Nobody knew the banks had fallen.
Overnight, unknown attackers had hijacked the websites and online customer portals of every single bank in the country. From the outside, nothing seemed amiss. In reality, a cyberheist on an unprecedented scale was underway.
The attackers were stealing login credentials from unsuspecting customers who thought they were visiting their banks’ websites but were in fact being redirected to bogus reproductions thanks to the hackers’ modification of the banks’ Domain Name System registrations. The spoofs even went so far as to display fraudulent HTTPS certificates — the Internet equivalent of a fake ID.
The attackers weren’t just pilfering login credentials, though. Customers were infected with data-stealing malware from the hijacked bank websites, while the attackers simultaneously redirected the information of all ATM withdrawals and point-of-sale platforms to their own systems, hoovering up even more credit card information on the nation’s unsuspecting citizens.
The first to notice were Twitter users. They read and reread the tweets, unsure what the message meant.
“Only we can give you security. Only we can give you freedom.”
The missive was tweeted out from the accounts of the state banks at 03:00:00 UTC. Likes and retweets racked up by the hundreds, then thousands, in a matter of seconds. Prominent security researchers at first assumed it was just the banks’ Twitter accounts that had been hacked. They were quickly dissuaded of such a comforting notion: As the retweets passed 10,000, the accounts started linking to data dumps containing the credentials of thousands of transactions collected during the night. A sociopolitical campaign of implanting distrust was in full swing.
“Only we can give you security. Only we can give you freedom.”
Every news channel across television and radio that morning had its top story: A large-scale hack of the country’s banks had compromised the details of hundreds of thousands of customers. Trust in the already weakened economy took a nosedive.
The worst was yet to come. It wasn’t long before the issues at the stock exchange started.
The attackers had infiltrated the exchange’s internal network through an obviously exploitable flaw: compromised emails and passwords from managerial administrators working for the banks. When markets opened, the attackers started pulling out sell and buy orders, and triggered a short sell of government bonds. Rapid fluctuations started destabilizing the entire country’s economy within minutes; billions were wiped off the region’s largest companies’ market valuations.
The market shuddered, then crashed. Fraught nerves in the financial industry snapped as trading was suspended entirely, the exchange only realizing its circuit breakers implemented explicitly to prevent volatile crashes were also maliciously altered by the attackers. Sinking valuations sent those who held collateral scrambling to find extra funds; commercial paper markets, the funding lifeblood of many large companies, seized up.
Social media and 24-hour news meant the run on banks came in just hours. Unlike with other crashes seen around the world, however, the national bank hadn’t planned any form of emergency bailout. Already underperforming private banks certainly weren’t prepared. The lines stretched for blocks, but the ATMs were empty.
With the capital city’s new smart transport system, the country had inadvertently given the attackers an easy access point to sow turmoil in the streets. Traffic lights stopped working; the metro ground to a halt. Any backup power systems keeping the country running were shut down less than an hour later by another attack, this time targeting water treatment plants and gas stations dotting the countryside. Every centralized government infrastructure system had been compromised to make the attack on the economy more powerful. This was all in the first four hours. The money stopped for two weeks. The effects could last a lifetime.
On the morning of November 12, 2015, cyberforces representing the U.S. and the U.K. commenced a joint exercise, the culmination of more than eight months of meticulous planning. Government and independent cybersecurity researchers, working alongside leading global financial firms, simulated their worst-case cyber scenario: a large-scale, coordinated attack on the financial sectors of the Western world’s biggest economies — one that could easily play out like the hypothetical attack just described.
Operation Resilient Shield, as the exercise was dubbed, was part of a transatlantic political maneuver on cybersecurity reflecting the importance of international cooperation in cyberspace, a necessity in the age of intertwined, globalized, and wholly digital financial infrastructures.
Players of this “war game” — although the governments of both countries were eager to avoid using that phrase — included the Bank of England, the U.K. Financial Conduct Authority, the White House National Security Council, the U.S. Department of the Treasury, the U.S. Secret Service, and the FBI. The Board of Governors of the Federal Reserve System, the Federal Reserve Bank of New York, the Federal Reserve Bank of Chicago, and practically the entirety of the U.S. intelligence community also participated in the mock doomsday scenario.
While the British government had previously assaulted financial institutions with sustained mock cyberattacks back in 2013’s Operation Waking Shark II, Resilient Shield played out a different, seemingly more urgent, strategy. Rather than a what-if scenario, Resilient Shield was more akin to a when scenario. The essence of the operation wasn’t to prevent a cyberattack, but to rehearse what actions should be taken when a cyberattack occurs on critical banking infrastructure.
So when, just mere weeks later, tens of thousands of Ukrainians were plunged into darkness following the world’s first large-scale cyberattack on a country’s utilities infrastructure, Operation Resilient Shield seemed almost prophetic. But the intricate, multistage attack on western Ukraine’s Prykarpattyaoblenergo power supplier — which shut off power for hours to more than 80,000 residents — was just a warning shot. That day, December 23, 2015, would not remain an anomaly.
Cyberattacks, traditionally carried out by gangs of hackers and thieves eager to make a quick buck out of poor Internet security, have now become the weapon of choice for political groups, terrorist organizations, and even the world’s governments and militaries. The target: our infrastructure.
What happens when banks become the target and the money stops?
Banks and financial institutions are not strangers to cyberattacks. A March 2017 report commissioned by Accenture found that a typical financial services organization will face an average of 85 targeted breach attempts every year, a staggering third of which will be successful. “Financial institutions across the world are a constant target for attackers, from nation-state hackers looking to cause disruption to old-fashioned criminals looking to steal vast sums of money,” says Lee Munson, a security researcher at Comparitech.
Perhaps the most notorious case to date is the February 2016 hack of Bangladesh’s central bank, which saw hackers make off with more than $80 million after exploiting vulnerabilities in the Swift global bank messaging and communication system.
The attackers were able to access Swift using credentials of Bangladesh central bank employees, and sent fraudulent transfer requests to move the stolen money to bank accounts throughout Asia. The FBI suspects it was an inside job; other security experts point toward North Korean involvement.
Three years prior to the Bangladesh heist, a South Korean bank (along with three South Korean television networks) was hit by a cyberattack that knocked out mobile payments and cash machines in the country. Investigators concluded that the malware used in the attack, called DarkSeoul, was most likely the work of North Korea in collusion with China. During the attack the Internet servers of Shinhan Bank were blocked, and a handful of other national banks were also hit when several of their branches were targeted with viruses that took their computers offline.
Back in Ukraine, less than two years after the initial attack on its power infrastructure, a cyberattack yet again crippled the country. This time the aggressors didn’t stop at the state’s energy supplier. On June 27, 2017, a devastating strain of ransomware — a computer virus that locks down users’ files — rapidly spread throughout the country, knocking out computer systems across government infrastructure, airports, and national banks. The virus, dubbed NotPetya, acted just like the WannaCry ransomware that had plagued hundreds of thousands of computers across 150 countries one month earlier.
“As a result of cyberattacks, these banks have difficulties with customer service and banking operations,” an urgent statement rushed out from the National Bank of Ukraine said during the attacks. “The national bank is confident that the banking infrastructure’s defense against cyberfraud is properly set up and attempted cyberattacks on banks’ IT systems will be neutralized.” The message did little to quell concerns.
Ukraine’s state postal service was also affected, and metro passengers in the capital, Kiev, were unable to pay using their banks’ debit cards. ATMs were also offline around the country. In just a matter of hours, the country was in utter chaos. Ukraine’s state security service, the SBU, pointed the finger at Russia, an accusation backed up by several cybersecurity vendors. “The available data, including those obtained in cooperation with international antivirus companies, give us reason to believe that the same hacking groups are involved in the attacks, which in December 2016 attacked the financial system, transport and energy facilities of Ukraine,” said the SBU, referring to the original power grid attack. “This testifies to the involvement of the special services of [the] Russian Federation in this attack.”
While traditionally used to profit by duping victims into paying to release files, this particular ransomware was instead a vehicle to cause mass disruption on a country’s infrastructure. What was witnessed in Ukraine first in 2015, and then again since, is just a taster of what’s to come.
Some predict a large-scale attack on a nation state’s entire infrastructure, penetrating and disrupting the country’s economic core. The stock exchange or a single central bank may be attacked, destroying trust between the country’s lenders, citizens, and governments. The broader economy as a whole could become unstable, eventually showing cracks as consumers stop buying and hoard cash as power networks and transport links go offline.
“No one expects to see blackouts in this day and age — but it happened,” says Pascal Geenens, a security expert at security firm Radware. “If the utilities were to be targeted at the same time as the financial and government networks, all hell would break loose. There would be panic as people’s homes come under fire, panic as people try to grab their money, panic as people try to protect their citizenship. Bottom line is that anything connected to a network is a risk.”
While it’s relatively easy to imagine a hacker remotely infiltrating the network of a power station and manually switching off the safety limits on a reactor, it’s harder to imagine how exactly a cyberheist of a financial institution or a central bank would go down. Similarly, cutting the power has an obvious impact on citizens. But what would be the effects of a major bank suffering from some form of attack?
“When looking at an attack, you actually have to look at why. A lot of times there’s a destructive side of it,” says Andre McGregor. “When you’re looking at foreign nation states and why they would attack a banking institution, you have to think about how those states are economically entwined.”
McGregor’s calling me in London from New York City. His colleague, Jason Truppi, is also on the phone. The two are former FBI cyber special agents, experts in criminal and counterintelligence cyber techniques with decades of combined frontline experience responding to serious national security issues, corporate data breaches, hacktivism, and cyber extortion. They now work at Tanium, a U.S. cybersecurity company that helps protect and advise some of the world’s largest financial organizations. Its customers include 12 of the world’s 15 biggest banks, Aon, PwC, eBay, Amazon, and the intelligence agencies of the U.K. and the U.S.
“Iran was a good example of that,” says McGregor, referring to the seven Iranian hackers charged in early 2016 with carrying out distributed denial-of-service (DDoS) attacks against 46 U.S. banks and financial institutions throughout 2011, 2012, and 2013. “But of course there’s a financial-gain perspective as well. Like North Korea and Swift.”
Between them, McGregor and Truppi have investigated dozens of cyberattacks against U.S. financial institutions, and they say that working out why a bank might have been attacked often leads to discovering who attacked it, and how. “A good example: China is not going to hack United States infrastructure and take down the trading platform, because that would affect them economically,” says Truppi. “What China would try to do is hack banking institutions and gain the upper hand with information, maybe information on mergers and acquisitions or other information on companies.”
On the other hand, Truppi says, attacks like those purportedly deployed by North Korea on South Korea are designed to wreak havoc on society. “The reason they have been able to take those destructive approaches is because they’re not economically entwined with the U.S. in any way, shape, or form. It’s making a statement,” he says.
In our fictionalized scenario, a country’s financial infrastructure has been targeted to cause maximum disruption. But how exactly would the attackers — nation state or otherwise — go about achieving this?
“There are many different forms of an attack, but you’ve got to think about how a banking institution has been positioned on the Internet. They have to interface with customers, right?” says Truppi. “That’s the primary location of where most banks get attacked. And that’s because those areas are accessible to most people around the world. It’s accessible to a customer of the bank — but also to a hacker sitting somewhere else.” For years banks have been targeted through web-based login portals and other Internet applications, exposing them to a range of cyberattacks, such as DDoS, fraudulent transfers, and attacks where sensitive information is raided and stolen. It’s a financial institution’s Achilles heel.
Once in, damage can spread. “Financial institutions that offer interconnected services are at a high risk due to the way their systems have to communicate and interact with each other,” says Mark James, a security specialist at Slovakian security firm ESET. “Malware writers are very aware of how this works; one successful infection or compromised machine inside a network could cause a cascade effect that could cripple infrastructures like we saw with Petya.”
But in the era of tweeting presidents and globalized social media, banks aren’t just vulnerable from the inside: Experts don’t discount the role fake news or other propaganda could have in a disaster scenario involving an attack on financial infrastructure.
Agnia Grigas, an energy sector and political risk analyst who focuses on the U.S. and Eurasia, points to the widespread 2007 cyberattacks in Estonia as evidence of this. The attacks, which some blamed on Russia, were merely proving grounds for organized DDoS campaigns on a country’s media and government. Estonia’s banking systems, parliament, and media were all targeted in a widespread propaganda and misinformation campaign dubbed a “cyber riot” that shook the country for days.
“[Attacks] could become quite potent when used in combination with information warfare and propaganda,” Grigas says. “Essentially, if you hack into a system, like a media system, and you put on some fake news or fake reports — that is less sophisticated than taking down an entire system, but it can be just as potent by causing commotion and confusion.”
Fake news has on numerous occasions caused financial disruption in the real world. In April 2013, hackers accessed the Twitter account of The Associated Press and tweeted out a message that the White House had been bombed and Barack Obama had been injured. Almost $140 billion was temporarily knocked off the stock market.
Once an attacker has a foot in the door, the possibilities are nearly limitless. The first port of call is to look for any weaknesses in IT administrator privileges at a particular bank or company, followed, perhaps, by spear-phishing attacks on other administrators to rack up credentials to access more systems. The attacker can then use these new privileges within the network to deploy malicious software where data can be scooped up, manipulated, or even destroyed.
“Any country’s economy is based on trust,” says Alan Levine, a security adviser at Wombat Security Technologies, a U.S.-based cybersecurity training company. “Shake this confidence and any economy would shudder, weaken, and potentially begin to fail. There would be runs on banks and exchanges, consumers would stop buying and hoard cash, treasuries and other bonds would be weakened, and this downward cycle would feed upon itself, eating away at the fabric of the economy.”
The deployment of malware inside a bank’s systems could devastate an economy if the bank isn’t prepared. Moreover, a multistage bank attack — like that used in the Bangladesh Swift hack — could funnel billions away from customers while a smokescreen of disaster has authorities preoccupied. A Russian criminal hacking group known as Cobalt has already been successful in targeting hundreds of banks with malware and phishing attacks across Europe, stealing millions. “By attacking a financial exchange, a criminal group like Cobalt can pump or dump stocks, incentivizing purchase or sale of shares in certain companies in a way that causes rapid fluctuations in share price,” says Alex Mathews, lead security evangelist at cybersecurity firm Positive Technologies.
Former FBI agents McGregor and Truppi confirm that the consequences of a cyberattack on a country’s economy would be devastating. “I look at something like Bernie Madoff, where we had one individual that had such a significant negative impact on the market through his Ponzi scheme that sent a ripple through all industries,” says McGregor. “That’s just one person.”
Truppi refers to the disorder caused after South Korean banks were attacked in 2013. Residents were unable to withdraw cash from ATMs. “That’s a pretty scary situation, especially for electronic transactions,” he says. “The majority of transactions are still via cash, at least in the U.S. economy. But we’re slowly moving toward electronic-based transactions, and if you can’t make a transaction for one day, it’s not that big of a deal. But two days, four days, two weeks — which is what happened in South Korea — that’s scary.” Truppi and McGregor also believe cyberattackers could easily take advantage of the very integrity of data. “Looking at markets, how do we know that the data we’re looking at is actually the data that is real and true?” asks McGregor. “We trust it, but if I were going to disrupt a market, as a bad guy, why not change the numbers?”
But in protecting banks against an attack, the duo is confident. “Andre and I have spent an enormous amount of time with banking institutions and how they protect not only trading platforms for stock exchanges but also internal banking applications,” says Truppi. “Generally speaking, I think that banking institutions are pretty well positioned to protect that to a high security level, and what that means is that it’s not easy for an attacker to infiltrate a bank and take down a stock exchange.” Unlike other industries like water and gas, the financial industry has the cash to spend on the best cybersecurity. “Banks have always been ahead of the curve with technology because, quite frankly, they have the money to do it,” says McGregor.
This sentiment echoes Grigas’s opinions. When asked what the financial industry could learn from an industry that’s already been compromised with a powerful attack, like the energy industry, she replies, “I think it’s the energy sector that can actually learn more from the financial sector.”
It’s mid-August and the cooling breeze is already anticipating autumn in London’s Greenwich Park. Standing on Observatory Hill looking north over the River Thames, the impressive skyline of London’s iconic Canary Wharf looms in front of us. “The risk of cyberattack comes from centralization of infrastructure and authority,” the man next to me says. “I think that the issue with centralization is the lack of diversity it creates, both security and otherwise. We all learn that diversity is good from an evolutionary perspective — it supports resilience. The problem is that diversity is messy, and that is really abhorrent to a lot of people, and confusing to everyone.”
Daniel Ames is core team member at European cryptocurrency project Crown. He is a believer in a decentralized future built upon the distributed-ledger technology of blockchain, the same technology that gave Bitcoin its star status. “The risk we have in our society right now — the biggest risk, cybersecurity and otherwise — is leaving people behind to be dependent on centralized systems.”
Looking over the river toward one of London’s major business districts with its aging, steel towers, it’s easy to forget just how vulnerable today’s world is to cyberthreats. Like honeypots, centralized infrastructures, including central banks, make juicy targets for attackers. But blockchain is decentralized and people like Ames argue that by virtue it’s more secure.
Blockchain technology allows for secure transactions of money and other assets thanks to a ledger system that’s distributed over the Internet. Not only useful for actual money, blockchain can also store any digital assets across numerous computers spanning networks, publicly recording all transactions. It’s a stark change from putting your trust in a centralized bank or government service, but that’s where blockchain supporters see its success. Combined with the cryptographic qualities that make blockchain secure, the technology’s invulnerability to tampering or alteration prevents cases of fraud and data manipulation. The decentralized technology has another boon too: With no single attack surface, it’s almost impossible to shut down a target with a DDoS attack.
This is why billions have already been pumped into the technology by most of the world’s leading banks and financial institutions. Looking further into the future, blockchain and cryptocurrency are both part of a grander ideal for Ames, who sees the entire banking industry turned on its head by the technology.
Truppi is inclined to agree, saying that the power of blockchain shines when used with a system like Swift, ensuring that transactions aren’t manipulated or fraudulent. “What I imagine is some sort of quasi-centralized cryptocurrency for the large major banks. That’s where I see that application of [blockchain],” says Truppi. “I imagine like eight or ten central banks supporting the infrastructure for that, but then the transactions themselves are somewhat decentralized, so you have this model where there is still trust in the infrastructure.”
Unlike conventional warfare, cyberwarfare has yet to attain its own rules of play.
There are no borders, no guidelines — just ever-intensifying hacks that push the boundaries of what small groups, organizations, or even nation states can unleash without putting physical boots on the ground. Our digital addiction is only making a serious financial attack scenario more likely. “As we speed into a world where everything is digital, we embrace technology to manage the tasks we used to do manually. We want everything at our fingertips, easy, simple, and interconnected,” ESET’s Mark James says. “For a large-scale attack to succeed, the core infrastructure will need to be taken down; as we move toward an interconnected city, this is only going to get easier.”
Despite emerging technologies, defending against cyberattacks is an incessant game of cat and mouse, with attackers and defenders finding new ways to outsmart each other with updated software and innovative attack vectors. Even if banks are relatively safe compared to other infrastructure hubs, institutions around them will be targeted, say Truppi and McGregor. “Secondary industries and those third parties that are supported by the banks” will come under fire, they say.
By the nature of its newness, it’s nearly impossible to accurately predict what a cyberattack on a country’s financial institutions would look like. Yet we can be certain about one thing: Along with electricity, transport, medical facilities, telecommunications, and water, a nation’s financial infrastructure is crucial to the smooth running of today’s society. Emerging cyber superpowers, be they malicious groups of hackers or governments exploring new types of warfare, are now a constant, prevalent, and very real threat.
“We’re going to see more from North Korea, based off of the rhetoric,” warns McGregor. “They’re not connected to the economy of the Western world. They kind of want to push the envelope. They’re posturing, and they’ve proven to be able to disrupt markets. And because the Western world hasn’t created a red line for cyberattacks, what is that cyberattack that results in a kinetic attack?” asks McGregor.
“What cyberattack results in a missile down range?”