Quantum Dawn: How financial institutions are wargaming cyberattacks

For the past decade, financial institutions have gathered to simulate the outcome of a cyberattack. It’s more important than ever for banks to be prepared, and Quantum Dawn, a bi-annual event for financial institutions, gives them a chance to practice their responses to various cyber threats.

It’s the nightmare that makes financial institutions’ chief information security officers wake up in cold sweats – a coordinated ransomware attack that brings down the entire global financial system.

That was the scenario gamed out at the Securities Industry and Financial Markets Association’s (SIFMA) Quantum Dawn VI exercise last November. Some 240 public and private institutions from 20 different countries attended, including commercial banks, central banks, regulators, and law enforcement agencies.

It’s a huge increase from the 50 organizations that took part in the first exercise back in 2011, which gamed out how financial institutions would respond to a cyberattack that coincided with armed attackers trying to force their way into the New York Stock Exchange.

During the November ransomware exercise, participants sat in their own locations and used real-world communications systems, such as email and phone, to coordinate their responses to the mock attack.

“They try to make the simulation as real as possible,” says Gerald Glombicki, an analyst at credit rating agency Fitch Ratings.

Cross-industry collaboration

The need for cross-industry collaboration on cyber risk has become ever more urgent over the past decade. Historically, banks and other financial institutions may have been reluctant to share details about their cybersecurity systems and strategies because it was seen as a potential competitive advantage. Now, they recognize that there is no point in having the best cyber defenses if the rest of the financial system collapses around you.

“If you think about one of the large, commercial consumer banks going down and people not being able to access their funds, the disruption and economic trauma that would follow from that is so impactful, both to individual nation states and also more globally, that it is important that the industry is pulling together in a coordinated way,” says Kelly Hagedorn, a partner at law firm Orrick. “It is not possible to view any given institution in isolation.”

While coordinated cross-industry cyber response simulations can help institutions to learn more about their systems and their weaknesses, they can also help banks to prepare ways to communicate with each other if there is a communications blackout.

“If Bank A is attacked, Bank B needs to know – but how do they coordinate if Bank A’s phones and emails are down?” says Glombicki. “If Bank B suddenly gets a random email or text message claiming to be someone from Bank A, how do they know it’s true? That might look like it could be a social engineering attack, so perhaps they ignore it. That’s why it is important to have back-channel communications set up in advance because then if they receive a message like that, they know it is a legitimate cyber incident.”
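The problem Glombicki describes, a receiving bank having no way to tell a genuine out-of-band incident notice from a social-engineering attempt, is the kind of thing a pre-agreed back channel solves. The example below is added here for illustration and is not code from the article, SIFMA, or any participating institution; it assumes, as a stand-in for whatever mechanism two firms actually agree on, a key shared in advance between Bank A and Bank B, used to attach an HMAC-SHA256 tag to each notice so the receiver can check authenticity, freshness and replay before acting on it. The key value, the message fields and the time window are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder: in practice this key would be exchanged in advance
# over a trusted channel (for instance during a joint exercise) and stored in
# each firm's secrets manager, never sent alongside the notice itself.
PRESHARED_KEY = b"placeholder-key-exchanged-in-advance-between-bank-a-and-b"


def _canonical(body: dict) -> bytes:
    # Stable serialisation so sender and receiver MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_notice(key: bytes, sender: str, incident: str, issued_at: int) -> dict:
    """Build an incident notice and attach an HMAC-SHA256 tag over its fields."""
    body = {"sender": sender, "incident": incident, "issued_at": issued_at}
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def verify_notice(key: bytes, notice: dict, now: int, seen=None, max_age: int = 600):
    """Return (ok, reason).

    Rejects notices with a missing or wrong tag, notices outside the freshness
    window (stale or future-dated), and, when a `seen` set is supplied, any tag
    that has already been accepted once (replay).
    """
    tag = notice.get("tag")
    if not isinstance(tag, str):
        return False, "missing tag"
    body = {k: v for k, v in notice.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, tag):
        return False, "tag mismatch"
    issued = body.get("issued_at")
    if not isinstance(issued, int):
        return False, "missing timestamp"
    age = now - issued
    if age < 0 or age > max_age:
        return False, "stale or future-dated"
    if seen is not None:
        if tag in seen:
            return False, "replayed tag"
        seen.add(tag)
    return True, "authentic"


if __name__ == "__main__":
    # Bank A signs a notice; Bank B checks it, then sees the same notice again.
    accepted = set()
    notice = sign_notice(PRESHARED_KEY, "Bank A", "ransomware on payment hub", 1_700_000_000)
    print(verify_notice(PRESHARED_KEY, notice, now=1_700_000_100, seen=accepted))
    print(verify_notice(PRESHARED_KEY, notice, now=1_700_000_100, seen=accepted))
```

The receiver keys its decision on the tag, not on the sender name or the address the message arrived from, which is exactly what an impersonator can fake. Keeping the check order tag, then freshness, then replay means an attacker without the key never influences the replay set.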


Regulatory involvement is also essential to cross-industry collaboration on cybersecurity to avoid any potential legal issues related to anti-competitive practices, says Hagedorn. “You obviously have to be very careful as a commercial enterprise talking to your competitors about things that might give them a competitive advantage,” she said. “But if you’re working with your regulators, and your regulators are imposing X, Y, and Z on you as a way to improve the system as a whole, that doesn’t contravene any antitrust or competition laws.”

As well as the changing nature of cybersecurity collaboration, risks have also evolved significantly over the past decade. What originally was mainly cyberattacks directed at customers, such as phishing scams, are now accompanied by more targeted and prolonged attacks against financial institutions that aim to disrupt their operations, says Fabio Assolini, a senior security researcher at cybersecurity firm Kaspersky.

Ransomware attacks have also become more prevalent and evolved from a single ransom, when a business has to pay to regain control of its data, to double and triple extortion efforts in which hackers threaten to disseminate stolen data and then seek ransoms from individuals whose data has been compromised, says Glombicki.

Cyber criminals are also increasingly targeting banks in other ways, such as through ATMs and point-of-sale systems. Two families of ATM malware known as Tyupkin and Ploutus, for example, allowed cyber criminals to empty cash machines using just a keyboard and an activation code as far back as 2014.

“Tyupkin and Ploutus were both a watershed, showing how easy it is to infect an ATM and jackpot it,” says Assolini.

A new philosophy on risks

The sheer volume of threats means financial institutions have been forced to change their philosophy around managing cyber risk.

“It used to be more what I call the castle and moat theory – we have a castle and we’re just going to build a moat around it,” says Glombicki. “Then it became we’re going to build a bigger and deeper moat. But now it’s transitioned to an assumption that there has been a breach and that things are bad, so how do we isolate it and how do we try to minimize the blast radius.”

Those threats are coming from a range of perpetrators, from lone hackers working from their parents’ basements to organized criminal gangs and nation states. The Lazarus Group, for example, is a North Korean state-sponsored cyber gang that rose to prominence in 2016 when it almost pulled off a near-$1bn cyber heist from Bangladesh Bank using the SWIFT messaging system.

Cyberattacks are also becoming increasingly global in nature.


“One of the most common cybersecurity mistakes is to focus on one area of the world,” says Assolini. “Nowadays a coder living in Asia can create a new hacking tool, which will be used by a Latin American cybercriminal to attack a bank on US soil. The cybercrime landscape is well connected, sharing tools and techniques worldwide. It’s very common to see an attack starting in one area of the world and spreading geographically later on, to target other victims.”

Cybercriminal gangs in Eastern Europe and Latin America in particular are known to offer their services to anyone willing to pay, says Assolini.

In March, US president Joe Biden warned Western organizations to be extra vigilant for increased cyberattacks from Russia as the country retaliates against sanctions imposed following its invasion of Ukraine. Yet for financial institutions, such warnings should make little difference to their cybersecurity preparedness.

However, according to the Wall Street Journal, Steve Silberstein, the chief executive of the non-profit Financial Services Information Sharing and Analysis Center (FS-ISAC), told the House Homeland Security Committee in April that financial institutions hadn’t at that point seen a marked increase in cyberattacks from Russian sources since the start of the conflict in Ukraine. “Outside of the conflict zone, we are not seeing any significant uptick in attacks attributable to any specific geography or threat actor,” he said.

He told the Congressional hearing that the FS-ISAC’s threat level was at “elevated”, meaning that banks and other financial firms were taking extra security measures due to the geopolitical climate.

The cybersecurity playbook

“Banks should be doing this every day – they should always be on high alert,” says Glombicki. “It’s not that they increase security because something is happening and at other times they will lower their defenses, that’s not how cybersecurity works. The fact that there’s geopolitical tension, that should already be factored into your baseline cyber assumption so your playbook should not change. If it does, that means you’re a little bit behind in your cyber maturity.”

That playbook should also be the same no matter who is trying to hack into their systems.

“It doesn’t matter whether it’s Russia, China, North Korea, or, indeed, Mr. Cybercriminal two doors down from me in South London – you still don’t want them in your system,” says Hagedorn. “They might have different objectives if they get into the system, but you’re still essentially operating in the same way to try to keep them out.”

SIFMA’s recommendations to the financial services sector after the Quantum Dawn VI exercise were:

  • Make critical investments in capabilities: Institutions should continue to invest in robust ransomware recovery and cyber, business continuity and information technology incident response plans and strengthen these plans based on frequent exercises and tests;
  • Create alternate communication channels for worst-case scenarios: In the event a regulatory authority is impacted by a ransomware event and goes offline, firms should have processes in place to use alternate communications channels;
  • Beware, ransom payments may not lead to data recovery: SIFMA does not recommend paying a ransom. Executives need to carefully consider the realities of taking such actions, including the possibility that they still may not recover stolen data;
  • Join the global directory of critical stakeholders: Financial firms are strongly encouraged to join SIFMA’s Global Directory of critical stakeholders. This directory was created to identify critical public and private sector organizations and key contacts that play a role in crisis management and global information sharing;
  • Follow best practices:
    • Validate that critical infrastructure assets are not exposed to the public internet;
    • Institute controls such as self-service password management requiring a second factor to avoid being socially engineered;
    • Require multi-factor authentication everywhere;
    • Deploy modern-day Identity Governance and Administration systems to detect backdoor accounts;
    • Use a privileged account management system to check in-and-out access to accounts or deploy even more advanced defenses for critical admin-level accounts;
    • Isolate and disconnect infected machines immediately;
    • Develop proactive threat hunting capabilities.
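Two of the best practices above, validating that critical assets are not exposed to the public internet and detecting backdoor accounts, are checks a firm can run continuously against its own inventory rather than only during an exercise. The script below is an added illustration, not code from SIFMA or the article; it works over a constructed asset list and account list with placeholder names and addresses. It uses Python’s standard `ipaddress` module so that the “exposed” test handles the reserved ranges correctly (RFC 1918 space, carrier-grade NAT space, the documentation ranges and IPv6 all count as not globally routable), and it flags any directory account that is neither on the authoritative staff roster nor on the approved service-account list.

```python
import ipaddress

# Constructed sample inventory. Names are placeholders; the one globally
# routable address is a well-known public resolver used purely as a stand-in.
ASSETS = [
    {"name": "core-ledger-db", "critical": True, "address": "10.20.0.15"},   # RFC 1918
    {"name": "customer-api-gw", "critical": True, "address": "8.8.8.8"},     # stand-in public address
    {"name": "jump-host", "critical": True, "address": "100.64.3.7"},        # CGNAT space (RFC 6598)
    {"name": "batch-ipv6", "critical": True, "address": "2001:db8::1"},      # IPv6 documentation range
    {"name": "marketing-web", "critical": False, "address": "203.0.113.9"},  # TEST-NET-3, non-critical
    {"name": "legacy-hsm", "critical": True, "address": "not-an-ip"},        # bad inventory data
]

# Constructed directory export alongside the authoritative sources it should
# reconcile against (HR roster for people, a reviewed list for service accounts).
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "admin": False},
    {"user": "bob", "admin": True},
    {"user": "svc-backup", "admin": True},
    {"user": "support2", "admin": True},
]
HR_ROSTER = {"alice", "bob"}
APPROVED_SERVICE_ACCOUNTS = {"svc-backup"}


def exposed_critical_assets(assets):
    """Return (name, reason) for critical assets that are globally routable.

    Unparseable addresses are reported too: an inventory row you cannot
    evaluate is itself a finding, not a pass.
    """
    findings = []
    for asset in assets:
        if not asset["critical"]:
            continue
        try:
            ip = ipaddress.ip_address(asset["address"])
        except ValueError:
            findings.append((asset["name"], "unparseable address"))
            continue
        # is_global is False for private, link-local, loopback, CGNAT,
        # documentation and other reserved ranges, for both IPv4 and IPv6.
        if ip.is_global:
            findings.append((asset["name"], "globally routable"))
    return findings


def unexplained_accounts(accounts, roster, service_accounts):
    """Return (user, is_admin) for accounts with no authoritative owner.

    An account that exists in the directory but in neither source of truth is
    the signature of a backdoor or a leftover from a departed employee.
    """
    return sorted(
        (a["user"], a["admin"])
        for a in accounts
        if a["user"] not in roster and a["user"] not in service_accounts
    )


def audit(assets, accounts, roster, service_accounts):
    """Combine both checks into one report suitable for a daily control run."""
    return {
        "exposed_assets": exposed_critical_assets(assets),
        "unexplained_accounts": unexplained_accounts(accounts, roster, service_accounts),
    }


if __name__ == "__main__":
    for section, rows in audit(ASSETS, DIRECTORY_ACCOUNTS, HR_ROSTER, APPROVED_SERVICE_ACCOUNTS).items():
        print(section)
        for row in rows:
            print("  ", row)
```

In a real deployment the constructed lists would be replaced by exports from the asset inventory, the directory and HR, and an unexplained admin account would be routed to the privileged-access team rather than just printed.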