Latest Cyber Attack on Banks: Critical Heist or Just Hype?

Opinions differ on whether the latest cyberattack is as critical as it is being touted.

Bill Nelson, CEO of FS ISAC, says the latest reported cyberattack isn't as severe, or unusual, as it's being made out to be.

The premise almost seemed like something out of a movie. A group of cybercriminals from Russia, Europe and China spend nearly two years methodically stealing up to $1 billion from banks on six continents via malware. The GDP of a small country was stolen without the donning of a ski mask or toting of a gun.

The New York Times' front-page story about the attacks, based on a new report from Russian security vendor Kaspersky Lab fingering a group known as the Carbanak cybergang, was bound to grab attention.

Pieces entitled "Bank Hackers Steal Millions via Malware" don't tend to go unnoticed, especially when they're on A1 of a newspaper with the second-largest circulation in the US. Other broadsheets followed suit.

Cyber Hype?
The story got to exactly what many have been growing concerned about over the years: banks' inability to protect their money from cybercriminals. Chris Doggett, managing director of Kaspersky's North America branch, went as far as comparing the sophistication of the attacks to that of the heist performed in "Ocean's Eleven," in the Times' piece.

"People may be looking at this in terms of the impact on US banks to be of varying degrees. I think it's significant in general, given the scope of the attack and given the tactics that have been used," Doggett tells Sell-Side Technology. "What we saw in terms of the attack method and tactics that were done here represent a step change in what attackers have been doing to get into banks."

But some familiar with the cyber landscape have brushed off the news, saying the event was neither as severe nor as unusual as the report would have its readers believe.

One of them is Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center (FS ISAC), a group comprised of over 5,000 financial firms that shares and analyzes cyberattacks. He claims the Kaspersky report is more a matter of hype than anything else.

"We call this case an advanced vendor threat (AVT) primarily because it's the vendor promoting their product. In reality, it's old news and we've known about it for months. The threat indicators were shared months ago," Nelson tells Sell-Side Technology.

Furthermore, no bank in the US or Western Europe has actually been affected, Nelson says. The attack was mostly targeting Russian banks.

Conflicting Views
On that point, Doggett has a different take. He argues information found on the attackers' servers indicates that at least three dozen US banks were targets of the attack. As for how many of those banks were successfully breached, Doggett declined to comment, citing non-disclosure agreements and ongoing investigations that Kaspersky does not want to interfere with.

Doggett did confirm at least one US bank was used as part of the cyberattack. He wouldn't say what role the bank played in the attacks or how it was utilized by the hackers, but says at a minimum it's proof that US banks were targeted.

Obviously, there is a big difference between targeting an institution and successfully breaking in. It's one thing to want to hack into a bank's system; it's another to actually be able to do it.

Still, Doggett says that while only "easy" targets might have been penetrated this time around, it's only a matter of time before the cybercriminals are able to improve their methods to break into a bigger bank. If one thing is taken away from the report, Doggett says, it's that the bar has been raised.

"Almost any organization, regardless of how high their security is, has to take notice and make some changes to what they're doing," Doggett says. "We can debate all day long what the probable impact to US banks was. But anybody who says that it's not significant to US banking industry is unfortunately, in my opinion, misinformed."

'Spin it Down'
Due to the attention the story has drawn, Nelson says firms' chief information security officers (CISOs) have likely been meeting with their executive management about the attack. According to Nelson, the message shouldn't drive at what to be concerned about, but rather what not to be concerned about.

While a CISO is stereotypically viewed as an officer responsible for bringing the board's attention to a possible threat, Nelson says this case highlights how that task goes both ways.

"The role of a CISO is to make sure they have adequate defenses and if there is a new threat or vulnerability to address it. If it's just hype or self-promotion, it's their job to spin it down and provide a degree of confidence that the executive management will trust them with their judgment that this is not something to worry about," he explains. "They're probably doing a lot more of that today."

Nelson says this latest story speaks to how attacks are often mishandled by the media, as well. It's common to see press reports that are inaccurate, especially when it comes to interpreting what an attack is. What was only a hacker scanning a firm looking for ways to get in is often incorrectly reported as a breach, Nelson says.

"Yes, some of these banks were scanned, but they successfully defeated it. They weren't breached and for me, it's not a story," Nelson argues. "I think part of this is recognizing when it is a story. Let's address it and make sure we're there together to detect, prevent and respond to make sure it doesn't happen again. On the other hand, if it's something that's already been addressed, the CISO has other big jobs to tend to."

The Bottom Line

  • Banks are targeted by cybercriminals all the time; that's not exactly news. While Doggett does make a strong point about the breadth and sophistication of the attacks, it appears at this point that they weren't very successful in the US. Think of it like a baseball player. It is one thing to hit .350 in Triple-A. It's another to do it in the major leagues. Take notice, certainly, but understand they're not quite there yet.

 
