Banking CIO Outlook

Analysis of Cyber Warfare in the Financial Industry Since the Beginning of the Conflict in Ukraine

Dobrin Dobrev, Chief Information Security Officer, TBI Bank


Due to the complicated situation in Europe, we are seeing a significant increase in scanning/security exploration activities. This is the first hybrid war where attacks are not only physical, but also on the cyber landscape. Currently, we can distinguish attacks on various sites and financial institutions which began shortly before the first attacks in Ukraine. A few days before the Russian invasion, many Ukrainian banks were under attack. The main vectors were online banking and ATMs. Immediately after the start of the war two separate fronts were formed – groups supporting Russian activities and groups organized on social media supporting Ukraine.

The volunteer groups consist of a range of actors, from users with basic skills to experienced and skilled attackers. Organizing a simple attack such as a DDoS requires only basic skills. Volunteers with a richer technical background were also attracted, including people familiar with platforms such as Cobalt Strike, Snort and Evilginx. Two main types of attacks were commonly used in the region: attacks aimed at taking services offline for a period of time, and information gathering.

Furthermore, a new type of malware was identified. The first samples were discovered on Feb 23. This malware bypasses Windows security features and gains access to many low-level data structures on the disk. Quite quickly it compromised a large number of machines in Ukraine, but also in Latvia and Lithuania. Recovery from this type of attack is very difficult, as it destroys all data stored on the disks. We also observed an increase in targeted phishing campaigns aimed at compromising hosts; in fact, there is a 15-fold increase in targeted campaigns compared to the same period last year. On the darknet, many databases of usernames and passwords were published that can be used in further targeted attacks.

The presented output shows the malicious activity and scanning identified in the last 30 days. Different countries have been used as proxies for targeted attacks; examples include China, Russia, Vietnam, the USA and Iran.
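The scanning activity described above is usually first visible in firewall deny logs as a single source touching many destination ports in a short time. The following is an added example (not code from the article or from TBI Bank) that parses constructed deny-log lines in an assumed format, `<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>`, and flags any source that probes more than a threshold of distinct ports within a sliding time window. The format, thresholds and sample addresses are assumptions for the example only.

```python
"""Flag sources whose denied connections look like port scanning.

Added example, not the article's own tooling. Log format and thresholds are
assumptions: each line is '<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>'.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_scanners(lines, port_threshold=20, window_seconds=60):
    """Return {src: max distinct destination ports seen in any window} for
    sources that reached port_threshold distinct ports within window_seconds."""
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    records.sort(key=lambda r: r[0])  # logs may arrive out of order
    windows = defaultdict(deque)  # per-source sliding window of (ts, dport)
    flagged = {}
    for ts, src, _dst, dport in records:
        q = windows[src]
        q.append((ts, dport))
        cutoff = ts - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:  # drop events that fell out of the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= port_threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def sample_log():
    """Constructed deny-log lines using RFC 5737 documentation addresses:
    one source sweeps 30 ports in 30 seconds, another retries port 443 a few times."""
    base = datetime(2022, 3, 1, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DENY src=203.0.113.5 dst=192.0.2.10 dport={1000 + i}")
    for i in range(3):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} DENY src=198.51.100.7 dst=192.0.2.10 dport=443")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for src, ports in detect_scanners(sample_log()).items():
        print(f"possible scanner {src}: {ports} distinct ports within the window")
```

The sliding window keeps memory bounded per source and makes the rule robust to slow scans only up to the chosen window; tune `window_seconds` and `port_threshold` against your own baseline before alerting on it.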

The trend of increasing attacks on the cyber market is expected to continue, together with the disclosure of new vulnerabilities. Supply chain attacks will remain a major issue. Targeted attacks will be aimed at remote workers and individuals, as they can be compromised more easily. Large companies are beginning to invest more in security by acquiring comprehensive protection systems and educating their teams. The most widely used protection tools at the moment are advanced AI modules, systems that identify and block attacks in real time, proactive responses to anomalies detected in the infrastructure, and advanced next-generation systems that inspect the entire traffic flow.


To ensure advanced protection, apply the following good security practices:

• Patches must be applied to all systems, not only to vulnerable ones. There must be a clear process for patching all systems on a regular basis, especially to public facing services, firewalls and mail services.

• Enforce multifactor authentications for all accounts, especially for the critical ones. Identity theft is one of the most common ways for compromising organizations.

• Backups must be made on a regular basis. With current malware similar to HermeticWiper, data is at high risk: with this type of attack data recovery is not possible, so a data restoration strategy must be in place. Testing backup and recovery plans is critical, including business continuity testing for the case where your network or other key systems are disabled in an attack.

• Unused services must be blocked; small policy changes can go a long way in decreasing the likelihood of a successful attack. Internet access must be filtered to prevent hosts from participating in botnets.

• Business continuity and disaster recovery plans, and the communication protocol used during tests, must be updated to ensure a clear mechanism for reacting in critical situations.
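The backup practice above stresses that a backup is only as good as a tested restore. The following is an added example (not the article's own procedure) of an automated restore test: it archives a directory together with a SHA-256 manifest, restores the archive into a scratch directory, and verifies every file against the manifest, so that a corrupted or silently altered backup is caught before it is needed. The archive layout, the `MANIFEST.sha256` member name and the sample files are assumptions for the example only.

```python
"""Automated restore test for a backup archive.

Added example, not the article's own tooling. Assumption: the archive carries
its own 'MANIFEST.sha256' member listing '<sha256>  <relative path>' per file.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir, archive_path):
    """Archive every file under src_dir and embed a manifest; return file count."""
    src_dir = Path(src_dir)
    entries = []
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                entries.append(f"{sha256_file(p)}  {rel}")
                tar.add(p, arcname=rel)
        data = ("\n".join(entries) + "\n").encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return len(entries)


def verify_restore(archive_path):
    """Restore into a scratch directory and check each file against the manifest.
    Returns (ok, problems) where problems lists missing or mismatching files."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the safe extraction filter where this Python version provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        manifest = Path(scratch, MANIFEST)
        if not manifest.exists():
            return False, ["manifest missing"]
        for line in manifest.read_text().splitlines():
            digest, rel = line.split("  ", 1)
            target = Path(scratch, rel)
            if not target.exists():
                problems.append(f"missing: {rel}")
            elif sha256_file(target) != digest:
                problems.append(f"hash mismatch: {rel}")
    return not problems, problems


def tamper_archive(archive_path, out_path, rel):
    """Copy the archive with one member's bytes zeroed, simulating corruption."""
    with tarfile.open(archive_path, "r:gz") as src, tarfile.open(out_path, "w:gz") as dst:
        for member in src.getmembers():
            if not member.isfile():
                dst.addfile(member)
                continue
            data = src.extractfile(member).read()
            if member.name == rel:
                data = b"\x00" * len(data)
            member.size = len(data)
            dst.addfile(member, io.BytesIO(data))


def demo():
    """Build a constructed data set, back it up, verify a clean and a corrupted copy."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "cfg").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "cfg" / "app.ini").write_text("[app]\nmode=prod\n")
        good = Path(work, "backup.tar.gz")
        count = create_backup(src, good)
        ok_good, _ = verify_restore(good)
        bad = Path(work, "corrupt.tar.gz")
        tamper_archive(good, bad, "ledger.csv")
        ok_bad, problems = verify_restore(bad)
        return count, ok_good, ok_bad, problems


if __name__ == "__main__":
    print(demo())
```

Run the verification step on a schedule against real archives (ideally on an isolated restore host, since a restore test that only checks the archive index proves nothing about the data inside), and treat any non-empty `problems` list as a backup failure to investigate.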
