Top cyberthreat to U.S. banks may stem from attacks on Ukrainian targets

As the U.S. imposes economic sanctions against Russia, cybersecurity firms and federal officials are advising American banks to shore up their cyberdefenses but also saying that state-sponsored attacks don’t appear to be imminent.

With Russian troops advancing on Kyiv, American officials warned this week that the bigger threat for U.S. banks currently appears to be cyberattacks on Ukrainian banks, which could have ripple effects outside of that country.

Last week, the U.S. attributed to Russia a denial-of-service attack that overwhelmed Ukrainian websites two days earlier. The attack — the largest in the country’s history — hit three of the country’s banks, including its two largest, as well as divisions of the Ukrainian government. A second round of attacks followed this week.


Separately, Reuters reported Thursday that a data-wiping attack — which is designed to permanently destroy data — had infected a Ukrainian government agency and a Ukrainian financial institution. The latter incident was similar to an attack that Russia unleashed on Ukraine’s financial services industry in 2017 and that eventually spread worldwide.

Such data-wiping attacks are resurging, according to Matt Radolec, a senior director at the cybersecurity firm Varonis, where he works on incident response forensics and investigates new threats.

“There are victims to this destructive malware already,” Radolec said.

In a data-wiping attack, cybercriminals gain access to an entity’s data and may use the threat of permanently erasing it to extort a payout. Other times, they simply delete the data wholesale.

Hackers are also launching more prominent ransomware attacks, and some evidence suggests those attacks are tied to state-sponsored organizations in Russia, Radolec said.

The U.S. and Russia had long shared information to thwart cybercriminals and unmask them, but experts said that those ties will likely be severed as a result of Russia’s invasion of Ukraine.

Radolec said that his company’s caseloads contain evidence that cybercriminals are using the war as a prime opportunity to strike.

“Their goal is disrupting the American way of life,” Radolec said. “Financial institutions, while hardened, are targets because they represent American prosperity.”

The White House provided its own cybersecurity guidance last week.

“While there are currently no specific or credible cyberthreats to the homeland, the U.S. government has been preparing for potential geopolitical contingencies since before Thanksgiving,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said on Feb. 18.

On Feb. 16, officials from the Treasury Department, the FBI and the federal Cybersecurity and Infrastructure Security Agency met with the CEOs of several large and midsize U.S. banks to discuss cyberthreats, according to a readout from the meeting.

A Treasury spokesperson declined to comment on whether the meeting’s participants specifically discussed heightened risks of cyberattacks on U.S. banks as a result of the Russia-Ukraine conflict.

So far, cyberattacks on financial institutions have primarily impacted Ukraine, said Adam Meyers, senior vice president of intelligence for cybersecurity firm CrowdStrike.

He described three categories of potential attacks: First, Russian cyberattacks targeting Ukraine, which he said are “highly likely if not ongoing.”

Second are Russian attacks on Western entities. While Meyers said that such attacks are currently unlikely, he noted that the sanctions announced Thursday by the European Union and the United States “could change that calculus.”

The third category that Meyers identified involves the potential for “collateral impact” on U.S. banks as a result of Russian attacks on Ukrainian banks. The concern is that self-propagating malware could move beyond Ukraine if such an attack were unconstrained in its targets.

One such unconstrained attack was NotPetya, which in June 2017 spread throughout Ukraine via a system used to update tax and accounting software products. The self-replicating malware, which Ukraine and the U.S. attributed to Russia, spread far beyond its original targets.
