Once contaminated by malicious software that turned over control to an unknown actor, the servers became a botnet – an army of zombie machines that did what they were told. On Sept. 18, the botnet was told to send data packets to strike Bank of America's servers, finally swamping them. The false flag, says Mr. Holden, was the effort by a tiny hacktivist campaign to provide cover for the huge botnet strike.
Bank of America was that day's target. JPMorgan Chase and Citigroup were hit later that week, causing their websites to slow or become inaccessible. Then, on Tuesday, Sept. 24, also between 9 and 10 a.m., attacks began again – this time directed at Wells Fargo. The next day, U.S. Bancorp's and PNC's websites were knocked down for a time, according to media reports.
The attacks seemed more sophisticated than what is typical for a DDoS incident, some experts say.
"It's not just a volumetric attack," says Scott Hammack, chief executive officer of Prolexic, a computer security firm with close ties to the financial industry. "The perpetrators really did their homework. This isn't a kid in his bedroom in Brooklyn doing these attacks. They've done months of reconnaissance."
Michael Smith, a senior security expert at Akamai Technologies, a Boston-based Web-acceleration company that on any given day processes as much as one-third of all World Wide Web traffic through its 130,000 global servers, isn't buying the idea that the cyberattacks on the banks were the work of hacktivists, either.