Lloyds Banking Group (LBG) was reportedly hit with a cyber-attack several weeks ago, which intermittently prevented customers from accessing accounts. LBG has refused to ‘speculate’ on the nature of the outages.
Customers were subject to intermittent outages to online banking which lasted two days between the morning of 11 January and the afternoon of the 13th. Affected customers were reportedly blocked from their online banking accounts, which prevented them from making payments or viewing their account balances.
The Financial Times recently reported that the outages were the result of a Distributed Denial of Service, or DDoS, attack. A source with knowledge of the case told SC that attackers had targeted several banks with DDoS attacks, but it was primarily LBG that was affected. An investigation is currently underway as to why that is.
LBG was not technically ‘hacked’ and no money or financial details are reported to have been stolen. A DDoS attack works not by penetrating a network but by leveraging groups of enslaved devices to send junk traffic towards a targeted website, overloading it and preventing it from working properly.
An LBG spokesperson gave a statement to SC Media UK saying that the bank “experienced intermittent service issues with internet banking between Wednesday morning and Friday afternoon the week before last and are sorry for any inconvenience caused.”
The statement added that only a small number of customers experienced problems and that most were able to log in after a second attempt. It concluded, “we will not speculate on the cause of these intermittent issues.”
Sources told SC that attackers reportedly demanded large sums in exchange for a cessation of the attack, although no payments have been made.
DDoS is often used as a ransom tool. When the victim becomes paralysed by the relentless onslaught of junk traffic, they may well pay up to regain day-to-day operations. Perhaps most famous for using this tactic was the gang DD4BC, who became infamous for targeting the online gambling industry before several of its members were arrested in a Europol raid in early 2016.
Others use DDoS as a smokescreen. When defenders see a massive, overwhelming attack in one part of their network, they might understandably divert their resources and attention in that direction and away from other, less conspicuous intrusions.
John Madelin, CEO at RelianceACS, told SC that “While the IT department is trying to get services back up and running the attackers can find weaknesses and holes in other parts of the network with a goal to access sensitive information. Another motive can be activism where, by disabling access to the bank's online services, the bank is losing business and trust with its customers which hurts their bottom line.”
The group is believed to be international, but not much is known about the attackers. SC's source said that attacks are not being attributed to a nation state but a sophisticated cyber-criminal group. Describing the group as “amateurish”, the source added that the attackers were probably an individual or small group “playing with Mirai and trying to make a quick buck.”