Back in 2011, a group of Iranian hackers launched a series of distributed denial-of-service (DDoS) attacks against nearly 50 U.S. financial institutions. The attacks were alarming enough on their own, knocking bank websites offline and preventing customers from reaching their online accounts. The situation became more troubling still when it emerged that the attacks were sponsored and directed by the Iranian government.
Since then, nation-state cyberattacks have remained a top concern for cybersecurity professionals. Countries like Russia, China, and North Korea have joined Iran in being held responsible for these advanced persistent threats, commonly referred to as APTs. In a PaymentsJournal podcast, Stephanie Schneider, Cyber Threat Intelligence Analyst at LastPass, spoke with Tracy Kitten, Director of Fraud and Security at Javelin Strategy & Research, about what financial institutions can do to combat these threats from rogue nations.
The Big Four
The four nations carrying out these attacks are playing the long game. They are patient, develop tools and tactics over years to achieve their objectives, and have what amounts to an open checkbook to fund their operations. They are also good at remaining undetected for as long as possible, which lets them continuously siphon information or maintain access for future operations.
Understanding these nations’ geopolitical context and their distinct motivations for engaging in cyberattacks is key.
The Chinese government, for example, conducts cyber activities to advance their national interests and economic position. They’re interested in obtaining intellectual property and data from private and public sectors to position themselves as an economic powerhouse. By actively infiltrating Western critical infrastructure, they’ve aimed to establish persistent access for potential disruption during future conflicts.
The Russian government conducts broad cyber espionage and uses it to suppress sociopolitical activity, as in its ongoing war in Ukraine. Its focus is on stealing information related to active conflicts in order to position itself as a great power rivaling the West and the U.S.
North Korea aims to collect intelligence, conduct disruptive attacks, and generate revenue. They continue to seek ways to get around their heavy economic sanctions to fund their weapons program.
Finally, the Iranian government has exercised increasingly sophisticated cyber capabilities to suppress sociopolitical activity. They also see themselves in competition with the West, specifically the U.S. Interestingly, Iran has also started to conduct more financially motivated attacks, like ransomware. Like North Korea, Iran is under tight sanctions and needs to generate revenue. But they’re also interested in creating chaos and disrupting their adversaries’ incident responses, as the 2011 attacks demonstrated.
“Iran’s attacks were a big wakeup call,” said Kitten. “That catapulted information-sharing among financial institutions. That helped to cement the fact that we need to be sharing threat intelligence and looking for indicators of compromise.”
The Nature of the Threat
There are three basic types of threats at play here. The first is financially motivated attacks, particularly as several of these countries look for ways around restrictive sanctions. As a result, they are targeting banks and trying to steal cryptocurrency. Financial espionage, the second, also offers an avenue for gaining political leverage.
“Think about the sensitive personal information that a bank has access to,” said Schneider. “They’re trying to erode customer trust in critical infrastructure, things that regular citizens depend on. If they can shake that trust, that can also be beneficial for them.”
Then there is hybrid or unrestricted warfare, the third. Attacks on critical infrastructure are increasing, not just against financial institutions but also against sectors like energy and water. These attacks are designed to disrupt operations, incite panic, and spread misinformation in the background of ongoing conflicts.
Security professionals are also growing more concerned about collaboration between these nation-states. China, for example, uses different techniques than Russia; if the two collaborate, it becomes harder to determine which one is behind a given intrusion.
“In the coming year, the discussions around threat intel—and especially around attributing indicators of compromise to specific threat actors—is going to become critically important,” said Schneider.
Tools of the Trade
Nation-states continue to invest in and develop their tools to make them harder to detect and defend against. They tend to use large language models (LLMs) like ChatGPT as support for their campaigns, for tasks such as reconnaissance and drafting lures, rather than to develop novel techniques.
But for the most part, they’re turning to the easiest way in, which tends to be social engineering and phishing. Humans remain the weakest link in security.
“We’ve seen time and time again these Russian APT groups using watering holes and conducting social engineering to get folks to click on links,” said Schneider. “It’s really basic stuff, but it’s effective.”
Criminals have also been creating synthetic identities, using them to set up bogus accounts and carry out attacks against financial institutions.
“The APT groups purchase bits and pieces of PII [Personally Identifiable Information] from multiple sources and then create a new identity,” said Kitten. “That’s been challenging for financial institutions to detect and track.”
Technology is moving toward realistic deepfakes built specifically for fraud and account takeover. As the financial sector adopts more voice verification, an attacker could take voice samples of an individual and drive a deepfake call with an LLM that has been fed the stolen credentials and biographical or personal information of that target. The result is a synthetic caller that can answer knowledge-based challenge questions in real time.
Taking Protection
What should organizations do to protect themselves from these threats? The first step is practicing good cyber hygiene.
“APTs have access to advanced tools and resources, but they will use the easiest method available so that they don’t burn those novel tools,” said Schneider. “Using a password manager, creating long complex passwords for each account, making sure that your systems are up to date—those types of things are really simple, but really important to get right.”
The entire organization should buy in to these efforts, from the CEO down, to provide investments in solutions that can be used across departments. Employee training and awareness is crucial to protecting against things like social engineering threats.
About half of the population is now using passkeys to mitigate cyber threats, according to some reporting. Passkeys let users log into a site or device with something like a fingerprint or PIN instead of a password. They are phishing-resistant because the credential is bound to the genuine site's domain and cannot be replayed on a look-alike, which takes the human judgment call out of the login, and, unlike a password, they cannot be shared or handed over to a fraudulent site.
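To show where that phishing resistance actually comes from, here is an added example (not code from the podcast, from LastPass, or from Javelin) of the relying-party checks a WebAuthn/FIDO2 server performs on a passkey assertion. The authenticator signs over the relying-party ID the browser derived from the page it is on, plus the browser-written clientDataJSON that records the real origin, so a look-alike domain is refused even when it relays the genuine challenge. The domain names, the challenge string and the toy authenticator are assumptions constructed for this example; in a real browser the passkey for bank.example would not even be offered on bank-example.com, and this is the backstop for anything that gets past that.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying-party (RP) settings for the genuine bank site. Hypothetical names.
const (
	rpID          = "bank.example"
	allowedOrigin = "https://bank.example"
)

// clientData mirrors the fields the browser writes into WebAuthn clientDataJSON.
// The page's script cannot change Origin; the browser fills in where the user really is.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticatorSign models what a passkey does during an assertion: it builds
// authenticatorData = SHA-256(rpID) || flags || counter and signs
// SHA-256(authenticatorData || SHA-256(clientDataJSON)) with the credential's private key.
// rpIDSeen is the ID the browser derived from the page's origin, not something the user types.
func authenticatorSign(key *ecdsa.PrivateKey, rpIDSeen string, clientDataJSON []byte, counter uint32) (authData, sig []byte, err error) {
	rpHash := sha256.Sum256([]byte(rpIDSeen))
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x01) // flags: bit 0 = user present (UP)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	authData = append(authData, ctr[:]...)
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, key, msg[:])
	return authData, sig, err
}

// verifyAssertion is the RP side. Each refusal names the failed check so the
// reason lands in the authentication log.
func verifyAssertion(pub *ecdsa.PublicKey, expectedChallenge string, lastCounter uint32,
	clientDataJSON, authData, sig []byte) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return 0, fmt.Errorf("bad clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return 0, fmt.Errorf("unexpected type %q", cd.Type)
	}
	if cd.Challenge != expectedChallenge {
		return 0, errors.New("challenge mismatch: not the challenge issued for this login")
	}
	// Origin binding is the phishing resistance: a look-alike domain shows up here
	// and is refused before any signature math happens.
	if cd.Origin != allowedOrigin {
		return 0, fmt.Errorf("origin %q is not the relying party's origin", cd.Origin)
	}
	if len(authData) < 37 {
		return 0, errors.New("authenticatorData too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(authData[:32], want[:]) {
		return 0, errors.New("rpIdHash mismatch: signed for a different relying party")
	}
	if authData[32]&0x01 == 0 {
		return 0, errors.New("user-presence flag not set")
	}
	// Strictly increasing counter; a replayed or cloned credential stalls here.
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter <= lastCounter {
		return 0, errors.New("signature counter did not increase: possible cloned credential")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], sig) {
		return 0, errors.New("signature does not verify")
	}
	return counter, nil
}

func mustJSON(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// demo runs three assertions against one registered passkey and returns the verdicts:
// a genuine login, a login relayed through a look-alike domain, and an
// adversary-in-the-middle splice that pairs the genuine clientDataJSON with the
// signature the authenticator produced on the look-alike.
func demo() (genuineErr, lookalikeErr, spliceErr error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	const challenge = "Q29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; real RPs issue fresh random bytes per login

	genuine := mustJSON(clientData{Type: "webauthn.get", Challenge: challenge, Origin: allowedOrigin})
	ad1, sig1, _ := authenticatorSign(key, rpID, genuine, 1)
	_, genuineErr = verifyAssertion(&key.PublicKey, challenge, 0, genuine, ad1, sig1)

	// Victim is on https://bank-example.com, which relays the real challenge. The browser
	// stamps that origin and rpID into what gets signed; the user never sees a difference.
	phish := mustJSON(clientData{Type: "webauthn.get", Challenge: challenge, Origin: "https://bank-example.com"})
	ad2, sig2, _ := authenticatorSign(key, "bank-example.com", phish, 2)
	_, lookalikeErr = verifyAssertion(&key.PublicKey, challenge, 1, phish, ad2, sig2)

	// The proxy swaps in clientDataJSON carrying the right origin: that clears the origin
	// check, but the rpIdHash and signature no longer match what the passkey signed.
	_, spliceErr = verifyAssertion(&key.PublicKey, challenge, 1, genuine, ad2, sig2)
	return
}

func main() {
	g, l, s := demo()
	fmt.Println("genuine login:  ", g)
	fmt.Println("look-alike site:", l)
	fmt.Println("spliced request:", s)
}
```

Running it prints nil for the genuine login and a named refusal for the other two. The contrast with a password or a one-time code is the point: those are plain strings the user can be talked into typing on the wrong site, whereas nothing the user does can change the origin or rpID that end up under the passkey's signature.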
Finally, organizations should consider setting up an advanced threat detection program, including threat intelligence.
“I would encourage financial institutions, especially smaller ones, to ensure that they’re working with third-party vendors who are trusted, experienced partners,” said Kitten. “Make sure they’re asking the right questions and thinking five years out about what this solution is going to look like.”
Schneider added: “If we’re aware of who is interested in targeting us, and staying up to date on the latest tactics, techniques and indicators of compromise, we will be in a much better position to defend against those threats.”