10 October

Infrastructure disruption – Key Threat to the Financial Sector

According to the annual report Hi-Tech Crime Trends 2017, presented by Group-IB at CyberCrimeCon, funds stolen from companies via online banking using malware in H2 2016-H1 2017 in the Russian Federation amounted to around $10.4 mln, while targeted attacks on banks brought hackers more than $27 mln. Despite an overall 35 percent decrease YoY, targeted attacks on financial institutions remain cybercriminals’ most profitable revenue stream in the former Soviet Union. According to Group-IB forecasts, a new threat is set to cause disproportionate losses for the financial sector: disruption and damage to financial infrastructure caused by targeted attacks from financially motivated cybercriminals and state-sponsored hackers.

Early in 2017, Group-IB staff detected the first cases of ransomware being used to conceal evidence of targeted attacks during a theft from a bank in the Russian Federation. While attacking the victim bank with a view to stealing from its card processing systems, the Cobalt gang took control over its network. After successfully conducting their attack, they ran a modified version of Petya (the PetrWrap ransomware) on all computers in the corporate network to hide their activity and complicate investigation. During incident response, data was partially restored; however, most computers in the bank’s network were disabled, causing service disruptions, reputational damage and loss of clients. The ransomware was not used to collect additional funds but to remove evidence of the attack.

After successful attacks on banks, attackers have always tried to conceal any traces of their presence in corporate networks – complicating incident response and investigation with a view to staying unnoticed in future attacks. In the past, they would use tools like SDelete, MBRKiller, and self-coded utility applications for removing data. It was obvious that using ransomware to conceal evidence of attacks was only a matter of time – not to collect additional funds from ransom but to encrypt computer systems. More important is that state-sponsored hackers began to employ this technique very quickly, and followed cybercriminals’ lead.

Dmitry Volkov

Head of Threat Intelligence Department, co-Founder of Group-IB

In March 2017, Black Energy, previously known for its attacks on the energy sector, broke new ground by attacking Ukrainian banks via a third-party infection at a Kyiv IT integrator, most importantly using its own crypto locker.

WannaCry, widely attributed to Lazarus, the North Korean state hacker group, also used a crypto locker as the foundation of its attack. In this instance, it was clear that the attack’s aim wasn’t financial gain, but to disrupt infrastructure.

NotPetya, attributed to the state-backed Black Energy group, was more targeted, piggybacking off the Ukrainian accountancy software ME DOC, but the aim of both attacks was destruction of infrastructure. In June 2017 NotPetya resulted in the disruption of internal processes and IT systems for a wide range of companies globally, including oil & gas companies and financial institutions. The attack temporarily shut down production at a number of refineries.

Damage caused by service disruptions can be significantly larger than that from theft. Gaining control over major bank IT infrastructure, or damaging it, can have a major impact on the national economy and currency rates, and have other consequences that are secondary to financially motivated attacks. In this vein, the use of ransomware in attacks to disrupt businesses is set to become a tool of influence rather than a source of financial gain. The attacks we’ve seen this year only confirm this. Irrespective of the hackers’ attribution and goals, the financial institution and its customers become the primary victims of attacks like this.

The full version of Hi-Tech Crime Trends 2017