SecurityWeek

Threats to Financial Services Firms, All that Glitters isn’t Gold

Financial institutions have long been an attractive target for threat actors due to the information they hold, their role as part of critical national infrastructure and their often global presence.  It’s natural to think that their adversaries are all financially motivated, but many are not. In 2016 we saw drivers like hacktivism, ideological differences and intelligence gathering also motivating attacks.

In order to better defend against financially- and non-financially motivated attacks, we must continually strive to understand the threats and the actors behind them. Let’s take a closer look at some of the newer threats and tactics, techniques and procedures (TTPs) that security professionals in the financial services sector should know about to assess digital risk and better align security strategies in 2017.

Financially-motivated attacks

Extortion. In the last year we saw multiple DDoS-based extortion attempts, including those by DD4BC, the Armada Collective and copycat actors, Kadyrovtsy and vimproducts. In a relatively new twist, extortion actors are attempting to extort both the institution and its customers, gaining a potential second revenue stream. This was the case following the reported compromise of Valartis Bank in Liechtenstein in 2016, where customers were approached and offered an opportunity to have their data removed from any that was leaked.

Ransomware. Spam emails, malicious attachments and exploit kits such as RIG or Sundown are likely to remain viable delivery methods for ransomware in 2017. However, we also expect to see more copycats and more targeted delivery methods, prompted largely by the success rate of variants such as SamSam. A rise in ransomware-as-a-service models will make it easier for these types of attacks to proliferate.

Targeted intrusions. Throughout 2016, a relatively large number of network intrusions targeting the financial services and banking sector were reported, including several major thefts. We can expect that bad actors will continue to exploit bank networks in order to effect fraudulent transfers, steal sensitive data from corporate networks, deploy point-of-sale (PoS) malware, and enable mule teams to physically steal cash from ATMs.

Business Email Compromise (BEC). Criminal actors have continued to employ typosquatted domains and compromised legitimate email accounts in order to engage in BEC-based fraud. While the majority of these attacks did not target the financial services sector, losses for the Tillage Commodities Fund and Pomeroy Investment Corp indicate that the sector should remain vigilant.

Banking Trojans. I recently covered this topic in detail, as a surge in banking trojan variants is catching many by surprise. We can expect to see continued activity by TrickBot, GozNym and Panda. As banking trojans evolve, we will see them adopt increasingly complex techniques, spread to new regions, and incorporate new languages.

Non-financially motivated attacks

Hacktivism. Anti-establishment, anti-corruption, religion, environmental concerns or perceptions of human rights abuses are the typical drivers cited by hacktivists. In 2016, attacks from these actors typically included DDoS attempts, defacement and data leakage against the websites of companies or organizations. Target lists frequently identified banks or other organizations within the financial sector that were considered responsible for financing activities, as in the case of OpNoDAPL, online attacks organized in reaction to construction of the Dakota Access Pipeline (DAPL). Based on this model, the financial services sector will remain a target.

Ideologically-driven insiders. The most notable example in 2016 was the “Panama Papers” data breach that detailed financial and attorney-client information for more than 210,000 offshore entities. The whistleblower, known only as “John Doe,” cited income inequality as his motivation for disclosing the data. As long as there are perceptions of financial institutions being involved in corruption or malfeasance, and the assurance of anonymity for the whistleblower, the threat of an ideologically-motivated insider disclosing sensitive corporate information to the public is likely to remain.

Intelligence gathering. Multiple cyber-espionage campaigns targeting the financial services industry were detected in 2016, including the Patchwork (aka Dropping Elephant) and OilRig campaigns. In these types of operations, actors seek obscurity to maintain the persistence necessary to fulfill their intelligence gathering requirements. Financial institutions are targeted as a means of collecting strategic or economic intelligence on a rival nation. Information gathering tools are in constant development, and social engineering and spear-phishing will likely remain the most successful attack vectors.

Whatever the motivation, successful attacks can have widespread and damaging impact for not only the financial institution but customers, industries and nations at large. It’s clear that financial services firms must continue their quest for better threat protection and risk mitigation. By understanding which malicious actors may target an institution, why, and their methods of attack, financial institutions can gain insights into how to focus their security resources and reduce their digital risk.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
