The financial industry is persistently under threat from physical and cyber attacks due to the highly tempting rewards for criminals. According to a recent survey report by Carbon Black, over 51% of attacks reported by security professionals in the 90 days prior to the survey were in the financial industry. Each threat actor has their own motives for attacking financial organizations, including obtaining valuable information, stealing monetary assets, gaining political power, and more.
In this article, VerSprite Threat Intelligence consultants synthesize three overarching motives the top threat actors have for targeting the financial sector. Along with the outlined motives, each section breaks down security gaps that these threat actors might attempt to exploit to achieve their goal. Additionally, VerSprite analysts have created an interactive financial sector attack tree you can use to see the flow from motive to attack vector.
The most obvious reason criminals target the financial industry is to extract information and gain monetary value. When considering attackers’ motivations for stealing data and money, it is necessary to investigate physical attacks on financial industry assets, which are often targeted by both Organized Crime groups and individual threat actors.
Currently, it is commonplace for Organized Crime groups to target both the physical facilities and the personnel of the financial institution they are corrupting. When targeting these two groups, criminals may focus on physical assets such as security cameras because their constant surveillance poses a layer of threat to any crime committed. To eliminate a physical asset, like security cameras, malicious actors may obstruct a camera by moving the angle, placing something in front of it, or outright destroying all cameras in the target area.
Not only do Organized Crime and individual threat actors pursue physical facilities, but they also target personnel. By using social engineering techniques and converting individuals to insider threat agents, the outside threat actors are able to gain access to areas that require authorization and access management bypasses.
Insider threat actors are a higher value target because their insider knowledge provides heightened access to valuable information. For example, when impersonating a trustworthy source, threat actors are more successful in their social engineering tactics like phishing (email), vishing (phone), and forged security clearance methods. Their knowledge of the organization pivots the attack surface from simply obstructing cameras to more profound espionage methods like reconnaissance, tampering of information, destruction of systems through malicious code, and exfiltration of restricted data based on access levels attributed to the insider.
Individual threat actors may also have the means to physically target entities such as ATMs, Kiosks, and Teller workstations. Patterns of tampering can lead to the distribution of malicious code or devices that steal money from client accounts. Skimmers and cameras are paramount in this area. Malicious code can be installed onto the kiosk or teller workstations to exfiltrate financial information by utilizing keyloggers, screen recorders, and Command and Control (C2) software.
While insider threat actors provide the most successful avenue into the financial firm’s assets, these threats must be carefully selected and cultivated. Corrupting an individual requires more background work than hacking into a system and moving a security camera. Instead, it requires extensive research, various blackmail methods, and bribery attack pattern techniques to successfully sway a person’s interests in the attacker’s favor.
Extracting information and gaining financial assets is a common motive for Organized Crime and threat actors to attack financial firms.
Threat actors are not the only group targeting financial institutions. Hacktivists, Organized Crime actors, and State-Sponsored organizations are always a threat to the technical resources of financial organizations. In general, each threat organization has a specific reason to target financial firms’ technical resources. For one, Hacktivists may target financial organizations because of their client list or to steal an individual’s or organization’s financial details. Organized Crime may target them to steal data and for financial gain, and State-Sponsored organizations could target another nation’s financial institutions for purposes of disruption, financial gain, or bypassing trade restrictions. Additionally, espionage is a concern, either from the organization’s competitors or the competitors of a client.
At the top of the resources list that Hacktivists, Organized Crime, and State-Sponsored organizations want to target is data from databases and servers. Due to the financial nature of this information, it is a hot target for attackers. Access to servers and databases is likely an attacker’s goal because of the financial information processed and stored on these assets. Data theft, modification, and destruction are all possible.
When targeting financial data from databases, satellite offices are an easier target due to them being small, numerous, and away from the main office. This creates an opportunity for IT assets and training to be neglected, allowing for easier access to valuable information. Unpatched systems and bad habits are more likely to fester here, causing these offices to be vulnerable to known exploits and user credential theft.
Satellite office user credentials can be stolen through phishing, formjacking, and XSS attacks. Once a user’s credentials are lifted, they can be used to imitate that user to access organizational resources. This access may allow attackers to further enumerate and potentially pivot or escalate privileges through exploits and discovered misconfigurations. Access to a satellite office’s infrastructure may allow access to resources beyond that office, allowing an attacker to further work their way through the institution’s IT resources.
The surface area of many financial firms is vast, providing many access points for Hacktivists, Organized Crime, and State-Sponsored organizations to penetrate and steal valuable data.
In our modern technology-centric economy, data is power. Corporate competition and State-Sponsored threats consistently target the resources of financial organizations with the intention to data-mine for personal and political gain. With the prolific use of mobile apps and APIs, these actors understand that customer information, market trends, and even proprietary information can be gleaned from man-in-the-middle attacks. The ability to gather this information – sometimes without blatantly violating legal statutes – is an irresistible target to many State-Sponsored and competitor threats.
In comparison to competitors, State-Sponsored actors are less averse to more direct data-gathering efforts. They will more brazenly attack logins directly, track users, and harvest credentials through malvertising. Their direct attacks accomplish a couple of goals: one, they capture the data of users and organizations, and two, they can directly lead to monetary theft, increasing the funding for the sponsor state. North Korea is an example of this as, according to news sources, it has acquired an estimated $300 million from such efforts.
When it comes to website hacking, State-Sponsored actors are also more likely to take a forceful approach. They specifically attack login pages, infecting users with malware that can then attack login pages from the company’s own users’ assets. Man-in-the-middle attacks also assist in gathering sensitive information in transit.
To contrast, competitors take a stealthier approach to stealing data. They may attempt to gain an advantage from stealing data that is improperly secured on websites. This takes the form of targeting transaction pages or even exposed databases.
Where competitors’ and State-Sponsored actors’ methods overlap is in their use of Denial-of-Service attacks. This practice, which forces machines or networks to shut down, can directly disrupt business at critical junctures. This shutdown, however brief, can give a decisive edge to competitors. State-Sponsored actors can use this to give friendly companies a competitive advantage, where every moment can mean the difference of millions in lost or gained revenue.
In short, these malicious actors use various methods – stealthy and direct – to upend a financial institution’s standing and to gain power.
This article highlights the various motivations and methods that threat actors have when attacking financial organizations. All the potential threat organizations mentioned in this article seek to gain the same things – information, money, and power – which the financial sector holds in droves. The stakes are high, and the reward is as well, which has caused attacks on the industry to increase in number and sophistication even in the last year alone. With the increase in reward, number of attacks, and sophistication, the response of the physical and cyber security protecting financial organizations needs to increase as well.
To do this, adequate offensive and risk-based security measures must be put into place. Using outside security consulting companies like VerSprite to support and expand the in-house security and IT teams’ efforts is the most effective way to ensure company data remains secure. We have shown success using an organizational approach to protecting financial institutions that assesses and prioritizes risks unique to the business impact, using methods such as organizational threat models, red teaming, vSOC monitoring, advanced penetration testing, and security awareness training. Threat actors will still have their motives for attacking the financial industry, but with a holistic and offensive security program in place, their level of success decreases substantially.