lolloj - Fotolia

Financial sector faces era of cyber mega heists

Banks and other financial institutions are threatened by a new breed of elite cyber criminals running professional operations that will use any means to achieve their goals, says Barclays security chief

Banks and other institutions are facing an era of mega cyber heists, according to the lastest findings by threat researchers in the financial sector.

Elite cyber criminal groups are investing heavily in penetrating high-value payment platforms, high-value corporate and banking networks, and payment processes such as Swift.

The theft of up to $1bn from financial institutions worldwide by the Carbanak criminal gang, uncovered in February 2015, was considered by many as marking the start of a new phase in the evolution of cyber crime.

“Hackers targeting financial institutions are much more professional than they used to be,” said Troels Oerting, group chief security and information security officer at Barclays and former head of Europol’s European Cybercrime Centre (EC3).

“They take their time, they look at the processes, they have good resources, they are very adaptive, and they are more dedicated to going after bigger prizes rather than going after easier targets with smaller prizes,” he told Computer Weekly.

These elite groups typically use social engineering and invest a lot of time in identifying who in a bank has privileged access to payment platforms to target them exclusively to steal their login credentials.

As part of this process, elite criminals are using high-tech tools such for big data analysis and social mining, said Oerting, unfettered by the privacy regulations that defenders have to work within.

This means that if cyber criminals can get some credit card data through one data breach, they can use these tools to search and analyse social media and other sources to fill in the missing details.

“In this way, they can add things like date of birth, maiden name, address, pet names and other personal data to build up complete personal data sets for individuals,” he said.

Full data sets

Full data sets are valuable commodities on the underground market and can be used for a wide range of crime, including fraud and financial account take-overs.

In the past 18 months, said Oerting, there has been much more aggressive use of advanced malware tools in attacks targeting several areas of business activity at financial institutions.

“These tools now also include the capability to detect surveillance cameras inside banks, which indicates a convergence of physical and cyber crime,” he said.

This trend requires organisations to think of security more broadly and to consider all aspects of security together, so the physical and cyber aspects of an attack can be linked more easily.

Another key trend in cyber attacks by elite crime groups is that they are aiming to penetrate organisations more deeply and with more stealth than before.

Advanced persistent threats (APTs) are not the exception any more, they are more the general rule when it comes to this group of attackers,” said Oerting.

Wide range of techniques

Adversaries are using a wider range of techniques, from detectable malware to complex database manipulation and human behaviour-mimicking components, threat researchers have found.

“These, used in combination with stolen user credentials, pose a significant challenge to traditional security systems, which are no longer adequate to deal with the threat,” said Oerting.

A new approach is needed in view of the fact that malware is now being designed to target at the service or application level, he said.

“Malware such as the Dridex Trojan – which is emerging as the mother of all malware – is extremely complex and is increasingly updated to provide more services to elite crime groups,” said Oerting.

“We are also seeing an increase in the use of things like fileless malware and attacks that use legitimate admin tools such as Microsoft’s Windows PowerShell configuration management framework.”

Significant threat

According to financial sector researchers, criminal groups aligned with nation states also pose a significant threat at the high end of cyber crime.

“This more professional approach to cyber crime by elite groups is a growing concern,” said Oerting, adding that this is something financial institutions are having to deal with on top of the normal, lower-level attacks.

In the face of these new elite crime groups, Oerting believes that just as chief information security officers have had to evolve from being purely technical to look at people and processes in the security context, they now have to move to a broader, more comprehensive view of security that combines physical and cyber security.

“Criminals will use any means they can to achieve their aims, so that means we can no longer consider physical and cyber security separately, but instead need an end-to-end view on security,” he said.

Using this approach, organisations should first seek to identify their “crown jewels”, where that data resides and who has access to it, and then put adequate protection around it and ensure there is a high level of “cyber hygiene” across the organisation.

Read more about cyber crime

  • More than half of UK organisations say they expect to be the victim of cyber crime in the next two years, suggesting it will become the UK’s largest economic crime, says a PwC report.
  • The value chain driving cyber crime provides insights into improving enterprise cyber defences, according to a report from Hewlett Packard Enterprise.
  • Most information security professionals support the National Crime Agency’s call for help from businesses in pursuing cyber criminals.
  • Co-operation with business in the private sector is an increasingly important element in fighting crime, according to UK, US and EU law enforcement officers.

Next, organisations must focus on building security by design into all products, services and processes.

“The third thing organisation need to ensure they are doing is educating staff so that security is part of the corporate culture, and finally formalise a broader view of security,” said Oerting.

This is what Barclays has done by broadening Oerting’s role as group chief information security officer to include all security.

“I now have responsibility for physical security, cyber security, group intelligence, group investigations and group resilience because it is all about resilience,” he said. “But to provide that, you need to look at your physical security, not just your cyber security.

“If criminals are unable to achieve their aims because our cyber defences are too strong, then they will look for ways around that, such as uploading malware internally either by getting physical access to the network or using blackmail or some other means to get an insider to do it for them.”

Oerting also believes banks need to work even more closely together to fight a common enemy by sharing as much information about attackers and attack methods as possible.

Read more on Hackers and cybercrime prevention