Insights: The financial sector remains a popular target for cybercriminals

Financial institutions continue to be targeted by hackers around the world, many of whom primarily want to extort ransom money. Due to their financial power and networking, these kinds of institutions are therefore a worthwhile target. When it comes to defending against attacks, whether it’s espionage or ransomware, the better the attackers’ strategies are known, the more effectively they can be warded off. Mandiant’s latest M-Trends 2022 report, based on frontline investigations and remediations of high-impact cyber-attacks worldwide, confirms that commercial and professional services and the financial sector were the most frequent targets of cyber attackers throughout 2021 (14 per cent each). We continue to see these same industries targeted across the globe every year. The top two reasons: advanced digital transformation and increasingly important connectivity. These factors increase the threat landscape, and the more intertwined the financial sector’s internal computer networks are, the more vulnerable they become to attacks from outside. The good news is that by understanding the latest information about potential attackers in detail and the techniques, tactics and procedures they use, security leaders can tackle the problem head on.

Cybersecurity has become a C-level matter
In recent years, the focus of many hacker groups has shifted. Especially in the financial sector, they use ransomware most frequently. After gaining access to an organization’s computer networks, they encrypt important data or entire systems and take them “hostage.” Subsequently, the affected institutions receive a ransom demand. In the past, such ransomware attacks were often the result of malware spamming, i.e., the mass distribution of malware, but now a new pattern can be identified: targeted attacks on carefully selected institutions are sometimes prepared for months.

This is changing the way financial organisations should look at the issue. It is no longer a random, singular event when they are targeted by cyber criminals. Rather, it is a strategic problem. As a result, the responsibility in institutions is also changing: Cyber security is not only an issue for the IT department, but also for top executives up to the board of directors and supervisory board level.

The most important threats for the financial sector
Once again, the tried-and-true rule applies to threat prevention: know your enemies better than they know themselves. While cyber criminals change their tactics regularly, it is still possible to identify very specific patterns. Those who know these patterns, for example by drawing on threat intelligence expertise, i.e., knowledge of attackers’ modus operandi, can prioritise on the right things and pull the right levers to protect their networks from the biggest threats.

Attack tactic number one: Ransomware attacks on the rise
Financially motivated attacks continued to account for a high proportion of attacks in 2021, as in previous years. According to our report – 3 out of 10 attacks sought monetary gain. This involved methods such as extortion, ransom, payment card theft, and illicit transfers. Hackers take a long time to prepare for ransomware attacks. They often move around their victims’ networks unnoticed for a long time until they finally strike. They get to know the systems in detail and identify the network areas that are vital to the organisation’s survival and whose manipulation is particularly painful. The ransom can be correspondingly high, and we’ve seen these extortion fees rising dramatically year on year recently. At times, hackers also seek out insiders from within the organisation to give them access.

We’re also seeing an increase in specialised hacker groups banding together to take maximum advantage of their respective strengths and carry out even more complex attacks too, such as supply chain compromises. This cooperation can become a problem if the individual groups fight even though the ransom has already been paid. We should not expect honor among thieves: sometimes the promised release of the stolen data doesn’t take place and the extorted institution becomes the collateral damage of an internal hacker conflict.

Multifaceted extortion attempts damage the reputation of credit institutions
Another trend is that ransomware attacks are increasingly being planned as multifaceted extortion attempts. Encrypting important systems is only the first stage of the attack. The second stage is the threat to publish secret information. This leads to a strategic significance for the blackmailed institution: if hackers directly alert the press and the public to the fact that they are in possession of important information that is also compromising for the institution’s customers, with the potential to cause lasting damage to its reputation. Announcing the disclosure of sensitive information can be more dangerous than a discreetly handled extortion. Here, financial companies then have to deal with an interdisciplinary defense battle that includes not only the IT department and the board of directors, but also public relations and the legal department, amongst others.

Other tactics: from zero-day exploits to web skimming
Apart from ransomware attacks, different hacker groups often use the following attacks when looking to target the financial sector:
• Zero-day exploits are usually very simple security vulnerabilities in software, but the organisation is not yet aware of them and therefore there is no patch or update for them. Hackers use their knowledge advantage to infiltrate malware into the network via the vulnerability. Chinese hacker groups in particular have repeatedly exploited such vulnerabilities in the past, even to penetrate networks of government organisations.
• Supply chain attacks are one of the newer trends. The increasing specialisation of attackers and the merging of individual hacker groups with different skills have opened up new opportunities for them. Instead of attacking a bank, for example, a company whose software is used by as many credit institutions as possible is infiltrated. The hacker then penetrates many other institutions via this supply chain. You could say that instead of getting the key to one company, the hackers steal the master key. One well-known example came at the end of 2020: the break-in by suspected Russian hackers into several government and corporate networks via a backdoor in the software of the IT company SolarWinds.
• In web skimming, hackers phish customers’ payment details from web stores or payment sites and then steal money from them. This is usually done via a supply chain attack, where the malicious code is executed on the e-commerce merchant’s website via a previously infiltrated third-party vendor. Since their customers’ banking data is stolen in this way, the credit institutions themselves are also affected by this attack.
• The theft of cryptocurrencies is interesting to hackers in two ways: they steal the currency to enrich themselves, but they also use the hard-to-trace movements of cryptocurrencies to launder money with it. The victims of these thefts are not only owners of Bitcoin, Ethereum and Co. but also their issuers.

Countermeasures and conclusion: Credit institutions can defend themselves
Hackers often attack computer systems in several phases. They need to locate an entry point, find the right subsystems, steal and encrypt data, introduce malware, and only then can they strike the big blow. These steps can be called the “attack lifecycle.” To intercept the attacks of the different phases, the counter-response should also be multi-stage. For example, by providing the networks with different barriers that prevent the hackers from igniting the next stage of their attack plan. This is possible, for example, by means of a systematic risk assessment of the bank’s own IT infrastructure and the subsequent installation of individually selected cyber security solutions. Knowing how active hacker groups operate on the scene enables IT security specialists to better immunise financial organisations against infiltrated malware – and empower them to protect their systems. By bringing in external experts, security leaders can ensure that they are testing those systems and getting the know-how they need to counter an increasingly sophisticated threat.

This has not only a technical benefit, but also an important psychological one: Credit institutions are then no longer victims, but active players who strengthen their cyber resilience and sustainably protect their sensitive data – and that of their customers.

Jamie Collier is the senior threat intelligence advisor at Mandiant

Read: Google to acquire cybersecurity firm Mandiant for $5.4bn