
The financial sector remains a prime target for cybercriminals

Financial institutions continue to be targeted by hackers around the world, many of whom are primarily interested in extorting ransom money. Because of their financial power and their networking, these institutions constitute an attractive target. When it comes to defending against attacks, whether eavesdropping or ransomware, the better attackers’ strategies are known, the more effectively they can be parried. Mandiant’s latest M-Trends 2022 report, based on frontline investigations and remediation of high-impact cyberattacks around the world, confirms that business and professional services and the financial sector were the most frequent targets of cyberattackers throughout 2021 (14% each). We continue to see these same industries targeted across the globe every year. There are two main reasons: advanced digital transformation and increasingly important connectivity. These factors expand the threat landscape, and the more the financial industry’s internal IT networks are intertwined, the more vulnerable they become to attack from the outside. The good news is that by fully understanding the latest information about potential attackers and the tactics, techniques and procedures they use, security managers can tackle the problem head-on.

Cybersecurity has become a C-level business
In recent years, the focus of many hacker groups has shifted. Especially in the financial sector, they most often use ransomware. After gaining access to an organization’s computer networks, they encrypt important data or entire systems and take them “hostage”. The institutions concerned then receive a ransom demand. In the past, these ransomware attacks were often the result of malware spamming, i.e. the mass distribution of malware, but a new pattern can now be identified: attacks targeted at carefully selected institutions are sometimes prepared for months.

This changes the way finance organizations should approach the issue. Being targeted by cybercriminals is no longer a random, one-off event; it is a strategic problem. As a result, accountability within institutions is also changing: cybersecurity is not only an issue for IT, but also for senior management, up to the board of directors and the supervisory board.

The most important threats to the financial sector
Again, the tried and true rule applies to threat prevention: know your enemies better than they know themselves. Although cybercriminals regularly change their tactics, it is always possible to identify very specific patterns. Those familiar with these patterns, for example by relying on threat intelligence expertise, i.e. knowledge of attackers’ modus operandi, can prioritize the right things and pull the right levers to protect their networks from the biggest threats.

Attack tactic number one: ransomware attacks are on the rise
Financially motivated attacks continued to represent a high proportion of attacks in 2021, similar to previous years. According to our report, 3 out of 10 attacks were for monetary gain. This involved methods such as extortion, ransom, stealing payment cards and illicit transfers. Hackers take a long time to prepare for ransomware attacks. They often move through their victims’ networks unnoticed for a long time until they finally strike. They know the systems in detail and identify the areas of the network that are essential to the survival of the organization and whose manipulation is particularly painful. The ransom demanded can be correspondingly high, and we have seen these extortion fees increase significantly year on year recently. Sometimes hackers also look for insiders within the organization to give them access.

Jamie Collier, Senior Threat Intelligence Advisor, Mandiant

We are also seeing an increase in the number of specialized hacker groups banding together to make the most of their respective strengths and carry out even more complex attacks, such as supply chain breaches. This cooperation can become a problem for the victim if the individual groups fight each other even after the ransom has been paid. Do not expect honor among thieves: sometimes the promised deletion of the stolen data does not take place, and the extorted institution becomes the collateral damage of an internal conflict among the hackers.

Multifaceted extortion attempts damage the reputation of credit institutions
Another trend is that ransomware attacks are increasingly planned as multifaceted extortion attempts. Encrypting important systems is only the first step of the attack. The second stage is the threat to publish secret information. This takes on strategic significance for the blackmailed institution when hackers directly alert the press and the public that they possess important information that is also compromising for the institution’s clients, with the potential to cause lasting damage to its reputation. Announcing the disclosure of sensitive information can be more dangerous than a quietly managed extortion. Financial companies must then face an interdisciplinary defense battle that involves not only the IT department and the board of directors, but also the public relations and legal departments, among others.

Other tactics: from zero-day exploits to web skimming
In addition to ransomware attacks, different hacker groups often use the following attacks when seeking to target the financial industry:
• Zero-day exploits are usually very simple security vulnerabilities in software, but the organization is not yet aware of them and therefore no patch or update exists for them. Hackers use their knowledge advantage to infiltrate malware into the network through the vulnerability. Chinese hacker groups in particular have repeatedly exploited such vulnerabilities in the past, even to penetrate the networks of government organizations.
• Supply chain attacks are one of the new trends. The increasing specialization of attackers and the merging of groups of individual hackers with different skills have opened up new opportunities for them. Instead of attacking a bank directly, for example, they infiltrate a company whose software is used by the greatest number of credit institutions. The hacker then enters many other institutions through this supply chain. You could say that instead of obtaining one company’s key, hackers steal the master key. A well-known example occurred in late 2020: the intrusion by suspected Russian hackers into several government and corporate networks via a backdoor in software from the IT company SolarWinds.
• In the case of web skimming, hackers hijack customers’ payment details from online stores or payment sites and then steal money from them. This is usually done via a supply chain attack, where the malicious code is executed on the e-commerce merchant’s website via a previously infiltrated third-party vendor. Because their customers’ bank data is stolen in this way, the credit institutions themselves are also affected by the attack.
• Cryptocurrency theft appeals to hackers in two ways: they steal the currency to get rich, but they also use the hard-to-trace movements of cryptocurrencies to launder money. The victims of these thefts are not only the owners of Bitcoin, Ethereum and the like, but also their issuers.

Countermeasures and conclusion: credit institutions can defend themselves
Hackers often attack computer systems in several phases. They have to locate an entry point, find the right subsystems, steal and encrypt data, introduce malware, and only then can they strike the big blow. These stages can be called the “attack life cycle”. To intercept attacks at their different phases, the counter-response must also be multi-staged, for example by equipping the networks with different barriers that prevent hackers from triggering the next stage of their attack plan. This is possible, for instance, by means of a systematic risk assessment of the bank’s IT infrastructure and the subsequent installation of individually selected cybersecurity solutions. Knowing how active hacker groups operate on the ground allows IT security specialists to better immunize financial organizations against infiltrating malware and empowers them to protect their systems. By bringing in outside experts, security managers can ensure that these systems are tested and gain the know-how they need to counter an increasingly sophisticated threat.

This not only has a technical advantage, but also a significant psychological one: credit institutions are then no longer victims, but active players who strengthen their cyber-resilience and durably protect their sensitive data – and that of their customers.

Jamie Collier is the Senior Threat Intelligence Advisor at Mandiant
