10 October 2017

Infrastructure disruption – Key Threat to the Financial Sector

According to the annual report Hi-Tech Crime Trends 2017, presented by Group-IB at CyberCrimeCon, funds stolen from companies via online banking using malware in H2 2016-H1 2017 in the Russian Federation amounted to around $10.4 mln, while targeted attacks on banks brought hackers more than $27 mln. Despite an overall 35 percent decrease YoY, targeted attacks on financial institutions remain cybercriminals' most profitable revenue stream in the former Soviet Union. According to Group-IB forecasts, a new threat is set to cause disproportionate losses for the financial sector: disruption and damage to financial infrastructure caused by targeted attacks from financially motivated cybercriminals and state-sponsored hackers.

Early in 2017, Group-IB staff detected the first cases of ransomware being used to conceal evidence of a targeted attack during theft from a bank in the Russian Federation. While attacking the victim bank with a view to stealing from its card processing systems, the Cobalt gang took control over its network. After successfully conducting their attack, they ran a modified version of Petya (the PetrWrap ransomware) on all computers in the corporate network to hide their activity and complicate investigation. During incident response, data was partially restored; however, most computers in the bank's network were disabled, causing service disruptions, reputational damage and loss of clients. The ransomware was not used to collect additional funds but to remove evidence of the attack.

After successful attacks on banks, attackers have always tried to conceal any traces of their presence in corporate networks, complicating incident response and investigation with a view to staying unnoticed in future attacks. In the past, they would use tools like SDelete, MBRKiller, and self-coded utility applications for removing data. It was obvious that using ransomware to conceal evidence of attacks was only a matter of time: not to collect additional funds from ransom but to encrypt computer systems. More importantly, state-sponsored hackers began to employ this technique very quickly, following cybercriminals' lead.

Dmitry Volkov

Head of Threat Intelligence Department, co-Founder of Group-IB
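The pattern described above, a wiping utility such as SDelete run to remove traces, followed by ransomware used to encrypt the network rather than to collect a ransom, leaves two host-level signals a defender can look for: execution of a known wiper image, and a burst of file renames on one host in a short window. The following detector is an added example, not code from Group-IB or from the report; the log format, host names, thresholds and the `.locked` suffix are constructed for the illustration.

```python
"""Spot anti-forensic wiping tools and mass-encryption bursts in host event logs.

The log format here is constructed for the example: one event per line,
"<ISO timestamp> <host> <event type> <detail>", as an EDR or Sysmon
collector might normalise it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Image names of wiping utilities (SDelete and MBRKiller are named in the
# article); matched as a case-insensitive substring of the process image.
WIPER_IMAGES = ("sdelete", "mbrkiller")
# Constructed thresholds: this many file renames on one host inside the
# window is treated as a mass-encryption burst rather than normal activity.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 50


def parse_line(line):
    """Parse 'timestamp host event detail' into a dict; return None on junk."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    ts, host, event, detail = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"when": when, "host": host, "event": event, "detail": detail}


def detect(lines):
    """Return (host, finding, evidence) tuples, at most one finding per host per type."""
    findings = []
    seen = set()
    renames = defaultdict(deque)  # host -> timestamps of recent FILE_RENAME events
    for ev in filter(None, map(parse_line, lines)):
        host = ev["host"]
        if ev["event"] == "PROCESS":
            image = ev["detail"].split()[0].lower()
            if any(w in image for w in WIPER_IMAGES) and (host, "wiper-tool") not in seen:
                seen.add((host, "wiper-tool"))
                findings.append((host, "wiper-tool", ev["detail"]))
        elif ev["event"] == "FILE_RENAME":
            window = renames[host]
            window.append(ev["when"])
            # Drop timestamps that have fallen out of the sliding window.
            while window and ev["when"] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD and (host, "encryption-burst") not in seen:
                seen.add((host, "encryption-burst"))
                findings.append((host, "encryption-burst",
                                 f"{len(window)} renames within {BURST_WINDOW.seconds}s"))
    return findings


def sample_log():
    """Constructed events: a wiper run on ws01 and a rename burst on srv02."""
    base = datetime(2017, 3, 1, 10, 0, 0)
    lines = [
        f"{base.isoformat()} ws01 PROCESS outlook.exe",
        f"{(base + timedelta(seconds=5)).isoformat()} ws01 PROCESS sdelete.exe -p 3 -s C:\\Users\\admin\\Downloads",
        f"{(base + timedelta(seconds=9)).isoformat()} ws01 FILE_RENAME C:\\tmp\\a.txt -> C:\\tmp\\b.txt",
    ]
    # 60 renames in 30 seconds on srv02, every file gaining a '.locked' suffix.
    for i in range(60):
        when = base + timedelta(seconds=120 + i // 2)
        lines.append(f"{when.isoformat()} srv02 FILE_RENAME C:\\Share\\doc{i}.docx -> C:\\Share\\doc{i}.docx.locked")
    lines.append("this line is not an event")  # malformed input is skipped
    return lines


if __name__ == "__main__":
    for host, kind, evidence in detect(sample_log()):
        print(f"{host}: {kind}: {evidence}")
```

A single rename on ws01 does not trip the burst rule, and the wiper rule fires once per host regardless of how many times the tool runs; in a real deployment the image list would be a tunable allow/deny set and the rename threshold calibrated against the host's normal file churn.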

In March 2017, Black Energy, previously known for its attacks on the energy sector, broke new ground by attacking Ukrainian banks via a third-party infection at a Kyiv IT integrator, most importantly using its own crypto locker.

WannaCry, widely attributed to Lazarus, the North Korean state hacker group, also used a crypto locker as the foundation of its attack. In this instance, it was clear that the attack's aim wasn't financial gain but disruption of infrastructure.

NotPetya, attributed to the state-backed Black Energy group, was more targeted, piggybacking off the M.E.Doc Ukrainian accountancy software, but the aim of both attacks was destruction of infrastructure. In June 2017, NotPetya resulted in the disruption of internal processes and IT systems for a wide range of companies globally, including oil & gas companies and financial institutions. The attack temporarily shut down production at a number of refineries.

Damage caused by service disruptions can be significantly larger than that from theft. Gaining control over a major bank's IT infrastructure, or damaging it, can have a major impact on the national economy and currency rates, and have other consequences that are secondary to financially motivated attacks. In this vein, the use of ransomware in attacks to disrupt businesses is set to become a tool of influence rather than a source of financial gain. The attacks we've seen this year only confirm this. Irrespective of the hackers' attribution and goals, the financial institution and its customers become the primary victims of attacks like this.

The full version of Hi-Tech Crime Trends 2017

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB's Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB's Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan's Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company's patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
