Nobody knew the banks had fallen.
Overnight, unknown attackers had hijacked the websites and online customer portals of every single bank in the country. From the outside, nothing seemed amiss. In reality, a cyberheist on an unprecedented scale was underway.
The attackers were stealing login credentials from unsuspecting customers who thought they were visiting their banks' websites but were in fact being redirected to bogus reproductions, thanks to the hackers' modification of the banks' Domain Name System registrations. The spoofs even went so far as to display fraudulent HTTPS certificates, the Internet equivalent of a fake ID.
The attackers weren't just pilfering login credentials, though. Customers were infected with data-stealing malware from the hijacked bank websites, while the attackers simultaneously redirected the information of all ATM withdrawals and point-of-sale platforms to their own systems, hoovering up even more credit card information on the nation's unsuspecting citizens.
The first to notice were Twitter users. They read and reread the tweets, unsure what the message meant.
"Only we can give you security. Only we can give you freedom."
The missive was tweeted out from the accounts of the state banks at 03:00:00 UTC. Likes and retweets racked up by the hundreds, then thousands, in a matter of seconds. Prominent security researchers at first assumed it was just the banks' Twitter accounts that had been hacked. They were quickly disabused of such a comforting notion: As the retweets passed 10,000, the accounts started linking to data dumps containing the credentials of thousands of transactions collected during the night. A sociopolitical campaign of implanting distrust was in full swing.
"Only we can give you security. Only we can give you freedom."
Every news channel across television and radio that morning had its top story: A large-scale hack of the country's banks had compromised the details of hundreds of thousands of customers. Trust in the already weakened economy took a nosedive.
The worst was yet to come. It wasn't long before the issues at the stock exchange started.
The attackers had infiltrated the exchange's internal network through an obviously exploitable flaw: compromised emails and passwords from managerial administrators working for the banks. When markets opened, the attackers started pulling out sell and buy orders, and triggered a short sell of government bonds. Rapid fluctuations started destabilizing the entire country's economy within minutes; billions were wiped off the region's largest companies' market valuations.
The market shuddered, then crashed. Fraught nerves in the financial industry snapped as trading was suspended entirely, the exchange only realizing its circuit breakers, implemented explicitly to prevent volatile crashes, had also been maliciously altered by the attackers. Sinking valuations sent those who held collateral scrambling to find extra funds; commercial paper markets, the funding lifeblood of many large companies, seized up.
Social media and 24-hour news meant the run on banks came in just hours. Unlike with other crashes seen around the world, however, the national bank hadn't planned any form of emergency bailout. Already underperforming private banks certainly weren't prepared. The lines stretched for blocks, but the ATMs were empty.
With the capital city's new smart transport system, the country had inadvertently given the attackers an easy access point to sow turmoil in the streets. Traffic lights stopped working; the metro ground to a halt. Any backup power systems keeping the country running were shut down less than an hour later by another attack, this time targeting water treatment plants and gas stations dotting the countryside. Every centralized government infrastructure system had been compromised to make the attack on the economy more powerful. This was all in the first four hours. The money stopped for two weeks. The effects could last a lifetime.
On the morning of November 12, 2015, cyberforces representing the U.S. and the U.K. commenced a joint exercise, the culmination of more than eight months of meticulous planning. Government and independent cybersecurity researchers, working alongside leading global financial firms, simulated their worst-case cyber scenario: a large-scale, coordinated attack on the financial sectors of the Western world's biggest economies, one that could easily play out like the hypothetical attack just described.
Operation Resilient Shield, as the exercise was dubbed, was part of a transatlantic political maneuver on cybersecurity reflecting the importance of international cooperation in cyberspace, a necessity in the age of intertwined, globalized, and wholly digital financial infrastructures.
Players of this war game (although the governments of both countries were eager to avoid using that phrase) included the Bank of England, the U.K. Financial Conduct Authority, the White House National Security Council, the U.S. Department of the Treasury, the U.S. Secret Service, and the FBI. The Board of Governors of the Federal Reserve System, the Federal Reserve Bank of New York, the Federal Reserve Bank of Chicago, and practically the entirety of the U.S. intelligence community also participated in the mock doomsday scenario.
While the British government had previously assaulted financial institutions with sustained mock cyberattacks back in 2013's Operation Waking Shark II, Resilient Shield played out a different, seemingly more urgent, strategy. Rather than a "what if" scenario, Resilient Shield was more akin to a "when" scenario. The essence of the operation wasn't to prevent a cyberattack, but to rehearse what actions should be taken when a cyberattack occurs on critical banking infrastructure.
So when, just weeks later, tens of thousands of Ukrainians were plunged into darkness following the world's first large-scale cyberattack on a country's utilities infrastructure, Operation Resilient Shield seemed almost prophetic. But the intricate, multistage attack on western Ukraine's Prykarpattyaoblenergo power supplier, which shut off power for hours to more than 80,000 residents, was just a warning shot. That day, December 23, 2015, would not remain an anomaly.
Cyberattacks, traditionally carried out by gangs of hackers and thieves eager to make a quick buck out of poor Internet security, have now become the weapon of choice for political groups, terrorist organizations, and even the world's governments and militaries. The target: our infrastructure.
What happens when banks become the target and the money stops?
Banks and financial institutions are not strangers to cyberattacks. A March 2017 report commissioned by Accenture found that a typical financial services organization will face an average of 85 targeted breach attempts every year, a staggering third of which will be successful. "Financial institutions across the world are a constant target for attackers, from nation-state hackers looking to cause disruption to old-fashioned criminals looking to steal vast sums of money," says Lee Munson, a security researcher at Comparitech.
Perhaps the most notorious case to date is the February 2016 hack of Bangladesh's central bank, which saw hackers make off with more than $80 million after exploiting vulnerabilities in the Swift global bank messaging and communication system.
The attackers were able to access Swift using credentials of Bangladesh central bank employees, and sent fraudulent transfer requests to move the stolen money to bank accounts throughout Asia. The FBI suspects it was an inside job; other security experts point toward North Korean involvement.
Three years prior to the Bangladesh heist, a South Korean bank (along with three South Korean television networks) was hit by a cyberattack that knocked out mobile payments and cash machines in the country. Investigators concluded that the malware used in the attack, called DarkSeoul, was most likely the work of North Korea in collusion with China. During the attack the Internet servers of Shinhan Bank were blocked, and a handful of other national banks were also hit when several of their branches were targeted with viruses that took their computers offline.
Back in Ukraine, less than two years after the initial attack on its power infrastructure, a cyberattack yet again crippled the country. This time the aggressors didn't stop at the state's energy supplier. On June 27, 2017, a devastating strain of ransomware (a computer virus that locks down users' files) rapidly spread throughout the country, knocking out computer systems across government infrastructure, airports, and national banks. The virus, dubbed NotPetya, acted just like the WannaCry ransomware that had plagued hundreds of thousands of computers across 150 countries one month earlier.
"As a result of cyberattacks, these banks have difficulties with customer service and banking operations," an urgent statement rushed out from the National Bank of Ukraine said during the attacks. "The national bank is confident that the banking infrastructure's defense against cyberfraud is properly set up and attempted cyberattacks on banks' IT systems will be neutralized." The message did little to quell concerns.
Ukraine's state postal service was also affected, and metro passengers in the capital, Kiev, were unable to pay using their banks' debit cards. ATMs were also offline around the country. In just a matter of hours, the country was in utter chaos. Ukraine's state security service, the SBU, pointed the finger at Russia, an accusation backed up by several cybersecurity vendors. "The available data, including those obtained in cooperation with international antivirus companies, give us reason to believe that the same hacking groups are involved in the attacks, which in December 2016 attacked the financial system, transport and energy facilities of Ukraine," said the SBU, referring to the original power grid attack. "This testifies to the involvement of the special services of [the] Russian Federation in this attack."
While traditionally used to profit by duping victims into paying to release files, this particular ransomware was instead a vehicle to cause mass disruption on a country's infrastructure. What was witnessed in Ukraine first in 2015, and then again since, is just a taster of what's to come.
Some predict a large-scale attack on a nation state's entire infrastructure, penetrating and disrupting the country's economic core. The stock exchange or a single central bank may be attacked, destroying trust between the country's lenders, citizens, and governments. The broader economy as a whole could become unstable, eventually showing cracks as consumers stop buying and hoard cash as power networks and transport links go offline.
"No one expects to see blackouts in this day and age but it happened," says Pascal Geenens, a security expert at security firm Radware. "If the utilities were to be targeted at the same time as the financial and government networks, all hell would break loose. There would be panic as people's homes come under fire, panic as people try to grab their money, panic as people try to protect their citizenship. Bottom line is that anything connected to a network is a risk."
While it's relatively easy to imagine a hacker remotely infiltrating the network of a power station and manually switching off the safety limits on a reactor, it's harder to imagine how exactly a cyberheist of a financial institution or a central bank would go down. Similarly, cutting the power has an obvious impact on citizens. But what would be the effects of a major bank suffering from some form of attack?
"When looking at an attack, you actually have to look at why. A lot of times there's a destructive side of it," says Andre McGregor. "When you're looking at foreign nation states and why they would attack a banking institution, you have to think about how those states are economically entwined."
McGregor's calling me in London from New York City. His colleague, Jason Truppi, is also on the phone. The two are former FBI cyber special agents, experts in criminal and counterintelligence cyber techniques with decades of combined frontline experience responding to serious national security issues, corporate data breaches, hacktivism, and cyber extortion. They now work at Tanium, a U.S. cybersecurity company that helps protect and advise some of the world's largest financial organizations. Its customers include 12 of the world's 15 biggest banks, Aon, PwC, eBay, Amazon, and the intelligence agencies of the U.K. and the U.S.
"Iran was a good example of that," says McGregor, referring to the seven Iranian hackers charged in early 2016 with carrying out distributed denial-of-service (DDoS) attacks against 46 U.S. banks and financial institutions throughout 2011, 2012, and 2013. "But of course there's a financial-gain perspective as well. Like North Korea and Swift."
Between them, McGregor and Truppi have investigated dozens of cyberattacks against U.S. financial institutions, and they say that working out why a bank might have been attacked often leads to discovering who attacked it, and how. A good example: "China is not going to hack United States infrastructure and take down the trading platform, because that would affect them economically," says Truppi. "What China would try to do is hack banking institutions and gain the upper hand with information, maybe information on mergers and acquisitions or other information on companies."
On the other hand, Truppi says, attacks like those purportedly deployed by North Korea on South Korea are designed to wreak havoc on society. "The reason they have been able to take those destructive approaches is because they're not economically entwined with the U.S. in any way, shape, or form. It's making a statement," he says.
In our fictionalized scenario, a country's financial infrastructure has been targeted to cause maximum disruption. But how exactly would the attackers, nation state or otherwise, go about achieving this?
"There are many different forms of an attack, but you've got to think about how a banking institution has been positioned on the Internet. They have to interface with customers, right?" says Truppi. "That's the primary location of where most banks get attacked. And that's because those areas are accessible to most people around the world. It's accessible to a customer of the bank but also to a hacker sitting somewhere else." For years banks have been targeted through web-based login portals and other Internet applications, exposing them to a range of cyberattacks, such as DDoS, fraudulent transfers, and attacks where sensitive information is raided and stolen. It's a financial institution's Achilles' heel.
Once in, damage can spread. "Financial institutions that offer interconnected services are at a high risk due to the way their systems have to communicate and interact with each other," says Mark James, a security specialist at Slovakian security firm ESET. "Malware writers are very aware of how this works; one successful infection or compromised machine inside a network could cause a cascade effect that could cripple infrastructures like we saw with Petya."
But in the era of tweeting presidents and globalized social media, banks aren't just vulnerable from the inside: Experts don't discount the role fake news or other propaganda could have in a disaster scenario involving an attack on financial infrastructure.
Agnia Grigas, an energy sector and political risk analyst who focuses on the U.S. and Eurasia, points to the widespread 2007 cyberattacks in Estonia as evidence of this. The attacks, which some blamed on Russia, were merely proving grounds for organized DDoS campaigns on a country's media and government. Estonia's banking systems, parliament, and media were all targeted in a widespread propaganda and misinformation campaign, dubbed a "cyber riot," that shook the country for days.
"[Attacks] could become quite potent when used in combination with information warfare and propaganda," Grigas says. "Essentially, if you hack into a system, like a media system, and you put on some fake news or fake reports, that is less sophisticated than taking down an entire system, but it can be just as potent by causing commotion and confusion."
Fake news has on numerous occasions caused financial disruption in the real world. In April 2013, hackers accessed the Twitter account of The Associated Press and tweeted out a message that the White House had been bombed and Barack Obama had been injured. Almost $140 billion was temporarily knocked off the stock market.
Once an attacker has a foot in the door, the possibilities are nearly limitless. The first port of call is to look for any weaknesses in IT administrator privileges at a particular bank or company, followed, perhaps, by spear-phishing attacks on other administrators to rack up credentials to access more systems. The attacker can then use these new privileges within the network to deploy malicious software where data can be scooped up, manipulated, or even destroyed.
"Any country's economy is based on trust," says Alan Levine, a security adviser at Wombat Security Technologies, a U.S.-based cybersecurity training company. "Shake this confidence and any economy would shudder, weaken, and potentially begin to fail. There would be runs on banks and exchanges, consumers would stop buying and hoard cash, treasuries and other bonds would be weakened, and this downward cycle would feed upon itself, eating away at the fabric of the economy."
The deployment of malware inside a bank's systems could devastate an economy if the bank isn't prepared. Moreover, a multistage bank attack like that used in the Bangladesh Swift hack could funnel billions away from customers while a smokescreen of disaster has authorities preoccupied. A Russian criminal hacking group known as Cobalt has already been successful in targeting hundreds of banks with malware and phishing attacks across Europe, stealing millions. "By attacking a financial exchange, a criminal group like Cobalt can pump or dump stocks, incentivizing purchase or sale of shares in certain companies in a way that causes rapid fluctuations in share price," says Alex Mathews, lead security evangelist at cybersecurity firm Positive Technologies.
Former FBI agents McGregor and Truppi confirm that the consequences of a cyberattack on a country's economy would be devastating. "I look at something like Bernie Madoff, where we had one individual that had such a significant negative impact on the market through his Ponzi scheme that sent a ripple through all industries," says McGregor. "That's just one person."
Truppi refers to the disorder caused after South Korean banks were attacked in 2013. Residents were unable to withdraw cash from ATMs. "That's a pretty scary situation, especially for electronic transactions," he says. "The majority of transactions are still via cash, at least in the U.S. economy. But we're slowly moving toward electronic-based transactions, and if you can't make a transaction for one day, it's not that big of a deal. But two days, four days, two weeks (which is what happened in South Korea), that's scary." Truppi and McGregor also believe cyberattackers could easily take advantage of the very integrity of data. "Looking at markets, how do we know that the data we're looking at is actually the data that is real and true?" asks McGregor. "We trust it, but if I were going to disrupt a market, as a bad guy, why not change the numbers?"
But in protecting banks against an attack, the duo is confident. "Andre and I have spent an enormous amount of time with banking institutions and how they protect not only trading platforms for stock exchanges but also internal banking applications," says Truppi. "Generally speaking, I think that banking institutions are pretty well positioned to protect that to a high security level, and what that means is that it's not easy for an attacker to infiltrate a bank and take down a stock exchange." Unlike other industries like water and gas, the financial industry has the cash to spend on the best cybersecurity. "Banks have always been ahead of the curve with technology because, quite frankly, they have the money to do it," says McGregor.
This sentiment echoes Grigas's opinions. When asked what the financial industry could learn from an industry that's already been compromised with a powerful attack, like the energy industry, she replies, "I think it's the energy sector that can actually learn more from the financial sector."
It's mid-August and the cooling breeze is already anticipating autumn in London's Greenwich Park. Standing on Observatory Hill looking north over the River Thames, the impressive skyline of London's iconic Canary Wharf looms in front of us. "The risk of cyberattack comes from centralization of infrastructure and authority," the man next to me says. "I think that the issue with centralization is the lack of diversity it creates, both security and otherwise. We all learn that diversity is good from an evolutionary perspective; it supports resilience. The problem is that diversity is messy, and that is really abhorrent to a lot of people, and confusing to everyone."
Daniel Ames is a core team member at European cryptocurrency project Crown. He is a believer in a decentralized future built upon the distributed-ledger technology of blockchain, the same technology that gave Bitcoin its star status. "The risk we have in our society right now, the biggest risk, cybersecurity and otherwise, is leaving people behind to be dependent on centralized systems."
Looking over the river toward one of London's major business districts with its aging, steel towers, it's easy to forget just how vulnerable today's world is to cyberthreats. Like honeypots, centralized infrastructures, including central banks, make juicy targets for attackers. But blockchain is decentralized, and people like Ames argue that by virtue of this it's more secure.
Blockchain technology allows for secure transactions of money and other assets thanks to a ledger system that's distributed over the Internet. Not only useful for actual money, blockchain can also store any digital assets across numerous computers spanning networks, publicly recording all transactions. It's a stark change from putting your trust in a centralized bank or government service, but that's where blockchain supporters see its success. Combined with the cryptographic qualities that make blockchain secure, the technology's invulnerability to tampering or alteration prevents cases of fraud and data manipulation. The decentralized technology has another boon too: With no single attack surface, it's almost impossible to shut down a target with a DDoS attack.
This is why billions have already been pumped into the technology by most of the world's leading banks and financial institutions. Looking further into the future, blockchain and cryptocurrency are both part of a grander ideal for Ames, who sees the entire banking industry turned on its head by the technology.
Truppi is inclined to agree, saying that the power of blockchain shines when used with a system like Swift, ensuring that transactions aren't manipulated or fraudulent. "What I imagine is some sort of quasi-centralized cryptocurrency for the large major banks. That's where I see that application of [blockchain]," says Truppi. "I imagine like eight or ten central banks supporting the infrastructure for that, but then the transactions themselves are somewhat decentralized, so you have this model where there is still trust in the infrastructure."
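The tamper-resistance described above, and McGregor's earlier question about whether market data is "real and true", both rest on the same mechanism: every record commits to the hash of the record before it, and many parties hold independent copies. The following is an added illustration, not code from the article or from Crown, Swift or any other project it mentions; the block layout, the three named replicas and the sample transfers are all constructed for the demo. It shows that editing a historical block is caught locally by re-hashing, and that editing the newest block (which leaves a single copy self-consistent) is caught only by comparing tips across replicas.

```python
import hashlib
import json
from collections import Counter
from copy import deepcopy
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # the first block links to an all-zero "previous" hash


@dataclass
class Block:
    index: int
    transactions: list
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so every replica hashes identical bytes for identical content.
        payload = json.dumps(
            {"index": self.index, "transactions": self.transactions, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(batches):
    """Append one block per batch of transactions; each block commits to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(i, deepcopy(txs), prev)
        block.hash = block.compute_hash()
        chain.append(block)
        prev = block.hash
    return chain


def verify_chain(chain):
    """Return the index of the first block whose content or back-link fails to check, else None."""
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or block.compute_hash() != block.hash:
            return block.index
        prev = block.hash
    return None


def rewrite_block(chain, index, new_transactions):
    """Simulate an insider editing one historical block and re-hashing only that block."""
    block = chain[index]
    block.transactions = deepcopy(new_transactions)
    block.hash = block.compute_hash()


def disagreeing_replicas(tips):
    """Given {replica_name: tip_hash}, return the replicas whose tip differs from the majority."""
    majority, _ = Counter(tips.values()).most_common(1)[0]
    return sorted(name for name, tip in tips.items() if tip != majority)


# Constructed sample data: three batches of transfers; none of this is real.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 40}],
    [{"from": "bob", "to": "carol", "amount": 15}],
    [{"from": "carol", "to": "alice", "amount": 5}],
]


def demo():
    honest = build_chain(SAMPLE_BATCHES)
    assert verify_chain(honest) is None

    # A compromised operator rewrites the second block on its own copy.
    tampered = deepcopy(honest)
    rewrite_block(tampered, 1, [{"from": "bob", "to": "mallory", "amount": 15}])
    broken_at = verify_chain(tampered)  # block 2's prev_hash no longer matches block 1

    # Rewriting the newest block leaves that single copy self-consistent ...
    tail = deepcopy(honest)
    rewrite_block(tail, 2, [{"from": "carol", "to": "mallory", "amount": 5}])
    local_ok = verify_chain(tail) is None
    # ... but the other replicas still hold the original tip hash, so the fork is visible.
    outlier = disagreeing_replicas(
        {"bank-a": honest[-1].hash, "bank-b": honest[-1].hash, "bank-c": tail[-1].hash}
    )
    return broken_at, local_ok, outlier


if __name__ == "__main__":
    print(demo())  # (2, True, ['bank-c'])
```

The second half of `demo()` is the point a practitioner should take from the passage: hash chaining alone only protects history that has already been built on, so the defence against rewriting the latest record is replication and cross-checking of tips, which is exactly what a single centralized ledger cannot offer.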
Unlike conventional warfare, cyberwarfare has yet to attain its own rules of play.
There are no borders, no guidelines, just ever-intensifying hacks that push the boundaries of what small groups, organizations, or even nation states can unleash without putting physical boots on the ground. Our digital addiction is only making a serious financial attack scenario more likely. As we speed into a world where everything is digital, we embrace technology to manage the tasks we used to do manually. "We want everything at our fingertips, easy, simple, and interconnected," ESET's Mark James says. "For a large-scale attack to succeed, the core infrastructure will need to be taken down; as we move toward an interconnected city, this is only going to get easier."
Despite emerging technologies, defending against cyberattacks is an incessant game of cat and mouse, with attackers and defenders finding new ways to outsmart each other with updated software and innovative attack vectors. Even if banks are relatively safe compared to other infrastructure hubs, institutions around them will be targeted, say Truppi and McGregor. "Secondary industries and those third parties that are supported by the banks will come under fire," they say.
By the nature of its newness, it's nearly impossible to accurately predict what a cyberattack on a country's financial institutions would look like. Yet we can be certain about one thing: Along with electricity, transport, medical facilities, telecommunications, and water, a nation's financial infrastructure is crucial to the smooth running of today's society. Emerging cyber superpowers, be they malicious groups of hackers or governments exploring new types of warfare, are now a constant, prevalent, and very real threat.
"We're going to see more from North Korea, based off of the rhetoric," warns McGregor. "They're not connected to the economy of the Western world. They kind of want to push the envelope. They're posturing, and they've proven to be able to disrupt markets. And because the Western world hasn't created a red line for cyberattacks, what is that cyberattack that results in a kinetic attack?" asks McGregor.
"What cyberattack results in a missile down range?"