WASHINGTON -- In the spring of 2012, some of America's largest banks were coming under attack, with hackers commandeering servers around the world to direct a barrage of Internet traffic toward the banks' websites.
The assaults, believed to have been launched by Iran, were bringing the sites down for hours at a time and disrupting customer business -- the first significant digital assault of its kind undertaken against American industry computers by a foreign adversary.
It "was a wake-up call," recalled an official from a large Internet service provider for the banks. "It got our attention in a very serious way."
Wary of provoking even more intense attacks, the Obama administration rejected an option to hack into the adversary's network in Iran and squelch the problem at its source. Instead, officials did something they had never tried on such a scale -- appealing to more than 100 countries to choke off the debilitating computer traffic at nodes around the world, according to current and former U.S. officials.
Although the attacks did not end, they subsided, providing what officials have described as a template to respond in other such cases.
The response to the episode, which has not been previously detailed, reflected the difficult choices the Obama administration faces in the event of a cyberattack -- assaults that constitute a new-generation threat to the nation's financial and industry computer networks. In many cases, officials are still feeling their way in the dark, determined to protect U.S. computer networks but wary of an overly aggressive response that could invite escalatory attacks that might further paralyze the networks of American business.
"As good as our capabilities are, there is always the possibility for unintended consequences when you take [cyberactions]," said a senior administration official who, like some others quoted for this story, spoke on condition of anonymity to discuss the issue candidly.
The attacks on the banks were launched shortly after the expansion of U.S. sanctions against Iran, and whoever was behind them was impressively skilled. The hackers were waging what are known as "distributed denial of service" attacks, seizing large-capacity Web servers around the world and turning them into shifting armies of "botnets" -- computers that, unbeknownst to their owners, were being used to direct traffic at the banks' websites.
By September 2012, financial institutions including Wells Fargo, Bank of America and JPMorgan Chase were grappling with waves of electronic traffic that had crept up from 20 gigabits per second to 40, 80 and ultimately 120 gigabits per second.
It was at least three times the volume of traffic that most large banks' websites were initially equipped to handle. Banks were spending tens of millions of dollars to mitigate the problem.
In Washington, technical experts from different agencies gathered to discuss possible responses. The option to hack into the adversary's network in Iran was dismissed as too provocative. But defense officials believed that they had another option that would be effective and, as a former senior official put it, "gentle and precise."
The servers that had been compromised by the hackers were constantly listening for commands, such as those that would tell them to aim traffic at certain banks' servers. A team at Fort Meade in Maryland, headquarters of both the National Security Agency and the military's Cyber Command, could take covert or clandestine action that would shut down the process responsible for the cyberattack permanently.
"It would not affect anything else, not shut down the entire server, not enter property," the former official said. "It was, simply, take the signal and die." That option, put forward by then-NSA director Keith Alexander, who also headed Cyber Command, would have deterrent value and be "nonintrusive," former officials said. But other administration officials were unsure that the action could be so precise and expressed concern that affecting a server in Iran, even if in self-defense, would represent a violation of its sovereignty.
A similar maneuver had been used in 2008 in a Pentagon operation, Buckshot Yankee, to battle an infection of the classified military networks by foreign hackers. In that case, though, the action was taken inside the military networks, which the Pentagon has the clear authority to defend.
The administration's predicament in the case of the banks' sites reflected "the newness of the cyberdomain and the uncertainty of how others will react to U.S. action," a former defense official said.
Officials also considered delivering a diplomatic demarche to Tehran through back channels, but rejected that option out of fears that it, too, could prompt the adversary to ramp up attacks.
In the fall, with the assault continuing, the White House decided on a different kind of response. In a move part diplomatic and part technical, officials appealed for help to 120 nations, asking them to sever the traffic locally and remove the malicious computer code from servers around the world being used as springboards for the attacks.
"The pitch," said Chris Painter, the State Department's coordinator for cyberissues, "was, 'We're making a request of you, and we would really like your help. You have just as much of an interest in taking action, because these are compromised machines. Please do what you can to mitigate this threat.' "
As the State Department raised the issue with its counterparts around the world, Department of Homeland Security cybertechnicians contacted their counterparts. Officials in those countries took various actions, depending on their laws and technical capabilities, recalled Larry Zelvin, director of Homeland Security's National Cybersecurity and Communications Integration Center.
Armed with Internet protocol addresses, date and time stamps of malicious activity and computer port numbers, for instance, those nations' computer emergency response teams, or CERTs, could "sinkhole" the malicious traffic in what were effectively cyber-black holes. They could also patch their systems to close vulnerabilities, so the hackers could not control the computers.
That "CERT-to-CERT, geek-to-geek relationship" was helpful, Mr. Zelvin said, because it is the techies who can take the data to de-fang the botnets. He added that the approach is being used to address other cyberthreats globally.
Officials said the approach worked to a degree: The barrage of traffic eased, at least partly. At the same time, the approach did not eliminate the traffic entirely and did nothing, some say, to ensure that the attacker would not try again.
"What was the sanction?" asked a second former defense official, who favored a more aggressive response. "The effort didn't hinder the adversary's objectives in the least."
Mr. Painter conceded that the multination mobilization was not "a complete silver bullet." But he said it "certainly was very helpful in building that cooperative framework, and many countries were able to help." It was, he said, "a confidence-building measure."
By the start of 2013, the administration had concluded that the denial-of-service attacks were "not even close" to hitting the threshold that would trigger a U.S. cyber-response in foreign networks, one military official said. "Iran," the official said, "is not dumb. When you cross that threshold, you're going to have to expect something to come at you very hard."
In the end, it was the adversary who eventually decided in the spring of 2013 to curtail the assaults, part of what analysts say was a general curbing of provocative behavior in a period in which Iran was involved in nuclear talks with the West and gearing up for presidential elections.
"It was the progress in the nuclear talks ... and promises of changes in sanctions that changed Iran's behavior," said James A. Lewis, a senior fellow at the Center for Strategic and International Studies.
It was never clear whether Iran wanted to send a message or do actual harm, intelligence officials say. But they knew that Iran had the potential to do harm.
"It was clear that if they had chosen at various moments to aim all their capabilities down a narrow pipe, they would have succeeded in bringing the networks down," the second former official said.