The Top Threat Actors Targeting Financial Services Organizations

“If you know the enemy and know yourself, you need not fear the result of a hundred battles." This is quote from Sun Tzu's famous book, The Art of War. To defeat your enemy, you must know your enemy, and the same goes for the world of cyber security. The financial services industry is the most-attacked industry by cybercrime groups. These groups have varying capabilities, TTP’s (Tools, Techniques & Procedures), modus operandi and more. When attacking the financial sector, they focus on fraud, burglarizing ATMs, executing transactions through the SWIFT systems and penetrating intranets of financial organizations through the use of banking malware.

Knowing your cyber-adversaries can help you more effectively defend against their attacks. This post discusses the key motivations and supporters behind cybercrime groups, and lists the top groups that target financial services organizations.

Cybercrime Motivations

Every attack starts with a motive, and understanding your attacker's motive can help you strategically defend yourself. Some hackers hack for financial profit or for information that is worth money. Some hack to satisfy their egos or gain peer recognition. Some hack alone, and some hack in groups. But many hackers, or more accurately “hacktivists,” join groups like Anonymous in order to demonstrate their dissatisfaction with powerful organizations, such as corporations and governments who fail to share their world views. These hackers don’t consider themselves to be bad actors. They see their activity in a positive light, viewing themselves as contributors to a greater body of knowledge, and often hacking without a clear vision of the second-order effects of their actions.

Nation-State Attackers

Another category of hacker supports nation-state strategy by operating in the cyber domain. These hackers are difficult to categorize, since they may be directly employed by an arm of a national government or may be from an organized crime entity employed by a national government. Think of recent hacks like JP Morgan Chase, which was attributed to an undefined group in Russia. Understanding the motivation of hackers and the organizations whom they are associated with is essential to understanding their tactics.

Knowing one’s enemy is a fundamental concept in kinetic warfare and is equally important, albeit more difficult, in the cyber environment.

It is valuable to explore nation-state, and nation-state-sponsored APTs, because they generally have deep resources and their collective motivations run across the spectrum. Because nation-state APTs are funded extremely well relative to small groups and individuals, they can be particularly formidable adversaries for other countries and for commercial industries, regardless of vertical. In short, nefarious nation-state-sponsored cyber activity can have devastating effects on a country’s national security and its economy. All nation-state groups are not created equal, and like individual hackers, each has a different motivation and level of cyber capability. As we look at the cyber terrain from a global perspective, we see several countries that surface in the media most often: China, North Korea, Russia, Iran and the US.

Top Cybercrime Groups Targeting Financial Organizations

Money Taker
  • Country: Russia
  • Threat Level: High
  • Level of Sophistication: High, the group is known for their self-developed attacking tools, customization of public tools for their needs, tools for erasing footprints, and malware that will run even after rebooting.
  • Countries of Operation: Worldwide
  • Typical Targets: Banks, financial services companies, supply chain (companies providing services and/or technology to financial companies)
  • Attacking Tools
    • MoneyTaker – for altering the details of accounts that are about to receive a money transfer
    • Metasploit and powershell – for hacking, gaining control and stealing authorizations
    • Screenshotter / Keyloggers – for recording keystrokes and screenshots
    • LogmeIn Hamachi, UltraVNC, Plink and NirCmd – for gaining remote control and executing orders. The latter tool also enables deleting values and keys from the registry, establishes communications with a VPN, alters files, alters computer definitions, etc.
    • ASLRSideChannelattack – for stealing highly classified authorizations
    • Mimikatz – for stealing identification details (usernames and passwords)
    • PsExec–forrunningprocesseslocallythroughRDP/SMB/RPCprotocols
    • Banking Trojans – Citadel and Kronos
  • Attributed Campaigns: More than 20 successful attacks on banks, financial institutions and law firms in the USA, UK, and Russia.
  • Also Known As: Annaunak, Anunak, Carbon Spider, FIN7, Navigator, TelePort Crew, Calcium
  • Country: Russia
  • Threat Level: High
  • Level of Sophistication: High, the group is considered to have a sub-state capability. The types of malware that the group uses provide a wide range of possibilities, including threat of authorizations, disabling AV tools, threat of credit cards details and personal information, seizing control over R&D and more.
  • Countries of Operation: USA, Germany, Eastern Europe, Ukraine, China, Malaysia, Kuwait and West Africa
  • Typical Targets: Banks, financial services companies and e-commerce / retail corporations
  • Attacking Tools
    • Carbanak – self-developed backdoor
    • Designated malware, such as Zeus
    • Backdoor of the Anunak group signed by a Comodo SSL certification
    • VBScript land PowerShell script files
    • Metasploit, PsExec, Mimikatz, FreeRDP, NCat, NPing
    • NetScan, Backdoor Batel
    • MBR Rraser – for erasing footprints
    • Soft Perfect Network Scanner – for Lan Scans
    • SSHD backdoor – for stealing passwords and gaining remote access
    • Ammyy admin remote administration tool and team viewer – for gaining remote access
    • Andromeda – botnet for lateral infection
    • Bateleur – for stealing financial information
  • Attributed Campaigns: More than 300 successful attacks on banks, financial institutions and retailers. In addition, the attack on Oracle systems and the company support portal.
  • Also Known As: MetaStrike
  • Country: Russia
  • Threat Level: High
  • Level of Sophistication: High, sub-state capabilities, including detection and exploitation of vulnerabilities, and ongoing updating of the systems and targets they attack.
  • Countries of Operation: Europe, Russia, Ukraine, Thailand and Taiwan
  • Typical Targets: Banks
  • Attacking Tools
    • Buhtrap worm
    • Cobalt strike and Metasploit
    • Mimikatz
    • LightManager tool for enabling remote access to computers
    • Team viewer
    • Guide – legitimate document creation software that enables hackers to install and load their main module
    • SDelete – tool for irretrievable file deletions
  • Attributed Campaigns
    • Theft of $9.7 M from the Russian MetakkinvestBank
    • ATM’s theft of $2.18 M from Taiwan banks
    • SWIFT attack on Russian banks
    • More than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan
Lazarus Group
  • Also Known As: DarkSeoul, Silent Chollima, Hastati Group, Bureau 121, Unit 121, NewRomanic Cyber Army Team, Hidden Cobra
  • Country: North Korea
  • Threat Level: High
  • Level of Sophistication: High, the group has powerful capabilities, independently developed tools, leverages commercial tools, sophisticated modus operandi, capabilities evading cyber defense systems, three-tiered attack servers and encrypted communications.
  • Countries of Operation: Worldwide
  • Typical Targets: Banks, financial organizations and governments
  • Attacking Tools
    • Banswift – Malware used to steal information
    • Solarbot – botnet used to steal personal details from online forms
    • Ratankba / QuickRide – tool for collecting information from a computer, it also can download and upload executable files
    • Enigma Protector – tool used to protect executable files
    • SilverLight – tool used to exploit vulnerabilities in Flash
    • Recon – scanning tool used to identify systems of interest
  • Attributed Campaigns
    • The attack on sony Pictures
    • WannaCry ransomware attack on multiple organizations around the world • Theft of $12 M from Banco del Austro in Ecuador
    • Theft of $1 M from Tien Phong Bank in Vietnam – SWIFT attack
    • Theft of $81 M from the Central Bank of Bangladesh
    • Theft of $60 M from FEIB Bank in Taiwan
    • Theft of $5 M from various banks in Nepal

Conclusion & Further Reading

We hope this information helps you familiarize yourself with some of the key threat actors that may be targeting your organization. As we've mentioned above, knowing your adversary and their motivations can help you make the right strategic investments around tools and process to effectively defend yourself.

To read further on threat actors and key trends facing the financial services industry, you can download our industry report.

Download Now

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.