Nation States Targeting Banks as Cyber Threat Evolves

Attacks linked to the Iranian and North Korean governments that have specifically targeted financial institutions show that banks are increasingly becoming targets in disputes that stem from political actions, said William Carter, deputy director of the technology policy program at the Center for Strategic International Strategies.

“We saw a really significant moment in 2011 to 2013, when the Iranian government started launching the Operation Ababil distributed denial-of-service (DDoS) attacks on banks in the United States,” Carter said. “It was one of the largest coordinated DDoS campaigns ever, and it was one of the first instances of a nation-state systematically targeting a private-sector institution to cause damage and disruption. It was a very significant moment.”

Institutions targeted in the attacks, which forced services offline for many institutions, included tier-one US banks and national stock exchanges.

“If you’re talking about a change that should make every financial institution absolutely terrified, that should be it,” he continued.

Carter was presenting the results of research published on October 2, in a session during the 2017 Sibos conference, held in Toronto.

“North Korea is really the only one we’ve seen doing it at scale for financial gain thus far, but one interesting thing is that there are about 150 countries with less GDP than North Korea, and more connectivity. If any of them are inspired by North Korea and think, ‘Hey, I could use some government revenue, this seems relatively easy,’ it actually can be done,” Carter said.

He referenced the DarkSeoul campaign by North Korea against Republic of Korea banks, which also introduced a new element into ongoing cyber-attacks launched by both nation states and criminal organizations, including the Carbanak Gang, which is alleged to have stolen between $500 million and $1 billion from financial institutions and customers through sophisticated phishing and infiltration campaigns.

The interesting thing about DarkSeoul, Carter said, is that “none of the malware was original.”

“It was all adaptations of malware that had been used in previous attacks, including much of the original code—since modified multiple times—that was created by Western intelligence agencies to use against countries like Iran, North Korea and each other,” he said.

This highlights the fact that criminal gangs, as well as nation states, are increasingly using tools at the same level of sophistication. Some of these even derived from Western intelligence agencies.

“That highlights a second point, which is that you’re starting to see groups like the Carbanak Gang launching a completely different level of attack,” he said. “There’s a couple of reasons for this, but an important one is that what were once nation-state-level capabilities are now available to criminals.”

Many of these attacks are still targeted at commercial banks. However, financial market infrastructures are increasingly being targeted by DDoS attacks and more sophisticated threats, Carter said, in response to a question from WatersTechnology.

“Financial market infrastructures are certainly being targeted, and one of the things that really scares, for example, major stock exchanges, is DDoS, because denial of access to your data is a real problem for them. Actually, the biggest threat they’re grappling with is data integrity. So, if you’re thinking about something like a stock market, you need to be able to trust the price that you’re being quoted, and trust the order flow, so they’re really concerned about that,” he said.