If a cyber war were to break out between nation states, would critical infrastructure, including financial systems, be afforded the same level of protections as they are in conventional warfare? Anita Hawser investigates.

Cyber bomb

When countries go to war, there are international rules and norms with which they must comply, designed to protect critical infrastructure such as schools and hospitals from attack. While countries may not always comply with these rules, in general most know certain targets are off limits.

But unlike hospitals, which are protected under the Geneva Convention during wartime, financial infrastructure is not, despite being of great importance for the normal functioning of society. And while the world may not be at war, at least not in the traditional sense, some analysts point to a growing number of cyber attacks seemingly sponsored by nation states, which are threatening infrastructure such as ATMs and financial networks.

“If you’re talking about major cyber attacks that could cause a loss of life, destruction of property, the threat of exclusion or a kinetic effect, then cyber attackers are pushing the boundaries,” says William Carter, deputy director of the technology policy programme at the Center for Strategic and International Studies in Washington, DC, and author of October 2017’s Swift Institute working paper, Forces Shaping the Cyber Threat Landscape for Financial Institutions.

Malicious code

In June 2017, the Petya malware disabled ATMs and disrupted the operations of state-owned Ukrainian banks. A month earlier, the so-called WannaCry ransomware (a ransom, usually in bitcoin, is demanded to decrypt computer files) infected more than 230,000 computers in 150 countries, including those of the National Health Service in the UK. The US and UK governments blamed North Korea for these attacks.

Sean Kanuck, a former US Director of National Intelligence officer specialising in cyber issues and now director of future conflict and cyber security at the UK’s International Institute for Strategic Studies, says that North Korea also launched earlier cyber attacks on South Korea’s media and financial sectors.

For example, in 2013 South Korean government websites, as well as banks, suffered attacks that wiped hard drives and spread malware specifically targeting financial companies and their customers. The attacks were attributed to a gang called Fallout, which is believed to have ties with North Korea.

Three years later, security company FireEye observed a wave of cyber attacks against south-east Asian financial institutions. “The attacks happened to coincide with a ramping up of sanctions being imposed on North Korea by the UN Security Council and the US,” says Kimberly Goody, a senior analyst at FireEye.

More recently, organisations (including banks) in 31 countries were hit by ‘watering hole’ attacks, which use compromised websites to infect targets. The Polish financial regulator’s website was one victim. Visitors were redirected to what security software vendor Symantec describes as an “exploit kit, which attempted to install malware on selected targets”. Some of the malware used in the attacks, according to Symantec, resembled code used by the Lazarus Group, which is suspected to have ties with North Korea.

Swift action

The Lazarus Group was also linked to the 2016 attacks on banks connected to the Swift financial messaging network, which saw $81m stolen from Bangladesh Bank and attempts made to steal money from other banks in Asia and Latin America. “Nation states are robbing banks,” Richard Ledgett, former deputy director of the US National Security Agency, is reported to have said following the Bangladesh heist, referring to the fact that researchers had drawn links between the group that attacked Bangladesh Bank and the 2014 Sony Pictures hack.

According to Symantec’s May 2017 report on financial cyber threats: “The Lazarus attacks that took place in 2016 represented the first time that there were strong indications of state involvement in financial cybercrime.”

The sophistication of hackers has steadily increased since the Bangladesh incident. Karel De Kneef, director of security operations at Swift, says this is why the consortium decided to work with security vendor BAE Systems to write a joint report. The report, published in November 2017, describes in forensic detail how hackers are gaining administrative control of certain operating systems within banks and bypassing authentication, which makes them appear as a genuine user on the system.

In response to the Bangladesh Bank attacks, Swift also implemented a customer security programme and issued controls that member banks must comply with. “We’ve created a high baseline of controls that need to be put in place,” says Mr De Kneef. “All existing customers need to self-attest against the controls and any new customers joining Swift need to implement the control framework before joining.”

Banks can make it harder for attackers to gain control of their systems, but Mr De Kneef says there are zero-day exploits (software vulnerabilities that are exploited before security patches are released by developers) within the technology stack, which makes it difficult to predict what will happen in future. “We’re dealing with sophisticated attackers,” he adds. “The general cyber threat in all its forms is rising, whether it is from nation states or other groups.”

Evolving threat

Dries Watteyne, head of customer security intelligence at Swift, says hackers continue to advance their tools and techniques in each attack they launch, even those that fail. “We see that some attacks fail because the attackers haven’t yet learned from their mistakes, but whatever improvements are made, the attackers can learn and adapt,” he explains. “As such, banks can’t just rely on providers improving their software or issuing patches. Customers also need to raise the security bar.”

While state-sponsored actors’ targeting is more focused, Cristiana Brafman Kittner, a principal analyst at FireEye, says it is sometimes challenging to determine whether the motivation is espionage. “At least in the case of North Korea, some of its cyber espionage activities appeared to be aimed at providing financial gain for the regime, given tightening international sanctions,” she says.

North Korea is not the only nation state that has targeted financial institutions to further its economic and geopolitical interests. In 2012, the online banking sites of several large US banks were targeted by a series of distributed denial of service (DDoS) attacks that were attributed to Iranian agents. “When there were the DDoS attacks on US banks, it could be argued that Iran responded because it felt its financial sector and critical infrastructures had been attacked by the West,” says Mr Kanuck.

Mr Carter maintains that nation states are the most dangerous adversaries for financial institutions. “They have the greatest capability to launch the most disruptive and damaging attacks,” he says. In the past, nation state hackers may have targeted government networks, military systems and intelligence targets.

In the Swift paper, Mr Carter writes that state actors are increasingly focused on the financial sector as a means of influencing their adversaries. The same report also cites US intelligence figures, which estimate that there are now more than 30 countries developing cyber offensive capabilities, in addition to those countries – Russia, China, Iran, North Korea, the US, the UK and Israel – that already possess them.

Targeting infrastructure

As the sabre-rattling among nation states in cyberspace ramps up, what are the implications for financial networks and other critical infrastructure? “Nation state attacks are just another cyber threat,” says Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), which specialises in cyber and physical threat intelligence analysis. “They use the same tactics as other attackers: ransomware, extorting money out of a company, and getting people to click on a link.”

But with countries ramping up their capabilities to use technology offensively – a cyber bullet, if you will, in a military conflict – are banks and financial networks likely to get caught in the ensuing crossfire? Mr Kanuck says the US, and most NATO countries, are unlikely to launch a cyber attack against another country’s financial infrastructure, even as a defensive posture. “It would have a high threshold, and require sign-off by the US president,” he says. But, as he points out, technology operates in a grey area. “It’s a delicate situation where some countries are pushing the limits of cyber espionage and testing the waters.”

There is a certain element of conservatism among Western powers, says Mr Kanuck, in using technology offensively, as they fear a retaliatory response or systemic disruptions. However, countries such as North Korea operate outside the global financial system and may be more willing to take that risk, according to Mr Carter. “But given that the North Korean state is dependent on external financing, it would be somewhat suicidal to destroy the financial system that supports the rest of the world,” he says.

In the realms of cybersecurity, the interconnectedness of global financial networks could be viewed as a weakness. But in some respects, it could also be its saving grace. “People ask me if China is likely to attack Swift or the US financial system,” says Mr Kanuck. “I say most likely not, as China wants us to keep paying interest coupons on US Treasury bonds.”

Mr Carter says he worries more about an accident, rather than an intentional cyber attack, causing a major financial crisis. “What if there was a major breach that corrupted data and caused financial institutions to question the integrity of that data, or a DDoS attack that cut off customer access to data? That could cause a bank run and have significant economic ramifications,” he says.

Ms Goody at FireEye does not believe the goal of cyber criminals is to bring down ATMs or financial networks. “We primarily observe financial institutions being targeted for monetary gain or for information gathering,” she says. “When it comes to DDoS attacks, most major financial organisations are well protected.”

Working together

One of the ways banks protect themselves is by sharing intelligence about cyber threats. Back in 2012, when US banks’ online operations suffered a series of DDoS attacks attributed to Iran, Mr Nelson says the FS-ISAC saw an immediate spike in membership. “Those that were not members quickly joined. Everybody helped each other,” he says. The organisation now has approximately 7,000 members from 40 countries, with the strongest representation in North America, western Europe and Asia-Pacific. “Information sharing is just one piece of the pie,” says Mr Nelson. “We don’t require all banks to share information; we share just enough information to protect each other.”

Swift’s Mr Watteyne agrees that there is a need for the financial services community to work together to address the cyber threat. “Hackers know which countries exchange information easily and those that don’t,” he says. Swift reports that it actively shares information with its customer base and has been asked to join information sharing groups.

But Mr Watteyne emphasises that security is not purely up to Swift. Ultimately, banks need to actively participate in these groups as well. Mr De Kneef reports recent instances when smaller and less sophisticated bodies have responded quickly to attempted cyber attacks and communicated better among themselves to thwart the criminals, thereby minimising the impact.

The FS-ISAC is also part of Sheltered Harbor, a voluntary initiative by the US financial services sector to protect consumer account information by requiring it to be stored in a private data vault that is encrypted and protected from alteration. “We’ve devised rules around maintaining customer data in a vault,” says Mr Nelson. “It is a separate system. So, if there was a destructive malware attack, we’re not waiting for the regulators to tell us what to do.”
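The “protected from alteration” property of a vault like the one described above is the part a practitioner can check mechanically: if destructive malware or an insider rewrites or deletes stored account records, the custodian must be able to prove it. The following Python example is added here to illustrate that idea; it is not code from the article, from the FS-ISAC or from Sheltered Harbor, and it does not describe how that initiative’s vault is actually built. It assumes a hypothetical append-only store in which every record is sealed with a keyed HMAC-SHA256 that also covers the previous record’s seal (a hash chain), and in which the latest seal, the “head”, is kept out of band with the key custodian so that truncating the store is detectable. Encryption of the record contents is assumed to happen in a separate layer (for example AES-GCM from a crypto library) before the bytes enter the vault; only tamper-evidence is shown. The account records and the key are constructed sample values.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = b"\x00" * 32  # chain start value used as the "previous seal" of record 0


@dataclass(frozen=True)
class SealedRecord:
    index: int
    payload: bytes  # assumed already encrypted by a separate layer; opaque to the vault
    seal: bytes     # HMAC-SHA256 over (index, previous seal, payload)


def seal_record(key: bytes, index: int, prev_seal: bytes, payload: bytes) -> bytes:
    """Keyed MAC binding a record to its position and to the record before it."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(index.to_bytes(8, "big"))
    mac.update(prev_seal)
    mac.update(payload)
    return mac.digest()


class IntegrityVault:
    """Hypothetical append-only store: each record extends a keyed hash chain."""

    def __init__(self, key: bytes):
        self._key = key
        self._records: List[SealedRecord] = []
        self._head = GENESIS

    def append(self, payload: bytes) -> bytes:
        index = len(self._records)
        seal = seal_record(self._key, index, self._head, payload)
        self._records.append(SealedRecord(index, payload, seal))
        self._head = seal
        return seal

    @property
    def records(self) -> List[SealedRecord]:
        return list(self._records)

    @property
    def head(self) -> bytes:
        """Latest seal; stored out of band so that deleting trailing records is caught."""
        return self._head


def verify_vault(key: bytes, records: List[SealedRecord],
                 expected_head: bytes) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad record).

    A truncated store still verifies record by record, so the final comparison against the
    out-of-band head is what exposes deletion; a failure there reports len(records)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.index != i:
            return False, i
        expected = seal_record(key, i, prev, rec.payload)
        if not hmac.compare_digest(expected, rec.seal):
            return False, i
        prev = rec.seal
    if not hmac.compare_digest(prev, expected_head):
        return False, len(records)
    return True, None


def demo() -> dict:
    """Seal three constructed account records, then show that alteration and truncation are caught."""
    key = hashlib.sha256(b"constructed vault key - not a real secret").digest()
    vault = IntegrityVault(key)
    for acct in ({"account": "A-0001", "balance": 1200},
                 {"account": "A-0002", "balance": 350},
                 {"account": "A-0003", "balance": 9800}):
        vault.append(json.dumps(acct, sort_keys=True).encode())
    head = vault.head
    good = vault.records

    # Alteration: rewrite one balance in place, keeping the stored seal.
    altered = list(good)
    forged = json.dumps({"account": "A-0002", "balance": 350000}, sort_keys=True).encode()
    altered[1] = SealedRecord(1, forged, good[1].seal)

    # Truncation: drop the newest record entirely.
    truncated = good[:-1]

    return {
        "intact": verify_vault(key, good, head),
        "tampered": verify_vault(key, altered, head),
        "truncated": verify_vault(key, truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block reports `intact: (True, None)`, `tampered: (False, 1)` and `truncated: (False, 2)`. The design choice worth noting is that per-record MACs alone would not catch deletion of the last record; binding each seal to its predecessor and keeping the head seal outside the store is what makes the vault tamper-evident against a destructive attack on the store itself.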

International ties

There is also a growing chorus of global voices calling for the establishment of international norms in cyberspace to protect critical infrastructure such as financial networks during peacetime. In a 2015 report, a UN group of governmental experts on international security called on states not to “conduct or knowingly support activity that intentionally damages or otherwise impairs the use and operation of critical infrastructure”.

In March 2017, finance ministers and central bank governors from the G20 countries issued a communiqué that talked about the need to “promote the resilience of financial services and institutions in G20 jurisdictions against the malicious use of information and communication technology, including from countries outside the G20”.

The Carnegie Endowment for International Peace took the communiqué a step further by proposing that countries agree not to “conduct or knowingly support any activity that intentionally manipulates the integrity of financial institutions’ data and algorithms wherever they are stored or when in transit”. While countries may sign up to these charters or norms, Mr Kanuck says there is no guarantee that they will adhere to them.

Likewise, Mr Nelson believes that establishing international norms may be useful in terms of punishing a country that violates them by imposing sanctions or other forms of repercussions, but not all countries will follow the guidelines. “What defines cyber war?” he asks. “The malware attack on Sony Pictures, was that cyber war? No one knows where the red line is, so putting it to the G20 is a good first step.”
