybase account using the same Naifu pseudonym (Figure 7) that linked to their current Twitter account. While the attacker claims on their profile to reside in Japan, uses a Japanese name, uses Japanese anime-style pictures for their avatar, and even uses Japanese-language quotes on their Keybase profile, there is no conclusive evidence that could confirm that they are Japanese or that they are currently residing there. The German used by the attacker in their comments on the blog comment hosting service Disqus is of a native-speaker level, and they tend to be active on the platform during late evening hours in the Central European Time zone.
The attacker’s criminal profile and behavior speak to motivations that contrast greatly with those of a traditional, financially motivated threat actor. Whereas such a threat actor would use DDoS attacks, or the threat of them, to extort their targets, Naifu has given no indication of having such motivations behind their disruptive activity. On the contrary, they explicitly cite their desire for amusement as a key motivator. A post made by Naifu on Twitter also notes that they are lonely and desire social interaction with others. Their prominent public claims of responsibility on Twitter and other social platforms, as well as their frequent interaction with other Twitter users, indicate that their malicious activity might instead be attributable to more diffuse, attention-seeking or emotional motivations. This could also indicate that the attacker is a young person with technical skills, or one who has access to a DDoS-as-a-service provider.
A deeper search for the name “Naifu” reveals another interesting case: In April 2019, there was a series of ransomware attacks on Smile Communications routers in Nigeria, in which an attacker compromised devices belonging to individual users and demanded a ransom in order to restore access to their devices. The attacker requested that the ransom be sent to a Bitcoin wallet. A Twitter account previously used by Naifu, almost identical to their current Twitter handle, was featured on the landing page inserted on compromised routers, linking them to the attack.
A recent news report may shed some light on who is likely behind the recent DDoS attacks. On June 17, 2020, two suspects, aged 20 and 16, were arrested in Calw (Baden-Württemberg) and Soltau (Lower Saxony) respectively on suspicion of computer sabotage and attempted extortion. The arrests were made by German law enforcement officials at the request of the Itzehoe public prosecutor. According to the original police press release, the suspects are being investigated for attacking and disrupting the digital services of several private organizations, including TNG Stadtnetz GmbH in Kiel and Deutsche Kreditbank AG, in Schleswig-Holstein, Lower Saxony, Berlin and other federal states, as part of a long-running campaign that began in July 2019.
The suspects are accused of carrying out at least 12 distinct DDoS attacks, which resulted in the disruption of key services at several of the victim organizations. The 16-year-old suspect is additionally accused of commercial extortion in connection with an April 2019 ransomware campaign targeting consumer-grade routers belonging to customers of telecommunications providers in Nigeria. Victims of this earlier campaign were forced to pay a ransom of approximately 100 EUR in Bitcoin to unlock their routers. The 16-year-old suspect was reportedly motivated by boredom and loneliness, and has a history of acknowledging their malicious activity across different social networks.
While German privacy laws prevent authorities from providing information concerning the identities of suspects connected to criminal offenses, the press release’s description of the suspects’ activities fits those attributable to the Naifu actor, namely:
- The report confirms both DKB and Nigerian telecom providers were targeted by the same actor.
- The timings of the campaigns as outlined in the report line up with Naifu’s more recent activity.
- The 16-year-old suspect’s motivations referenced within the report (loneliness and boredom) match those referenced by the Naifu actor on their social media accounts.
- The 16-year-old suspect was confirmed to have used social media to publicize details about their attacks.
Analysis and Conclusion
DDoS attacks similar to those carried out against DKB and Commerzbank are extremely cost-effective for attackers and technically easy to execute. In 2017, researchers at Kaspersky published an analysis of the costs associated with DDoS attacks at the time. Their findings demonstrate exactly how low the barrier to entry is for malicious actors interested in launching DDoS campaigns: the estimated cost of powering a DDoS attack using a cloud-based botnet of 1,000 desktop systems is about $7 per hour. The average DDoS-as-a-service rate is approximately $25 an hour, leaving a substantial profit margin for those operating such a service while keeping customer costs relatively accessible. Such attacks can also be tailored to the attacker’s needs, creating a price range from $5 for a 300-second attack up to $400 for a 24-hour attack on a server that employs some form of anti-DDoS protection.
The financial cost of executing a DDoS attack is also governed by variables such as attack duration and the type of botnet used: an IoT botnet, for example, may cost the attacker far less than a botnet composed of dedicated servers. Either way, the three attacks observed in January are unlikely to have cost the attacker a substantial amount. By comparison, for the targeted banks, the financial impact of a 24-hour attack could range anywhere from tens of thousands to hundreds of thousands of euros.
The disparity between the cost to the attacker and the financial liability of the targeted organization gives financially motivated attackers a strong incentive to extort online banks and financial organizations, which could face costly service interruptions. While the Naifu actor did not appear to be financially motivated to any significant degree in their most recent activity, their May 3rd attack caused almost 12 hours of service disruption and proved that DKB is still vulnerable to their relatively straightforward attack methods.
For the targeted banks, Naifu’s lack of any clear financial motivation is not particularly reassuring, as the ease with which they executed their successful attacks raises serious questions about the state of the banks’ defenses against future DDoS incidents. What if Naifu inspires other, more malicious actors to threaten and extort German banks? Given that Naifu was still able to disrupt DKB’s online services in their more recent May 2020 DDoS attack, it is clear that German banks may still be vulnerable to such malicious activity.
To make matters worse, the German financial sector’s reliance on slow-moving service providers such as Finanz Informatik has been identified as an exploitable weak point for attackers seeking to capitalize on the sector’s technical fragility. Implementing any effective countermeasures against future DDoS campaigns would likely require the involvement of these organizations within the financial supply chain, a factor that would likely prolong the improvement process and make it more costly. However, this should still be considered the preferred option, given the alternative.
Generally, Germany’s economy remains a highly attractive target for financially motivated threat actors aiming to extort organizations as part of their campaigns. The risks posed by DDoS campaigns are especially acute, since they are technically easy to execute, have low associated costs, and can be highly effective in disrupting services. The German financial sector is no exception to that rule, which is why the January attacks should start a serious conversation among the nation’s leading organizations regarding future cybersecurity planning and attack mitigation strategies, especially amidst the COVID-19 pandemic, which has led to a greater reliance on the provision of online services.