How banks can protect themselves from cyberattacks in light of the conflict in Ukraine

We live in an increasingly unstable world, a fact which has been exemplified by the unfolding of the Russian invasion in Ukraine. Unfortunately, nationalist tendencies can lead to heightened east versus west sentiments and increased attacks on all nationalities supporting Ukrainian sovereignty. What is unknown, however, is how Russian cybergangs will respond to an attack on a neighbouring country.

Economic sanctions from several nations and institutions have been imposed against Russia, the impact of which has been significant. Following the initial imposition of sanctions, the Russian stock market crashed, with the Moscow Stock Exchange remaining closed for almost a month. Further to that, the Russian ruble fell to record lows, with citizens rushing to collect cash from ATMs, after international credit card providers ceased to provide services to Russian banks.  

Economists estimate that the sanctions imposed on Russia, particularly in the context of economic recovery due to the ongoing recession caused by COVID-19, will set the Russian economy back around 30 years. The Central Bank of the Russian Federation stated that prior to the conflict, its reserves could cover 20 months’ worth of imports. Following the onset of the invasion, it is estimated that that figure has been halved, covering only about 10 months now. The Russian government will need money to fund its military and continue internal economic activities. These funds will need to be acquired through other means, should the economic sanctions continue in their effectiveness and remain in place for the foreseeable future. Thus, it can be expected that Russian attacks against banking, financial service and insurance institutions and providers will increase in the coming weeks and months. 

Cyberattacks, as the ones we saw against the Ukrainian government prior to the invasion, will increasingly be a part of joint military operations. In the same way that the world saw a preemptive cyberattack on the Ukrainian government, further sustained attacks should be anticipated against Ukraine and any other nations or institutions that are thought to interfere with Moscow’s agenda. This can be expected to take place on both sides of the conflict, with the hacking collective Anonymous declaring war against Russia and President Vladimir Putin.  In a statement outlining that though they are targeting the government, it is inevitable that the private sector will also be affected. Cyberattacks have also targeted Russian state authorities, including the Russian Federal Air Transport Agency, which was recently hacked, causing the loss of over 65 TB of data. As such, this will also have an impact on Russia’s strategy. 

Institutions need to be prepared and protected against such attacks. First and foremost, banks should get a pentest done, especially if they have not had one in a while. A goals-oriented pentest should emulate attackers’ activities. Thus, institutions should refrain from telling their pentesters which systems are out of bounds or having them conduct testing from Monday to Friday, 9:00 AM to 5:00 PM. Instead, pentesters must do their best to think like attackers and conduct tests in realistic circumstances and settings. 

Furthermore, institutions should prepare their DFIR teams. It is vital for banks to conduct Purple Team exercises, which is when pentesters (red teams) collaborate with DFIR teams (blue teams) to strengthen their detection and response capabilities.  Among the many lessons learned from the Ramadan War of 1973, anticipating a coordinated attack by a capable adversary, irrespective of conventional wisdom, ought to be at the top of the list.

It is also of major importance that institutions are in close contact with their law enforcement liaisons. Most law enforcement authorities have special task forces for dealing with cybercrime. Institutions must get to know these local task forces and make a habit of attending their knowledge sharing sessions, as well as becoming familiarised with protocols for communications with them. It is best to be prepared ahead of a potential attack, than to have to figure this out in the midst of an incident. 

If institutions need external DFIR support, they should think about getting their company of choice on retainer as soon as possible. Just like with Law Enforcement, it is advantageous to establish a relationship with your DFIR team of choice before an incident occurs, rather than to have to settle for whichever company is available to take your work (since the most specialised or otherwise preferred option is unavailable). It is also worth noting that the best investigators may not necessarily be those associated with the most eye-catching brand names, as many work for smaller firms, or even for themselves. 

Given the heightened tension and instability, now is the time for banks and other financial institutions to prepare themselves against cyberattacks preemptively rather than waiting to react after being compromised. Otherwise they are putting their organisations, customers and shareholders at risk, hoping for a favourable roll of the dice.