Financial Sector Cyber-Attacks: The Ever-Evolving Threat

By Paul Prudhomme, Cyber Threat Intelligence Advisor at  IntSights.

The banking and financial services industry is under increasing threat from cyber-attacks, particularly from North Korean state-sponsored threat actors and sophisticated Russian criminals. Set against a backdrop of constantly evolving techniques, financial firms must stay ahead of the game,

The impact of a cyber-attack on a financial sector organisation can be devastating. Take the example of Equifax, the firm breached in 2017 in one of the largest cyber-attacks of all time. The cyber-assault saw hackers steal sensitive data including social security numbers, hitting Equifax’s reputation and resulting in hefty regulatory fines and class action lawsuits.

The data stored by financial organisations – including bank account and credit card numbers – is extremely valuable. It’s therefore no surprise that this sector is an increasing target for cyber criminals, including Russia, which has some of the most sophisticated criminals, and North Korea, whose government is unique in sponsoring criminal attacks on banks as a source of revenue.

State-sponsored adversaries may also target the financial sector because, like oil and gas companies and utilities, these institutions are a part of a country’s critical national infrastructure. If hackers can halt the stock exchange – as they did in New Zealand in 2020  – they can create the chaos and fear that fuels their ultimate hybrid warfare aims.  State-sponsored Iranian threat actors also disrupted the websites of U.S. banks in a distributed denial of service (DDoS) campaign in 2012-2013 in retaliation for the implementation of sanctions against the Iranian financial sector due to Iran’s nuclear program.

In response to this growing threat, the financial sector is creating proactive measures such as security protocols to thwart attempted cyber attacks. Yet all too often, the volume and velocity with which threat actors are developing new tactics, techniques, and procedures (TTPs) still allows them to succeed in their attacks.

The cyber threat landscape of the banking sector is in constant flux. So, what are the most common attack vectors and methods deployed by cyber-criminals against banks and other financial institutions today?

Fraud on a grand scale

Cyber criminals historically focused on fraudulent transactions via stolen payment card information or online banking credentials purchased in underground black markets.

But attackers are now growing more sophisticated, targeting the bank networks themselves in order to enable fraud on a grand scale. Their goal: To breach bank networks and move laterally to gain access to systems, such as SWIFT terminals or servers that support ATMs.

One of the most prevalent adversaries in this area is state-sponsored North Korean Lazarus Group. The group, whose aim is to raise revenue for the financially isolated North Korean government, was a pioneer of this more ambitious approach in its fraudulent use of compromised SWIFT access.

Other cyber criminals including sophisticated Russian-speaking hackers have followed suit and targeted different internal banking systems in a bid to enable large-scale fraud in other ways.

Paul Prudhomme

For example, MoneyTaker targeted the Automated Workstation Client of the Central Bank of Russia (AWS CBR), a SWIFT-like interbank payment system, in a similar manner.

MoneyTaker also targeted card processing systems within banks to enable fraudulent card transactions that the attackers controlled by changing or removing withdrawal and overdraft limits.

Online payment card fraud is another area of growth. This type of attack replaces in-person fraud following the 2015 introduction of EMV chips in the US to prevent the cloning of compromised cards.

Digital card skimmers

Digital card skimmers have become an increasing avenue of attack, taking aim at online commerce rather than the physical point of sale systems more commonly targeted in the past.

Ticketmaster and British Airways are just two of the firms that have fallen victim to the now infamous Magecart hackers, who planted malicious code in the companies’ payment pages to steal customer details, including card CVVs.

The risk of online based cyber attacks has increased further during Covid-19 as people rely on e-commerce rather than high street shopping.

New banking Trojans

Banking Trojans have been around for a while, but they are becoming more sophisticated to inflict more damage upon victims via new functionality beyond their primary purpose.

For example, two of the most prolific Windows banking Trojans in recent years Emotet and TrickBot, expanded their functionality to the point that the compromise of online banking credentials was arguably no longer their core function.  In fact, Emotet and TrickBot have often served as downloaders for other types of criminal malware, particularly ransomware. This type of malware, which locks systems in exchange for a ransom, is sometimes deployed by attackers after they have collected online banking credentials and other information they can monetise.  Emotet was the target of a recent international law enforcement operation to take down its infrastructure, which could lead to its demise in the long-term.

Mobile banking Trojans have become important for two reasons. First, the widespread adoption of banking apps makes mobile devices an equally, or even more important target for attackers that seek to compromise online banking credentials.

Secondly, adversaries are looking to take advantage of the fact that two-factor authentication (2FA) for online banking logins relies on mobile devices, via either SMS or authentication apps.

Compromising mobile devices with banking Trojans can therefore facilitate attacks on online banking credentials by enabling 2FA bypasses. Indeed, SMS intercept functionality is typical of mobile banking Trojans, and some even have the ability to collect 2FA codes from authentication apps.

A proactive approach

As the threat to the financial sector increases, with North Korean and Russian adversaries operating with impunity, it’s often said that security is a constant game of cat and mouse. That is why it’s integral to take a proactive approach to threat detection and prevention.

Financial sector attacks focus on lateral movement within bank networks to the most sensitive systems that can enable large-scale fraud, such as SWIFT terminals, ATM servers, and card processing systems.

It is with this in mind that network defenders should aim to reduce opportunities for lateral movement within their networks. This can be done through network segmentation and heightened security measures for the most financially sensitive systems.

As part of this, firms need to apply stringent authentication for financially sensitive systems and tools that could enable large-scale fraud in the event of a compromise.

Another key factor in staying ahead of attackers is cyber threat intelligence – knowing your enemy and its TTPs – which equips security practitioners with the knowledge they need to protect their organisations.

Threat intelligence works because it’s sector-specific and based on data unique to organisations and the vertical at large. This empowers financial sector institutions to act swiftly in response to emerging threats and shut them down before they evolve into fully-fledged cyber attacks.