But experts say it appears that at least two attacks were occurring at once – one by a group of individuals, and the other by an entity controlling a relatively small number of powerful, high-speed Internet Web servers. Any attacks by activists during that time were only a veil masking a powerful, orchestrated attack conducted either by cybercriminals or possibly by Iran in retaliation for harsh economic sanctions, these experts say.
"On this particular attack, an Islamic group has claimed responsibility by saying they are doing the attacks for ideological motives," Dan Holden, director of research for the Security Engineering & Response Team at Arbor Networks, says in an e-mail interview. "If true, this would be classic hacktivism. However, Arbor thinks this could be a 'false flag' operation to divert attention away from the real attackers."
A leading indicator is the source of the digital firepower. The attack now appears to have emanated almost entirely from just 300 to 400 very powerful machines – Web servers – rather than from thousands of irate hacktivists allowing their own personal computers to be used to attack websites, Arbor and others say. These Internet workhorses, which usually employ their powerful processors to display many Web pages to the public simultaneously, were infiltrated and compromised – then used to attack the six banks.