Should credit unions and others expect cyberattacks from Iran?
Some security experts have warned that Iranian hackers may go after U.S. targets, including financial services companies, in retaliation for the U.S. government's assassination of Iranian military leader Qassem Soleimani.
Esmail Ghaani, Soleimani’s replacement as head of Iran’s army, said on Monday that "God the Almighty has promised to get his revenge" for the killing of Soleimani on Jan. 3, the Associated Press reported, and that actions would "certainly" be taken.
The Financial Services Information Sharing and Analysis Center, which gathers cyberattack reports from thousands of U.S. banks, credit unions and other groups, said that it is “closely monitoring recent geopolitical developments on behalf of our members. We have advised our members to remain vigilant as we continue to actively monitor the situation.”
Joe Krull, senior analyst at Aite Group, said he sees danger for U.S. financial institutions.
“What greater revenge from a symbolic point of view but to go after American money?” he said.
Iranian hackers are good at cyberattacks, and by targeting financial institutions, “they can claim victory, but it doesn't necessarily warrant a military response, so they can do it and get away with it as opposed to blowing up an American embassy,” he said. “If I were a chief information security officer for a bank or a financial services company, I would be updating my run books for incident response.”
Al Pascual, co-founder and chief operating officer of Breach Clarity, said financial services executives would be right to be concerned.
“Iran has promised to deliver ‘hard revenge’ on America, but there is no appetite for direct confrontation with the U.S., so physical strikes against our assets will be off the table while President Trump is in office,” said Pascual, who until recently headed up cybersecurity research at Javelin Strategy & Research.
Attacks on U.S. interests, including Middle Eastern allies, and cyberattacks on critical infrastructure are real possibilities, he said.
"And of all of our infrastructure, an assault on our financial system would conceivably be viewed as the least likely to draw a conventional response while still sending a message to an administration that has made the performance of the economy a proof point of its success,” Pascual said.
The possibility of cyber attacks could be especially alarming for credit unions, some of which -- paricularly at the smaller end of the asset spectrum -- don't have the same defenses as larger institutions. While they might not be as alluring a target from a financial perspective, analysts have often suggested smaller shops that aren't as well protected are easier targets for cyber criminals, even if less money is at risk than at larger FIs.
However, commercial banks themselves are less inviting targets than other financial ones because they have strengthened their security after the attacks of the last decade.
“Instead, I would imagine that U.S. organizations that are critical to facilitating financial transactions, like consumer or commercial payments and trading activity, will be at the top of Iran's hit list,” he said.
Ilia Kolochenko, founder and CEO of the web security company ImmuniWeb, does not expect an immediate threat to U.S. banks, but for a different reason: Iranian hackers, he said, have already broken into all the U.S. companies they consider targets.
“I think in the near future we will not observe major cyberattacks triggered by the military operation in question,” said Kolochenko, who was a former penetration tester and information-technology security expert at several financial institutions.
“Enemies of the U.S. have already silently breached what they could, stealing valuable information including intelligence data, intellectual property and trade secrets," he said. "The majority of sophisticated ... threats have already happened. Regrettably, their complexity often makes them undetectable and uninvestigable. Today the attackers are unlikely to expose their invisible presence in compromised and back-doored systems by inflicting highly destructive actions.”
Kelly King, the chairman and CEO of Truist Financial, on Tuesday seemed to allude to the Middle Eastern situation in discussing broader conditions affecting banks, though he did not name Iran or single out cybersecurity concerns.
Just two weeks ago, the world was in what he described as a period of "stable unrest." Now,"it is hard to predict where things will go," the head of the company formed from the merger of BB&T and SunTrust Banks said in remarks to a business gathering in Durham, N.C. "You can only hope and pray things will not escalate."
Iranian hackers have a history of going after U.S. banks
In 2011 and 2012, the Izz ad-Din al-Qassam Cyber Fighters launched dozens of distributed-denial-of-service attacks against U.S. banks. (In a DDoS attack, hackers flood a web server with fake or malicious traffic in an attempt to slow down or completely shut down that server.)
The hackers said they were outraged by an anti-Islamic film called "Innocence of Muslims" that had been posted to YouTube. However, forensic evidence suggested their motive was retaliation for U.S. malware attacks against Iranian nuclear facilities in 2010.
Banks responded by investing in content delivery networks that weed out suspicious web traffic and block bad actors.
In January of this year, the U.S. government warned that Iranian hackers were infiltrating banks, government agencies and energy companies and gaining intelligence about U.S. infrastructure for future attacks.
The government is "aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies," said Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
At that time, the hackers were deploying “wiper” attacks. A wiper is a class of malware whose intention is to wipe the hard drive of the computer it infects. It often enters a company through common tactics like spear phishing, password spraying and credential stuffing. Krebs advised shoring up basic defenses by using multifactor authentication and taking other security precautions.
What tactics will they use this time?
If they do attack, Krull anticipates Iranian hackers will opt for ransomware, rather than repeat the DDoS attacks of nearly a decade ago.
“Ransomware is the attack du jour right now,” he said. “Iran’s forte right now is malware that creates damage.”
Krull was involved in the remediation process for Iranian hackers’ Shamoon attack on Saudi Aramco in 2012.
“They literally had to take tens of thousands of computers and bury them in the sand because they were rendered useless,” he said.
In 2014, Iranian hackers launched a malware attack on computers at Las Vegas Sands, a casino and resort company led by Sheldon Adelson. The attack wiped out three quarters of the company's Vegas-based servers, which cost it an estimated $40 million in equipment costs and data recovery.
Krull could envision this happening to a midsize bank.
“That would be a wonderful revenge attack, so that suddenly some regional bank can't recover any of their desktops,” he said.
They might steal data such as customer records and hold it hostage.
“I'm not sure they're going to go after JPMorgan Chase or Bank of America, but I could see them going after a regional bank that maybe doesn't have the same level of protection that the majors do,” Krull said.
The obvious security measures — monitor network access, make sure anti-malware software is up to date — may not work against this sophisticated adversary.
“If it's a nation-state attack, none of those things are really going to help you,” Krull said. “What I would do is I would look at the ability to respond and recover.”
A bank or credit union might want to do an exercise to get ready for a potential nation-state attack to make sure all its procedures are up to date. It is also a good idea to alert employees to be extra vigilant about watching out for suspicious emails. Phishing is a common entry point for malware.
Krull further advises banks to offload key files or resources if they are not needed. For instance, if customer data has been gathered for a marketing campaign that may not launch for a few months, that could be put in offline storage “until this weird period passes,” he said.
Krull also recommended analyzing third-party relationships for security vulnerabilities. Payment service providers could be targeted especially.