As tensions continue to mount in the Persian Gulf, bank security officials in the U.S. and elsewhere are keeping a wary eye on Iran, which has waged a series of cyberattacks against American business interests. And if you think that has nothing to do with the small-town bank on the corner, guess again.
It boils down to this: While others obsess about Iran restarting its nuclear program, cybercriminals under the nation’s banner have quietly waged war on the digital front, with financial institutions in the line of fire.
Armed with ‘wiper’ blades
Since 2011, Iran has directed cyberattacks against dozens of U.S. banks, causing millions of dollars in lost business, according to the Committee on Foreign Relations. More recently, Iranian hackers stole at least 31 terabytes of documents and data from U.S. academic institutions, businesses and government agencies, a theft that totaled $3.4 billion. Given the scale of Iran’s hard currency needs, it might seek help from other capable countries or criminal groups to conduct new attacks that evade sanctions.
The concern is so high that on June 22, the Department of Homeland Security issued a warning about Iranian hackers.
The department’s cybersecurity arm “is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” the statement said. Yes, the Iranian regime actors are out to steal data and money. But they’re also after much more through “wiper attacks.”
Wipers are a dangerous type of malware. Its names come straight from a Marvel Comics rogues gallery: Shamoon, Black Energy, Destover, ExPetr/Not Petya and Olympic Destroyer. What do these wipers want from your bank’s digital vaults? Nothing less than total annihilation.
“These efforts are often enabled through common tactics like spear phishing, password spraying and credential stuffing,” the DHS wrote. “What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
Financial industry leaders point to strong precedents for their concerns about Iranian cyberattacks.
Three years ago, a grand jury in the Southern District of New York indicted seven Iranian individuals on computer hacking charges related to their involvement in an extensive, 176-day campaign of distributed denial of service (DDoS) attacks against the financial sector, according to the U.S. Department of Justice. The indictment claims they worked for two Iran-based computer companies that performed work for the Iranian government and military.
The seven—all but two in their 20s, and sporting hacker nicknames such as “Nitr0jen26”—launched DDoS attacks against 46 victims, primarily in the U.S financial sector, between late 2011 and mid-2013, according to the DOJ. The attacks disabled bank websites, prevented customers from accessing their accounts online and collectively cost the victims tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers.
‘More interested in disabling our financial systems’
Increasingly, attackers aim to take down the larger financial services network as well as steal money, said R.J. Burney , a cybersecurity expert with SecureSet who has worked with the military, government agencies and Fortune 500 companies.
“Iran has a sophisticated cyberattack force that is constantly evolving,” Burney says. “Though it has previously impacted banks using distributed denial of service attacks, they are moving quickly to create malware designed to disrupt the financial sector in a more significant way. From current research we see indicators that they are less interested in stealing money and more interested in disabling our financial systems.”
Ofer Israeli, founder and CEO of Illusive Networks, notes that the typical financial industry cybersecurity response—in fact, a response repeated in the latest government warnings on Iran—involves patching systems and educating users to avoid phishing attempts, which will help remove the more obvious vulnerabilities.
But today’s attackers don’t limit themselves to known flaws, he notes.
They can strike with a low and slow, targeted attack that conquers firewall, segmentation, micro-segmentation and identity management controls, Israeli says. The information is all available on the endpoints, and the action surrounding it appears perfectly normal—thus anomaly detection becomes irrelevant.
“Each endpoint provides different opportunities,” he says, “and the attacker will consume this information to make accurate decisions.”
Deception is the best medicine
Rather than fumble through the same game of cat and mouse, many financial institutions have now deployed deception technology that allows defenders to turn the tables on the attacker.
This technology offers several advantages. It can:
find and remove credible information attackers use to survey the environment, escalate privileges, identify targets and execute lateral movement
map and remediate pathways an attacker might take to reach specific targets
Surround attackers with misinformation that destroys their ability to perform reconnaissance, make decisions and act
set decision traps in every direction, leaving attackers no choice but to instantly reveal themselves by their specific actions
provide defenders with forensic data and timelines gathered from the source location of the attack, at the earliest point in the attack cycle
allow defenders, if they so choose, to interact with the attacker in a controlled, research-focused environment.
“With deception,” Israeli said, “the defender in back in charge, and the tables are turned. One wrong move by the attacker, and the attack is thwarted before they can reach their tended targets.”
And if you’re an Iranian hacker, that’s very bad news—depressing enough, in fact, to suck all the Nitr0jens out of the room.
Howard Altmanoversees coverage of issues affecting troops and their families as managing editor of Military Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and the Tampa Bay Times.
In this month’s BAI Executive Report, we examine where things stand with fraud protection and how it can be done more efficiently and effectively, including looking at the role of both humans and technology in fraud prevention strategies. Download Now...
Compliance training and professional development courses that are efficient, effective and on-point. Give your people the latest industry-approved tools they need to improve performance, reduce operational risk and better serve your customers.