Cyberattack against Santander shines a spotlight on supply chain breaches

Criminals breached a third-party database storing Santander customer and employee information, a type of intrusion that is increasingly concerning banks.
Paul Hanna/Bloomberg

Last week, global bank Santander reported that a cyberattack had breached customer and employee data in Spain, Chile and Uruguay. The attackers stole the data from a database hosted by a third party, meaning the bank's own operations and systems were not affected. The compromised data did not include transaction data or credentials that would allow the criminals to perform transactions.

Santander has not disclosed the number of customers and employees affected. Data in other countries were not affected, the bank said.

This is the latest example of an IT supply chain attack against a bank, in which hackers break in through a technology provider rather than the bank's own systems. In February, Bank of America also suffered a supply chain attack in which attackers accessed the names, addresses, dates of birth, Social Security numbers, and other account information of 57,028 deferred compensation customers. In that case, financial software provider Infosys McCamish had its system compromised rather than Bank of America.

These kinds of attacks have gained greater attention from prudential regulators, who have looked to hold banks responsible for auditing their IT suppliers for adequate cybersecurity practices. At a conference in January, the Federal Reserve's vice chair for supervision, Michael Barr, said there have historically been "gaps" in banks' efforts to manage their third-party cyber risk — gaps that he expects banks to close.

"Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk," Barr said. "It is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard."

This month, cyberattacks against IT supply chains and third-party vendors were a key subject of discussion at the RSA conference. A panel of payment company executives said that consolidation in the cloud computing industry has made providers such as Amazon Web Services, Microsoft Azure, and Google Cloud unresponsive to attempts, even by large banks, to hold the companies responsible for adequate cybersecurity practices.

During another session, a panel of cybersecurity attorneys discussed lessons from recent supply chain attacks. One of the key takeaways from one such attack, against Progress Software's MOVEit file transfer product, was the importance of writing contracts with IT suppliers that require them to respond in the event of a cyberattack.

Thousands of organizations, including at least 60 banks, had data compromised in the MOVEit breaches. Progress Software became so inundated with inquiries from victims during the fallout that the company could not keep up with the requests, according to Jennifer Burnside, a practice leader of crisis communications at Google-owned cybersecurity firm Mandiant.

"In many cases, they didn't have an obligation in contract to respond," Burnside said. "As they could get information, they did respond, but it wasn't a requirement."

Another example discussed by the panelists was a state-backed cyberattack by Chinese hackers against the popular email security appliance company Barracuda. Barracuda shared information generously, providing public information on how to detect and prevent such attacks in the future, according to Erin Joe, cybersecurity executive in the office of the CISO at Google Cloud.

One facet of the Barracuda attack that Joe highlighted was the adversary's use of three malware packages that masqueraded as legitimate software. Joe said in other cases, attackers use tactics called "living off the land," which refers to attacks that do not involve installing software but rather using the tools already present in an environment. One example of such a tool is PowerShell, which is a command line and scripting language for Windows.

Another noteworthy facet of the Barracuda attack was the method the attackers used to exfiltrate the data they stole — i.e. the method they used to transfer data out of victims' systems and onto the attacker's systems. Joe said in this case, the attackers created large temporary files in the process of staging the exfiltration — the kind of red flag that she said endpoint detection software is supposed to detect.
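The staging red flag Joe describes can be reduced to a simple detection rule: a large file, often an archive, written recently to a temp or staging directory. The following is an added illustration of that rule and is not Mandiant, Google or Barracuda tooling; the directory list, size threshold, time window and sample events are constructed assumptions.

```python
"""Added example: flag large, recently created files in temp/staging
locations, the exfiltration-staging red flag the article says EDR should catch."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Locations commonly used to stage data before transfer (assumed list).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/",
                "c:\\windows\\temp\\", "c:\\users\\public\\")
ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar", ".tar.gz", ".tgz")


@dataclass
class FileEvent:
    """One file-creation record as an endpoint sensor might report it."""
    path: str
    size_bytes: int
    created: datetime
    process: str


def in_staging_dir(path: str) -> bool:
    return path.lower().startswith(STAGING_DIRS)


def flag_staging(events, now, min_size=256 * 1024 * 1024,
                 window=timedelta(hours=1)):
    """Return (event, reasons) for large files created recently in staging dirs."""
    hits = []
    for ev in events:
        if not in_staging_dir(ev.path) or ev.size_bytes < min_size:
            continue
        if now - ev.created > window:
            continue  # old file; not consistent with active staging
        reasons = ["large file in temp/staging location"]
        if ev.path.lower().endswith(ARCHIVE_EXTS):
            reasons.append("archive format (bulk collection)")
        hits.append((ev, reasons))
    return hits


NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    FileEvent("/tmp/.cache/mbox-export.tar.gz", 900 * 1024 * 1024,
              NOW - timedelta(minutes=12), "tar"),          # should be flagged
    FileEvent("/tmp/sess_9f1a", 4 * 1024, NOW - timedelta(minutes=3), "php"),
    FileEvent("/home/ops/backup.tar.gz", 2 * 1024**3,
              NOW - timedelta(minutes=30), "tar"),          # not a staging dir
    FileEvent("/var/tmp/old-dump.bin", 700 * 1024 * 1024,
              NOW - timedelta(days=2), "dd"),               # outside time window
]
```

Running `flag_staging(SAMPLE_EVENTS, NOW)` yields only the archive in `/tmp`; in practice the threshold and window would be tuned per host and paired with the process lineage and network activity that follow staging.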

A third facet of the attack that Joe highlighted involved how the attackers and responders interacted. "Incident response is no longer a game of cat and mouse," she said. "It's a game of chess."

In the Barracuda attack, threat actors were able to watch what incident responders acting on behalf of victims were doing to try to staunch the attack. Attackers often reacted directly to what the incident responders did, Joe said, by changing their tactics or deleting and destroying information that would be critical for incident responders.

Joe said this means incident response teams need to re-examine what they are doing in their response and recovery processes, "because the threat actors have done that." One example in this case: as vendors installed updated software to patch the Barracuda bugs that made the attacks possible, the attackers kept their malware running on the systems because they had already installed backdoors to preserve access even after victims patched.

Lastly, Joe said that many victims in the Barracuda attacks learned that they had been compromised only after the attackers posted the victims' data on victim-shaming websites, even though the attackers attempted to reach out to the victims directly after they stole the data. In other cases, attackers eventually stopped trying to reach out to each victim individually because there were too many of them, and instead posted the list of victims on their victim-shaming site.

"You need to be monitoring sites," Joe said. "We talk a lot about telling you to monitor sites for data that's been disclosed so that you're aware of it, but here, you're monitoring for a warning that you've been compromised and you don't know it yet."
