19 February 2019

Group-IB: More than 70% of Russian banks are not ready for cyberattacks

Group-IB, an international company that specializes in preventing cyberattacks, has published research on high-tech cybercrime based on an analysis of the information security incidents handled by the Group-IB Incident Response team in 2018. According to the research, hackers continue to target the financial sector first. Even so, 74 percent of banks were not ready for cyberattacks, 29 percent were found to be actively infected with malware, and in 52 percent of cases traces of past attacks were detected. According to experts, one of the most dangerous trends of the past year is cross-border "domino effect" cyberattacks, in which the infrastructure of a compromised bank is used to spread the infection further to other banks. In 2018, the Group-IB Incident Response team detected the use of this vector in Russia and Eastern Europe.

The total number of Group-IB incident responses more than doubled compared to 2017. Topping the list of threats faced by the compromised companies are targeted attacks, competitive espionage, ransomware attacks, and cryptomining. The main conclusion of Group-IB's digital forensics lab is that the vast majority of Russian companies affected by hacker attacks last year had no incident response plan and were therefore unable to quickly mobilize their information security departments, whose personnel are in turn often unable to resist the attackers. Group-IB experts highlight the high probability of repeated incidents in such companies.


An unfortunate fact: banks aren’t ready to defend against threat actors

According to the incident response study, banks were the targets of about 70% of hacker activity last year. Hackers still use the same cash-out schemes as before: the stolen funds are withdrawn using payment cards opened in advance at the targeted bank, dummy law firm accounts, payment systems, ATMs and SIM cards. At the same time, the speed of cashing out in Russia has increased several times over: three years ago a cash-out of 3 million USD took on average about 25-30 hours, but in 2018 there were incidents in which the same amount was cashed out in less than 15 minutes, simultaneously in different Russian cities.

Analysis of data obtained by Group-IB during incident responses revealed that 74 percent of banks attacked in 2018 were not ready for cyberattacks. More than 60 percent of them turned out to be unable to centrally manage their networks (especially in the case of geographically distributed infrastructure). In more than 80 percent of financial organizations affected by hacking activity, event logs were not retained for a sufficiently long period (more than a month), which limits how far back an investigation can reconstruct the intrusion. Insufficient cooperation between internal departments is an additional factor that plays into the hands of attackers: more than 65 percent of the financial organizations where the Group-IB IR team worked spent more than 4 hours on coordination between departments. On average, 12 hours per incident response were spent on meetings, granting access and routine work.

Group-IB research revealed not only poorly developed organizational procedures for establishing the source of an infection, determining the extent of compromise and containing the incident, but also insufficient technical skills among bank personnel. According to Group-IB researchers, 70 percent of the organizations have insufficient or no specialized skills to detect infection traces and unauthorized network activity. The same percentage lacks well-defined procedures for self-detection of hardware and software compromise. The lack of readiness of technical specialists to react quickly to cyber incidents creates high risk: according to Group-IB, more than 60 percent of banks are unable to carry out a centralized one-time change of all passwords in a short time, which allows hackers to keep using the credentials they have already stolen and to attack new targets from within the bank's compromised infrastructure.
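The centralized one-time password change mentioned above is, in a Windows domain, an emergency reset of every enabled user account followed by a forced change at next logon. The script below is an added example of such a reset and is not code from the Group-IB report or from Group-IB; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and a hypothetical break-glass account named breakglass-admin that is kept out of the reset so that responders do not lock themselves out. Run it with -WhatIf first to see which accounts would be touched.

```powershell
# Added example, not from the Group-IB report: emergency, centralized reset of
# all enabled AD user passwords, forcing a change at next logon.
# Assumes the RSAT ActiveDirectory module and Domain Admin rights.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical break-glass account that must stay usable during the response.
    [string[]]$ExcludeSamAccountNames = @('breakglass-admin'),
    [string]$ReportPath = ".\password-reset-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)
Import-Module ActiveDirectory -ErrorAction Stop

# Cryptographically random temporary password. The user never learns it:
# the helpdesk issues a new one out of band, and the account is flagged to
# change it at next logon anyway.
function New-TempPassword {
    param([int]$Length = 24)
    $chars = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*')
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$results = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet) {
    if ($ExcludeSamAccountNames -contains $u.SamAccountName) { continue }
    $status = 'skipped'
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Reset password and force change at logon')) {
        try {
            $pw = ConvertTo-SecureString (New-TempPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $u -Reset -NewPassword $pw -ErrorAction Stop
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true -ErrorAction Stop
            $status = 'reset'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
    }
    # Record the old PasswordLastSet so the IR team can prove which accounts
    # still carried a pre-incident password at the time of the reset.
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        OldPasswordLastSet = $u.PasswordLastSet
        Status             = $status
        Time               = Get-Date
    }
}

$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

Two caveats a responder should plan for before running this for real: service accounts whose passwords are stored in scheduled tasks or service definitions will break when reset, so they belong in -ExcludeSamAccountNames and need a separately coordinated rotation; and resetting user passwords does not invalidate Kerberos tickets already issued, so an attacker holding a golden ticket survives this step until the krbtgt account is also reset, which is a separate procedure not shown here.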

A bank with compromised infrastructure can not only lose money, but also become a threat to other players in the financial market. A financially motivated hacker group always seeks to maximize the gains: by taking control over a bank's systems it aims not only to withdraw money from a compromised bank but also to infect as many new victims as possible. For this purpose, hackers use "a domino effect": they send out malicious phishing emails from the compromised infrastructure using the database of the bank's partner companies. This attack vector is dangerous, first of all, because these emails are sent from a legitimate bank, and the sender is not faked, which increases the probability of opening the malicious attachment. Thus, a chain reaction is started, and this can lead to multiple infections of financial institutions. In 2018, we detected the use of this vector both in Russia and Eastern Europe.

Valery Baulin

Head of Group-IB Digital Forensics Lab

Hidden agenda

According to Group-IB, at least 17 percent of the companies where incident response was carried out were targeted again, through vulnerabilities that had been reported but never fixed, within a year of the previous infection. In the vast majority of cases this was a consequence of failure to follow the recommendations issued after the first incident, as well as negligence by bank employees. In addition, during 2018 Group-IB experts detected active infections, unknown to the internal information security service, in 29 percent of financial sector organizations. In 52 percent of cases, traces of past attacks were found.

In 2018, the Group-IB Incident Response team recorded cases in which cyberattacks were organized in order to create a negative image of a bank, leading to reputational damage and in some cases to the bank's departure from the market.

A sharply negative image is created around the bank: estimates of potential damage may appear, along with negative information about the bank's level of protection. The media throw in the possible revocation of its banking license. There is an outflow of clients and partners, and the bank faces insufficient capitalization. Using a cyberattack as a tool to damage a bank's reputation and even to squeeze a competitor out of the market is another dangerous vector, which can become even more popular, as the level of cyber security of smaller banks is still extremely low.

Valery Baulin

Head of Group-IB Digital Forensics Lab

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB's Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB's Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan's Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company's patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
