G7 sets financial sector cyber defence guidelines as attacks grow

G7 countries have agreed cyber security guidelines in response to concerns about the safety of interconnected global financial systems that are increasingly coming under attack, according to Symantec.

The Group of Seven (G7) industrial powers has announced it is to set guidelines for protecting the global financial sector from cyber attacks as cyber criminals increasingly target banks directly.

The move follows cyber attacks on large financial institutions, such as JPMorgan, and coincides with a report by cyber security firm Symantec that a cyber criminal group dubbed Odinaff is targeting financial institutions worldwide with back door Trojan malware to steal money.

The group is also believed to be mounting attacks on financial institutions that use the secure financial messaging service Swift by using malware to hide customers’ own records of Swift messages relating to fraudulent transactions.

The Odinaff attacks on Swift users are similar to cyber heists in February and August, when Swift said attackers had manipulated bank software to hide evidence of fraudulent transfers, but emphasised that its core messaging system was not harmed.

The theft of $81m from an account belonging to the Bangladesh central bank in February 2016 was a watershed event, according to Alain Desausoi, CISO at Swift.

“We were surprised by the gap between the skills of the attackers and the cyber security practices in the banking industry,” he told the FT Cyber Security Summit in London.

The attacks on Swift members and other financial institutions have raised concerns among G7 members, including the UK, about the cyber security of interconnected global financial systems.

The G7 guidelines, which are described as non-binding principles, have been posted on the web pages of G7 government agencies, according to Reuters.

The US Treasury said the guidelines are aimed at encouraging regulators and financial firms to approach cyber security from a risk-management perspective.

The guidelines also call on G7 governments to notify each other about threats, co-operate to contain cyber breaches, and monitor their own cyber security capabilities as well as regulated organisations, and public and private institutions.

Banks increasingly at risk

According to Symantec, the discovery of Odinaff indicates that banks are at a growing risk of attack, with cyber criminals increasingly displaying a deep understanding of the internal financial systems used by banks.

Cyber criminals with a high level of expertise are investing time in finding out how bank systems work and how employees operate them, and consequently pose a significant threat to any organisation they target, Symantec warned.

Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organisations worldwide, including organisations operating in the banking, securities, trading and payroll sectors, mainly in the US, Hong Kong, Australia, the UK and Ukraine, Symantec said in a blog post.

The Odinaff malware is typically deployed in the first stage of an attack using various methods, such as malicious macros, to gain a foothold on the network, providing a persistent presence and the ability to install additional tools on the target network.

According to Symantec, these additional tools bear the hallmarks of a sophisticated attacker that has plagued the financial industry since at least the 2013 attacks by the Carbanak gang.

This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns, indicating possible co-operation with Carbanak, the Symantec researchers found.

These attacks require a large amount of hands-on involvement, with methodical deployment of a range of lightweight back doors and purpose-built tools onto computers of specific interest, the researchers said.

They found there appears to be a heavy investment in the co-ordination, development, deployment and operation of these tools during the attacks. The attacks also use custom malware tools, purpose-built for stealthy communications, network discovery, credential stealing and monitoring of employee activity.

Although difficult to perform, Symantec said these kinds of attacks on banks can be highly lucrative, with estimates of total losses to Carbanak-linked attacks ranging from tens of millions to hundreds of millions of dollars.

“The initial attack on users of the Swift network earlier in 2015 clearly indicated that the financial services industry faced increasing risk from advanced cyber assaults,” said Joe Fantuzzi, CEO of risk management firm RiskVision.

“This latest development is not only a continuation, but confirms that the risk will likely increase. By now it’s clear that even the highly regulated banking industry isn’t immune to attack, especially if security infrastructure belonging to its partners, business associates or industry counterparts isn’t up to par,” he said.

In light of anticipated attacks against the financial services industry, Fantuzzi said it is imperative that banks and other financial institutions get a clear picture of their risk posture, which includes identifying all of the vulnerabilities that leave them open to these attacks, and prioritising those for remediation.

Old-school robberies for the digital age

A complete rethink of outdated payments architectures, including Swift, is long overdue, according to Kevin Bocek, chief cyber security strategist at Venafi.

“These attacks are like old-school bank robberies for a digital age; the hackers are taking money right from the bank’s safe. This is a shift from previous attacks that have been more focused on stealing from banking customers,” he said.

Bocek said financial and other organisations need to understand that cyber attackers are abusing the systems of authentication, privacy and control that were introduced to establish trust on the internet.

“Attackers are essentially turning our defences against us. The perfect disguise for any bank robber is to have a valid security badge and credentials,” he said.

“Criminals want to gain trusted status and go undetected for long periods, they are therefore targeting cryptographic keys and digital certificates as they help them to gain access to even higher value targets than ever before and remain undetected.”

A critical step for financial institutions to mitigate the risk of breaches such as these, said Bocek, is to make sure they are able to determine who and what can and cannot be trusted.

“Only by understanding how this system of digital trust that depends on keys and certificates was breached can we hope to secure the global banking system of the future,” he said.