On April 1st, President Barack Obama declared that cyber-attacks constitute a national emergency and issued an executive order sanctioning the finances of foreign-based digital intruders.
The president’s announcement was no April Fool’s Day joke. Cybercrime caused $445 billion in damages globally last year, according to a report by the Center for Strategic and International Studies, a Washington-based think tank. A Hewlett Packard-sponsored study found that the financial sector suffered the 2nd highest annual cybercrime cost behind energy & utilities.
The average financial institution incurs an annualized cyber attack expense of $13 million. The most prevalent types of cyberattacks include viruses and worms, followed by malware, botnets, web-based attacks and phishing schemes, respectively, said the study. The primary actors targeting the financial services industry are often hackers connected to crime syndicates in former Soviet Bloc countries, according to cyber security experts.
As cybercrime emerges as a dominant news headline, financial firms have become especially vulnerable to scandal. 80% of banking CEOs consider cyber attacks to be the biggest threats to their companies’ growth prospects. For an industry who’s business model hinges on the mantra of “trust,” safeguarding client account data is a matter of life and death.
At Wealth Management Today, we have assembled a guide to the five biggest cyber security failures to rock the financial services industry. Our hope is that the mistakes of the past can instruct today’s financial professionals to avoid similar blunders in the future.
The threat of malicious insiders is often overlooked in the media narrative of cybercrime. However, the antics of a Morgan Stanley financial advisor last year serve to remind us all that an organization’s greatest threat often comes from within.
The advisor, Galen Marsh, decided to download information from 350,000 wealth management client accounts from Morgan Stanley’s secure systems to his unsecured, personal laptop. Sometime later, his laptop was infiltrated by overseas hackers who took the data and attempted to sell it along with millions of other financial account records they had stolen.
The hackers posted an advertisement offering to sell the data on a document sharing site called Pastebin in December 2014. Two weeks later, they posted a sample of data from around 1,200 Morgan Stanley accounts. It was at this point that the bank recognized the breach and took action to repair the damage.
The incident came in fifth on our list of cyber security failures and is a wake-up call for financial firms everywhere.
Institutions need to implement tight data permissions that prevent employees from moving data outside of the corporate network. Also, firms need to adopt better network sensors and graph analytics applications to identify malicious insiders once they start to break bad.
Formerly identified as the highest-volume cyber attack in history, unidentified hackers launched a sweeping assault in 2012, which crashed the websites of Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC.
In these denial-of-service (DOS) attacks, hackers take remote control of hundreds or thousands of computers, referred to as ‘zombies’, which they then use to send massive amounts of traffic to unsuspecting websites.
This traffic overwhelms the routers, firewalls, and web servers that regulate companies’ network operations causing their websites to perform sluggishly or crash completely.
Dmitri Alperovitch, co-founder of CrowdStrike, a cybersecurity firm, told CNN the bank attack was “10 to 20 times the volume of data that we normally see, and twice the previous record for a denial of service attack.” Although no data was stolen, the business disruption translates into the biggest revenue loss for financial institutions.
The Islamist group Izz ad-Din al-Qassam Cyber Fighters initially claimed responsibility, but investigators expressed serious doubts about their ability to coordinate such a sophisticated series of attacks. Former U.S. Senator Joe Lieberman accused Iran of masterminding the sabotage.
3. Russian Hackers Sneak a ‘Cyber Bomb’ into NASDAQ
This money in perpetual motion makes the exchange a high-value target for hackers and justifies NASDAQ’s $10 mm-plus annual budget for cybersecurity.
Unfortunately, NASDAQ’s IT spend was not enough to prevent a group of suspected Russian hackers from installing the equivalent of a ‘cyber bomb’ into the main servers that control the exchange. The Federal Bureau of Investigation discovered the breach in October of 2010 when one of their monitoring systems discovered the malware (malicious software code) transmitting encrypted messages back to hackers in Russia.
The code had the potential to sabotage trading on the exchange, wreaking untold havoc to investors world-wide. To infiltrate the system, hackers installed two so-called ‘zero day exploits,’ attacks that take advantage of previously unknown software vulnerabilities.
Zero-day exploits are often sold on the Darknet, the digital black market, for sums ranging from the thousands to the low millions of dollars, depending on their level of sophistication. The use of two zero day exploits together suggests the attackers were working with a well-funded entity such as a nation-state. This bolsters the conclusion by the FBI that the Kremlin engineered the assault.
Analysts from the National Security Agency (NSA) found distinct similarities between the malicious software implanted in the NASDAQ and a program written by Russia’s Federal Security Service (FSB), the successor to the KGB.
The most disturbing aspect of the breach was the malware’s attack component, which is specifically designed to crash network operations. Although, no specific accusations were made officially, Bloomberg reported that investigators assumed Russian involvement in the crime. But, they ultimately determined that the Russian intent was to “clone” the exchange, not destroy it.
2. JP Morgan Chase Raided by Russian Hackers
In October 2014, JPMorgan Chase disclosed that cyber thieves had stolen account data for 76 million individuals and 7 million small businesses. Although the hackers only stole customer-contact information, the breach was still a major embarrassment for the bank, which spends about $250 million a year on cybersecurity. Suspicion initially fell on Russian hackers believed to be working for the Kremlin. But, by mid-October, investigators dismissed any connections to the Russian government.
The forensics investigation revealed that the intruders were able to penetrate the bank’s network by hijacking the login credentials of a JPMorgan employee, according to The New York Times. And the entire disaster could have been avoided had the bank been careful to upgrade all of their servers. The bank’s IT staff neglected one server, failing to update it with two-factor authentication, which creates multiple layers of passwords that together are more difficult to crack.
This single-point-of-failure created the perfect weakness for the hackers to exploit. Security analysts speculate that the unsecured server was part of a company that the bank had recently acquired. This theory should galvanize all firms active in the M&A space to chart a new course. When considering future acquisitions, network security needs to be at the top of parent companies’ and transaction advisors’ due diligence checklists.
In February of 2015, Russian cybersecurity firm Kapersky Lab announced that they had uncovered a cybercrime scheme involving a group of hackers who stole an estimated $1 billion from banks in China, Europe, England, Japan, the United States and 25 other countries.
The attackers, referred to as the ‘Carbanak Gang’, were a multinational group made up of individuals from Europe, Russia, Ukraine and China. They installed their hacking software by gaining control of an employee’s computer using a technique known as ‘spearfishing’. This involves sending an email that appears to be from a person the target knows, making them more likely to open the message and access the infected attachment or link.
The syndicate infected more than 100 financial institutions around the world to execute their thefts, according to The Telegraph. Software deployed by the gang was so advanced that it enabled the thieves to access internal video feeds that monitored office spaces thought to be secure. Their surveillance activities provided the gang with the data they needed in order to impersonate bank personnel and transfer the money into dummy accounts.
The Tao of Damage Control
Looking forward, the financial services industry must be vigilante in the face of increasingly hostile cyber threats. The hacking risk has reached critical mass to the extent that leading cybersecurity experts openly admit that cyber breaches are inevitable. And if it’s impossible to keep the villains out of company networks, organizations must prioritize remediation and response capacities in their counter-cyber arsenals. The most realistic and cost-effective strategy for firms is to identify the breach quickly, respond immediately and contain the unpreventable.