According to this article in the New York Times, the recent DDoS attacks launched against U.S. financial institutions were likely the work of the Government of Iran and were in retaliation for U.S. sanctions against Iran and its financial institutions. These attacks, which started in September, have targeted, and caused temporary disruptions to, sites of “Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.” Because of the nature of DDoS attacks, these disruptions inconvenienced the banks and their customers, who were unable to access the websites, but did not result in the theft or compromise of financial data.
The chief evidence for this is indirect: the scope and sophistication of the attacks. Apparently, the attackers infected large data centers with malware and then used those data centers to barrage U.S. institutions' web sites with requests in an effort to overwhelm them and take them down. The use of the data centers resulted in attacks that, in some instances, peaked at 70 gigabits.
Although no data was compromised in this instance, the use of data centers in these attacks raises yet again the issue of cloud computing and export law. The malware that turns the data centers into attack bots could, in theory, access customer information, including export-controlled technical data, which might be stored in those data centers. The article does not identify the data centers involved, or whether they were located in the United States or abroad. But if any of them were located in the United States, where U.S. companies would be permitted, at least in theory, to store controlled technical data without export licenses, the possibility that a deemed export of that data to Iran has occurred is quite real.
Traditional thinking in the murky area of export law and cloud computing has been that storage of export-controlled technical data on clouds physically located in the United States raised no export control issues. But if these clouds are increasingly targeted by non-U.S. hackers, this assumption may no longer be valid.