Once contaminated by malicious software that turned over control to an unknown actor, the servers became a botnet – an army of zombie machines that did what they were told. On Sept. 18, the botnet was told to send data packets to strike Bank of America's servers, finally swamping them. The false flag, says Mr. Holden, was the effort by a tiny hacktivist campaign to provide cover for the huge botnet strike.
Bank of America was that day's target. JPMorgan Chase and Citigroup were hit later that week, causing their websites to slow or become inaccessible. Then, on Tuesday, Sept. 24, also between 9 and 10 a.m., attacks began again – this time directed at Wells Fargo. The next day, U.S. Bancorp and PNC's websites were knocked down for a time, according to media reports.
The attacks seemed more sophisticated than what is typical for a DDoS incident, some experts say.
"It's not just a volumetric attack," says Scott Hammack, chief executive officer of Prolexic, a computer security firm with close ties to the financial industry. "The perpetrators really did their homework. This isn't a kid in his bedroom in Brooklyn doing these attacks. They've done months of reconnaissance."