The Rise of State-Sponsored Attacks Against the Financial Services Industry
Research Report
Threat Intelligence Realized.
Introduction
Since the days of the Wild West, banks and financial institutions have understood that their main threats
are crime groups. Today, even as crime has moved into cyberspace, most financial institutions still believe
these crime groups are their primary adversaries and that their threat landscape has remained
the same. The main reason for this lies in a simple equation: crime groups like money, and banks have it.
But over the past few years we have started to see a change in the landscape, as banks and financial
institutions have become targets for state-sponsored APT groups. These state-sponsored actors receive
direction, funding, or technical assistance from a nation-state to advance that nation's interests. Instead
of being motivated by money, they prefer to steal and exfiltrate intellectual property, sensitive personally
identifiable information (PII), and military and financial secrets.
Before the Internet, it was extremely difficult for another country to attack banks or financial institutions. But
as the cyberworld has emerged, it has put the private sector within reach of nation-state attackers, and it is
changing how companies must defend against these threats. In this report we explore the reasons for
this shift, from the purely financial motives of common criminals to the highly sophisticated and well-equipped
APT groups and what they gain besides money.
The Fastest Growing Threat: State-Sponsored Cybercrime
It's not just governments that are feeling the disastrous effects of state-sponsored cyber warfare and crime.
Recent discoveries have revealed the existence of, and details on, several government-sponsored hacking
groups around the globe. While most state-sponsored APT groups target other governments and militaries for
intelligence collection, in the last few years we have started to see more activity directed towards the financial
sector. In fact, the financial sector is every bit as much at risk, and often doesn't have the same level of defenses in
place that governments can afford.
Although banks and other financial institutions are private businesses, state-sponsored APT groups still see
them as symbols that represent the country, and attacking them serves the interests of the groups' sponsoring
state.
Recent Attacks Against the Financial Services Industry
Financial cyberattacks are not a novelty. The moment they had the capabilities, governments around the
world started using cyberspace for intelligence gathering and espionage. As access extended to the general
population, people started hacking, forming groups and developing more sophisticated attack methods.
Attributing attacks to any specific group or state is very difficult, and is usually based on allegation rather than
proven evidence. Hacking groups are modular and separated into specialized divisions, with each department
responsible for a different side of the operation. Security companies coin names for groups and
incidents; the groups don't necessarily refer to themselves that way. No country has come forward and said
"We did this, those are our guys", with the exception of non-state-sponsored groups and hacktivists.
As a result, the conclusions researchers reach come from correlations between the tools used, similar
techniques and strategies, and analysis of digital footprints. While it's usually hard to prove state-sponsored
involvement in a cyberattack, there are a few examples where we can connect an attack to a nation-state.
See the appendix for a timeline and overview of recent attacks (both cybercrime and state-sponsored) against financial organizations.
Carbanak Connection to the Russian FSB
Carbanak APT (named for the Carbanak backdoor, an evolution of Carberp) is a Russia-based criminal group
that, since 2013, has been responsible for the theft of over $1 billion worldwide. There is no evidence
of ties to the Russian government except for one episode in 2015. As reported by Trend Micro, one of the
Carbanak Trojan's command and control servers, the domain systemsvc.net (Figure 1), began to resolve to the
IP address 213.24.76.23 (Figure 2). This IP address is under ASN AS8342 RTCOMM-AS OJSC RTComm.ru,
and its registered location is Moscow, Federal Security Service of Russian Federation (Figure 3). It's hard to believe that
the Federal Security Service itself would point a malicious domain at an IP address connected to the FSB. It is possible that
the owner of the domain did it as a prank. It still might be a case of gross negligence.
[Figures 1-4: screenshots of the domain, IP address and ASN lookup records described above; Figure 3 shows the registered location "Federal Security Service of Russian Federation".]
The Anatomy of a State-Sponsored APT Group Attack
The modus operandi of state-sponsored APT groups is not very different from that of cybercriminals looking
for financial gain. In most cases, it involves phishing campaigns that try to trick people into logging into
their online bank accounts and, in doing so, giving up their credentials. Attackers develop viruses and bots
that deliver remote access and administrative tools to the victims' computers, allowing the bot masters
to harvest all the data. National intelligence services began to employ many of the tools and techniques
those early criminals developed, using the Internet as a conduit for advancing their intelligence-gathering
capabilities. In a state-sponsored APT group attack, the intruders break into a network, implant advanced
malware, and sustain an indiscernible presence until they are able to siphon off the targeted data. Typically,
an APT involves the following phases:
1. Target Selection: State-sponsored APT groups usually choose their specific target based on their needs and on how it will serve their national interests.
2. Reconnaissance and Intelligence Gathering: Once the target is identified, the APT group will research it as if they were doing a Ph.D., and use various surveying tools to create a blueprint of the target's IT infrastructure. This involves mapping its sites, network topology, domain, internal DNS and DHCP servers, internal IP address ranges, and any other exploitable ports or services.
3. Malware Engineering / Ammunition / Preparing for the Attack: As in any military operation, the attacking forces prepare their arsenal of tools, which in this case is usually malware and methods tailored to the target's weaknesses.
4. Initial Attack: The attackers usually phish the target company's employees into downloading the malware. Alternatively, they might exploit zero-day vulnerabilities in software used by employees.
5. Gaining Admin Access: In almost all cases, the hackers attempt to steal the local administrator credentials of the victim's computer (and eventually domain-level admin credentials), since some of their malware requires an admin-level operational context.
6. Expansion of Compromised Access: In most cyberattacks, threat actors prefer to compromise more systems and users in order to maximize their success rate in harvesting the target data.
7. Covering Their Tracks: Once the threat actors have accomplished their goal and the attack objectives, they make sure not to leave any telltale signs of their covert operation. In some cases, the threat actor will try to leave an open backdoor for future use.
Appendix: Cybercrime Group Attacks
Date | Targeted Entity | Country | Attacker | Tactics | Damages
January 2016 | HSBC UK | UK | Unknown | DDoS | Disruption of service
May 2016 | Central Bank of Cyprus | Cyprus | Unknown | DDoS | Disruption of service
June 2016 | Bank of Indonesia | Indonesia | Unknown | DDoS | Disruption of service
June 2016 | Bank of Korea | Korea | Unknown | DDoS | Disruption of service
June 2016 | Undisclosed Ukrainian bank | Ukraine | Unknown | Unknown (SWIFT system compromised) | $10m
July 2016 | Citibank | USA | Internal threat | N/A | Disruption of service
October 2016 | SBI, HDFC Bank, ICICI, YES Bank and Axis Bank | India | Unknown | Supply chain (Hitachi Payment Systems compromised) | 3.2m credit cards compromised; actual money loss unknown
November 2016 | Tesco Bank | UK | Unknown | Debit card design flaw | $3.2m
November 2016 | Sberbank (and 4 more undisclosed) | Russia | Unknown | DDoS | Disruption of service
December 2016 | VTB | Russia | Unknown | DDoS | Disruption of service
January 2017 | Lloyds Banking Group | UK | Unknown | DDoS | Disruption of service
February 2017 | Unknown Polish banks | Poland | Unknown | Watering hole | Unknown
February 2018 | Sheffield Credit Union | UK | Unknown | Unknown | Sensitive information theft (15,000 customers)
February 2018 | City Union Bank | India | Unknown | Unknown | $2m
May 2018 | Banxico | Mexico | Unknown | Unknown | $20m
May 2018 | Bank of Montreal, Canadian Imperial Bank of Commerce | Canada | Unknown | Unknown | Sensitive information theft (90,000 customers)
Appendix: State-Sponsored APT Group Attacks
Date | Targeted Entity | Country | Attacker | Tactics | Damages
January 2015 | Banco del Austro | Ecuador | Hidden Cobra | Social engineering + custom-built malware | $12m
December 2015 | Tien Phong Bank | Vietnam | Hidden Cobra | Social engineering + custom-built malware + supply chain | None
February 2016 | Central Bank of Bangladesh | Bangladesh | Hidden Cobra | Social engineering + custom-built malware | $81m
April 2016 | Credit Dnepr Bank | Ukraine | Carbanak | Unknown | $950k
April 2016 | Unnamed bank in Hong Kong | China | Carbanak | Unknown | Unknown
June 2016 | Undisclosed bank | Russia | Carbanak | Social engineering | Unknown
July 2016 | First Bank | Taiwan | Carbanak | Social engineering | $2.18m
November 2016 | Undisclosed bank | Kazakhstan | Carbanak | Unknown | $600k
October 2017 | FEIB | Taiwan | Hidden Cobra | Social engineering + custom-built malware | $500k
December 2017 | Globex Bank | Russia | Carbanak | Unknown | $6m
January 2018 | Bancomext | Mexico | Hidden Cobra | Unknown | None
July 2018 | PIR Bank | Russia | MoneyTaker | Misconfigured router + custom-built malware | $1m
May 2018 | Banco de Chile | Chile | Hidden Cobra | Unknown | $10m
August 2018 | Cosmos Bank | India | Hidden Cobra | Unknown | $11.5m
About IntSights
IntSights is redefining cyber security with the industry's first and only enterprise threat management platform that transforms tailored threat intelligence into automated security operations. Our ground-breaking data-mining algorithms and unique machine learning capabilities continuously monitor an enterprise's external digital profile across the surface, deep and dark web, categorize and analyze tens of thousands of threats, and automate the risk remediation lifecycle — streamlining workflows, maximizing resources and securing business operations. This has made IntSights one of the fastest growing cyber security companies in the world. IntSights has offices in Tel Aviv, Amsterdam, New York and Dallas and is backed by Glilot Capital Partners, Blumberg Capital, Tola Capital, Blackstone and Wipro Ventures. To learn more, visit www.intsights.com.
We'd like to thank the following authors who contributed to this report:
Andrey Yakovlev, Security Researcher, IntSights
Itay Kozuch, Director of Threat Research, IntSights