VMware’s Head of Cybersecurity Strategy Discusses Modern Bank Heists
Digital Bank Heists – Because That’s Where the Money Is Today
The financial sector is in the crosshairs of criminal cartels and nation-state actors. Criminals seek a lucrative market, and nation-states treat profit as a form of sanctions-busting.
The high volume of Russian-speaking gangs, combined with the current sanctions against the Russian state, makes Russia a major threat to financial institutions – albeit not the only one.
Modern Bank Heists 5.0 (PDF) is the fifth iteration of an annual report on security in the finance sector written by Tom Kellermann, head of cybersecurity strategy at VMware. Kellermann has a keen interest in the subject since writing the first book on finance and security, Electronic Safety and Soundness, Securing Finance in a New Age, back in 2005. This report focuses on the current opinions and experience of the industry’s top CISOs and security leaders.
There are six primary takeaways from the respondents to the report: increasing destructive attacks (up 14 points to 63%); attacks targeting market strategies (66%); a high level of ransomware attacks (74% – 63% of which were paid); concern over the security of cryptocurrency exchanges (83%); a large increase in island hopping attacks (60%, up from 2% last year); and a planned 20% to 30% increase in security spending.
Explaining the takeaways
The reason that financial institutions are under constant attack is simple: that’s where the money is today. The attackers comprise advanced criminal gangs (often part of a larger cartel) and nation-states. The nation-state attackers are, in particular, North Korean or Russian, where the proceeds are used to offset sanctions. “According to the World Economic Forum,” Kellermann told SecurityWeek, “the proceeds associated with the dark web are more than $1 trillion per year – and I would estimate that more than 50% of that goes right back into the Russian economy.”
The complexity of the Russian threat comes from the connections between the criminal cartels and the Russian state agencies. Consider ransomware. “Most of the ransomware gangs are Russian speaking, which is why most ransomware won’t detonate on anything that has a Russian language package,” he said. “But in order to exist as a ransomware gang, typically part of a larger cybercrime cartel, you have to pay homage to the GRU [the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation] and the FSB [the Federal Security Service of the Russian Federation].”
The way you do that is to share your information – or more specifically, access to the remote access trojan (RAT) you left behind. And if called upon to be patriotic, you may be asked to be more destructive in your endeavors within the financial institutions. ‘Destructive’ in the finance sector does not mean the deployment of a wiper to destroy systems, but manipulation of the data to make it wrong or worthless.
“The Russian government doesn’t want to take down the financial sector, because they are regularly robbing it to offset economic sanctions,” explained Kellermann. “What they will typically do is leverage destructive attacks as part of counter incident response when they realize that law enforcement has become involved.”
While ransomware is up this year, it doesn’t represent the primary source of income for the criminals. That income comes from market manipulation through the abuse of stolen financial information. “Imagine,” Kellermann told SecurityWeek, “if you knew what the UBS position would be on the international currency exchanges, and if you could take that position before UBS took that position – imagine how wealthy you could become.”
Financial acumen might help with malicious digital insider trading, but it is far from necessary. “Understand that non-public market information is worth more than money,” he said. “As long as they have a portfolio and a relationship with a rogue financial institution – that may be connected to the regime – you can benefit from understanding non-public market information.”
A simple way of getting this information is to target the laptops used by the people that manage the portfolios and market strategies of the financial institutions. Criminals can spy on them until they see a major position about to be taken, or find a presentation that will be made to the senior management.
“Part of the problem,” said Kellermann, “is that within a financial institution there’s always a surveillance department that conducts traditional surveillance for regulatory compliance on everyone who conducts finance. But there is a disconnect between the surveillance department and the cybersecurity department. The surveillance department is looking for a traditional insider threat rather than a digital insider threat. Tom might not have been a threat, but there was something on his machine that was a threat.”
One of the biggest year-on-year changes noted by the report is the growth of what Kellermann calls island hopping from 2% to 60%. Kellermann prefers ‘island hopping’ to ‘supply chain’ because in the finance sector there is no clearly defined end target – each hop opens multiple new possibilities, and the criminals don’t stop hopping. At the same time, the largest single concern, at 83% of the respondents, is the security of cryptocurrency exchanges. The two issues are related.
The concern over cryptocurrency exchange security is not because they are financial institutions, but precisely because, in the technical sense, they are not financial institutions. In short, they are not controlled or regulated in the same way as official financial institutions. “The security of crypto exchanges is minimal because of an over-reliance on the security of blockchains – which is a fallacy,” said Kellermann. “Many of these exchanges understand that they’re complicit in the laundering of cybercriminal proceeds, and they just turn a blind eye to it because they don’t have any reporting requirements.”
But at the same time, the financial institutions are moving to fintech through digital transformation. “The financial institutions are trying to become part of the new digital world – they’re partnering with these exchanges and virtual currencies to facilitate adoption and greater liquidity for proceeds from retail customers.” Where this becomes interesting and potentially damaging is in the use of APIs between the two organizations, and the ongoing surge in API attacks. As a result, the poor security posture of a crypto exchange could lead to island hopping via an API into the financial institution.
“God forbid you get in bed with the wrong exchange,” said Kellermann. “You could become a victim of cybercrime and worse because of the nature of that digital feature that exists between you and the exchange.”
The way forward
Kellermann notes that 80% of the CISOs at financial institutions still report to the CIO. He believes this is a mistake. “If there was ever an industry that necessitates the CISO to be more significant than the CIO, it is finance,” he told SecurityWeek. “There is a conflict of interest for a CIO to be managing a CISO in the financial sector. The charter of financial institutions is safety and soundness and trust and confidence. But in the age of digital transformation for financial institutions, the CIO will inherently increase the attack surface. The CISO is more concerned with risk management – and risk management should be the dominant paradigm in finance.”
He points to CISA’s Shields Up guidance, where the need to empower CISOs is the top recommendation for corporate leaders and CEOs to better protect their organizations. “The current standards of cybersecurity in the financial sector are not taking into account how evolved and organized the cybercrime cartels have become,” he said. That needs to change.