VMware’s Head of Cybersecurity Strategy Discusses Modern Bank Heists

Digital Bank Heists – Because That’s Where the Money Is Today

The financial sector is in the crosshairs of criminal cartels and nation-state actors. Criminals seek a lucrative market, and nation-states treat profit as a form of sanctions-busting. 

With the high volume of Russian-speaking gangs and the current sanctions against the Russian state, this makes Russia a major threat to financial institutions – albeit not the only one.

Modern Bank Heists 5.0 (PDF) is the fifth iteration of an annual report on security in the finance sector written by Tom Kellermann, head of cybersecurity strategy at VMware. Kellermann has a keen interest in the subject since writing the first book on finance and security, Electronic Safety and Soundness, Securing Finance in a New Age, back in 2005. This report focuses on the current opinions and experience of the industry’s top CISOs and security leaders.

There are six primary takeaways from the respondents to the report: increasing destructive attacks (up 14 points to 63%); attacks targeting market strategies (66%); a high level of ransomware attacks (74%, 63% of which were paid); concern over the security of cryptocurrency exchanges (83%); a large increase in island hopping attacks (60%, up from 2% last year); and a planned 20% to 30% increase in security spending.

Explaining the takeaways

The reason that financial institutions are under constant attack is simple: that’s where the money is today. The attackers comprise advanced criminal gangs (often part of a larger cartel) and nation states. The nation state attackers are particularly North Korean or Russian, where the proceeds are used to offset sanctions. “According to the World Economic Forum,” Kellermann told SecurityWeek, “the proceeds associated with the dark web are more than $1 trillion per year – and I would estimate that more than 50% of that goes right back into the Russian economy.”

The complexity of the Russian threat comes from the connections between the criminal cartels and the Russian state agencies. Consider ransomware. “Most of the ransomware gangs are Russian speaking, which is why most ransomware won’t detonate on anything that has a Russian language package,” he said. “But in order to exist as a ransomware gang, typically part of a larger cybercrime cartel, you have to pay homage to the GRU [the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation] and the FSB [the Federal Security Service of the Russian Federation].”

The way you do that is to share your information – or more specifically, access to the RAT you left behind. And if called upon to be patriotic, you may be asked to be more destructive in your endeavors within the financial institutions. ‘Destructive’ in the finance sector does not mean the deployment of a wiper to destroy systems, but manipulation of the data to make it wrong or worthless.


“The Russian government doesn’t want to take down the financial sector, because they are regularly robbing it to offset economic sanctions,” explained Kellermann. “What they will typically do is leverage destructive attacks as part of counter incident response when they realize that law enforcement has become involved.”

While ransomware is up this year, it doesn’t represent the primary source of income for the criminals. This comes from market manipulation through the abuse of stolen financial information. “Imagine,” Kellermann told SecurityWeek, “if you knew what the UBS position would be on the international currency exchanges, and if you could take that position before UBS took that position – imagine how wealthy you could become.”

Financial acumen might help with malicious digital insider trading, but it is far from necessary. “Understand that non-public market information is worth more than money,” he said. “As long as they have a portfolio and a relationship with a rogue financial institution – that may be connected to the regime – you can benefit from understanding non-public market information.”

A simple way of getting this information is to target the laptops used by the people that manage the portfolios and market strategies of the financial institutions. Criminals can spy on them until they see a major position about to be taken, or find a presentation that will be made to the senior management.

“Part of the problem,” said Kellermann, “is that within a financial institution there’s always a surveillance department that conducts traditional surveillance for regulatory compliance on everyone who conducts finance. But there is a disconnect between the surveillance department and the cybersecurity department. The surveillance department is looking for a traditional insider threat rather than a digital insider threat. Tom might not have been a threat, but there was something on his machine that was a threat.”

One of the biggest year-on-year changes noted by the report is the growth of what Kellermann calls island hopping from 2% to 60%. Kellermann prefers ‘island hopping’ to ‘supply chain’ because in the finance sector there is no clearly defined end target – each hop opens multiple new possibilities, and the criminals don’t stop hopping. At the same time, the largest single concern, at 83% of the respondents, is the security of cryptocurrency exchanges. The two issues are related.

The concern over cryptocurrency exchange security is not because they are financial institutions, but precisely because, in the technical sense, they are not financial institutions. In short, they are not controlled or regulated in the same way as official financial institutions. “The security of crypto exchanges is minimal because of an over-reliance on the security of blockchains – which is a fallacy,” said Kellermann. “Many of these exchanges understand that they’re complicit in the laundering of cybercriminal proceeds, and they just turn a blind eye to it because they don’t have any reporting requirements.”

But at the same time, the financial institutions are moving to fintech through digital transformation. “The financial institutions are trying to become part of the new digital world – they’re partnering with these exchanges and virtual currencies to facilitate adoption and greater liquidity for proceeds from retail customers.” Where this becomes interesting and potentially damaging is in the use of APIs between the two organizations, and the ongoing surge in API attacks. As a result, the poor security posture of a crypto exchange could lead to island hopping via an API into the financial institution.

“God forbid you get in bed with the wrong exchange,” said Kellermann. “You could become a victim of cybercrime and worse because of the nature of that digital feature that exists between you and the exchange.”

The way forward

Kellermann notes that 80% of the CISOs at financial institutions still report to the CIO. He believes this is a mistake. “If there was ever an industry that necessitates the CISO to be more significant than the CIO, it is finance,” he told SecurityWeek. “There is a conflict of interest for a CIO to be managing a CISO in the financial sector. The charter of financial institutions is safety and soundness and trust and confidence. But in the age of digital transformation for financial institutions, the CIO will inherently increase the attack surface. The CISO is more concerned with risk management – and risk management should be the dominant paradigm in finance.”

He points to CISA’s Shields Up guidance, where the need to empower CISOs is the top recommendation for corporate leaders and CEOs to better protect their organizations. “The current standards of cybersecurity in the financial sector are not taking into account how evolved and organized the cybercrime cartels have become,” he said. That needs to change.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
