The Top Threat Actors Targeting Financial Services Organizations

Last updated at Mon, 13 Feb 2023 15:25:21 GMT

“If you know the enemy and know yourself, you need not fear the result of a hundred battles." This is a quote from Sun Tzu's famous book, The Art of War. To defeat your enemy, you must know your enemy, and the same goes for the world of cybersecurity. The financial services industry is one of the most-attacked industries by cybercrime groups. These groups have varying capabilities, TTPs (tools, techniques, and procedures), modus operandi, and more. When attacking the financial sector, they focus on fraud, burglarizing ATMs, executing transactions through the SWIFT systems, and penetrating intranets of financial organizations through the use of banking malware.

Knowing your cyber adversaries can help you more effectively defend against their attacks. This post discusses the key motivations and supporters behind cybercrime groups and lists the top groups that target financial services organizations.

Cybercrime motivations

Every attack starts with a motive, and understanding your attacker's motive can help you strategically defend yourself.

Some hackers hack for financial profit or for information that is worth money. Some hack to satisfy their egos or gain peer recognition. Some hack alone, and some hack in groups. Many hackers, or more accurately “hacktivists,” join groups like Anonymous in order to demonstrate their dissatisfaction with powerful organizations, such as corporations and governments who fail to share their world views. These hackers don’t consider themselves to be bad actors. They see their activity in a positive light, viewing themselves as contributors to a greater body of knowledge and often hacking without a clear vision of the second-order effects of their actions.

Another category of hacker supports nation-state strategy by operating in the cyber domain. These hackers are difficult to categorize, since they may be directly employed by an arm of a national government or may be from an organized crime entity employed by a national government. Think of recent hacks like JP Morgan Chase, which was attributed to an undefined group in Russia. Understanding the motivation of hackers and the organizations whom they are associated with is essential to understanding their tactics.

It is valuable to explore nation-state and nation-state-sponsored APTs, because they generally have deep resources and their collective motivations run across the spectrum. Because nation-state APTs are funded extremely well relative to small groups and individuals, they can be particularly formidable adversaries for other countries and for commercial industries, regardless of vertical.

Nefarious nation-state-sponsored cyber activity can have devastating effects on a country’s national security and its economy. All nation-state groups are not created equal, and like individual hackers, each has a different motivation and level of cyber capability. As we look at the cyber terrain from a global perspective, we see several countries that surface in the media most often: China, North Korea, Russia, Iran, and the United States.

Top cybercrime groups targeting financial organizations

Money Taker

Country: Russia

Threat Level: High

Level of Sophistication: High; the group is known for their self-developed attacking tools, customization of public tools for their needs, tools for erasing footprints, and malware that will run even after rebooting.

Area of Operation: Worldwide

Typical Targets: Banks, financial services companies, supply chain (companies providing services and/or technology to financial companies)

Attributed Campaigns: More than 20 successful attacks on banks, financial institutions, and law firms in the USA, UK, and Russia

Carbanak

Also Known As: Annaunak, Anunak, Carbon Spider, FIN7, Navigator, TelePort Crew, Calcium

Country: Russia

Threat Level: High

Level of Sophistication: High; the group is considered to have a sub-state capability. The types of malware that the group uses provide a wide range of possibilities, including threat of authorizations, disabling AV tools, threat of credit card details and personal information, seizing control over R&D and more.

Areas of Operation: United States, Germany, Eastern Europe, Ukraine, China, Malaysia, Kuwait, and West Africa

Typical Targets: Banks, financial services companies, and e-commerce / retail corporations

Attributed Campaigns: More than 300 successful attacks on banks, financial institutions, and retailers. In addition, the attack on Oracle systems and the company support portal.

Cobalt

Also Known As: MetaStrike

Country: Russia

Threat Level: High

Level of Sophistication: High; sub-state capabilities, including detection and exploitation of vulnerabilities, and ongoing updating of the systems and targets they attack

Countries of Operation: Europe, Russia, Ukraine, Thailand, and Taiwan

Typical Targets: Banks

Attributed Campaigns: Theft of $9.7 M from the Russian MetallinvestBank, theft of $2.18 M from Taiwan banks, SWIFT attack on Russian banks; more than 200 other attacks on banks in Europe, Thailand, Turkey, and Taiwan

Lazarus Group

Also Known As: DarkSeoul, Silent Chollima, Hastati Group, Bureau 121, Unit 121, NewRomanic Cyber Army Team, Hidden Cobra

Country: North Korea

Threat Level: High

Level of Sophistication: High; the group has powerful capabilities, independently developed tools, leverages commercial tools, sophisticated modus operandi, capabilities evading cyber defense systems, three-tiered attack servers and encrypted communications.

Countries of Operation: Worldwide

Typical Targets: Banks, financial organizations, and governments

Attributed Campaigns: The attack on Sony Pictures, WannaCry ransomware attack on multiple organizations around the world, theft of $12 M from Banco del Austro in Ecuador, theft of $1 M from Tien Phong Bank in Vietnam – SWIFT attack, theft of $81 M from the Central Bank of Bangladesh, theft of $60 M from FEIB Bank in Taiwan, theft of $5 M from various banks in Nepal.

Conclusion and further reading

We hope this information helps you familiarize yourself with some of the key threat actors that may be targeting your organization. As we've mentioned above, knowing your adversary and their motivations can help you make the right strategic investments around tools and processes to effectively defend yourself.
Learn how Rapid7 can help protect your organization against threats lurking on the clear, deep, and dark web.