Bozkurt to Buhtrap: Cyber threats affecting financial institutions in 1H 2016

Michael Marriott | 23 August 2016

At the beginning of 2016, it was reported that two suspected members of the DD4BC, a DDoS extortion group, were arrested in Europe. Throughout 2014 and 2015, DD4BC targeted a number of financial institutions and, according to some reports, were somewhat successful. While these arrests are a great example of the hard work of Europol, it did not, of course, succeed in nullifying the threat posed by DDoS extortion actors. The Armada Collective, Kadyrovtsy and a number of copycat groups, soon filled the void left by DD4BC.

However, for organizations in the financial services industry, it’s about far more than DDoS attacks. Indeed, already in the first half of 2016 (1H) we have observed numerous campaigns, actors and tools that targeted the financial services industry. Our latest whitepaper, Bozkurt to Buhtrap, looks at these trends in a bit more detail.

This report looks at activity we have detected across hacktivism, cybercrime and targeted attacks, between January and the end of June 2016.  

Hacktivism in particular tends to produce a lot of noise and it’s often difficult to pick out what really matters to your organization. A prime example of a hacktivist campaign targeting financial institutions is OpIcarus, which was particularly active in 1H 2016 and, despite high-profile targets, had a limited impact. However, not all hacktivist are made equal, with more advanced skillsets demonstrated by actors such as Phineas Fisher.

Secondly, cybercrime continues to be a concern for organizations.  This includes DDoS extortion and data breaches, but also banking trojans, such as Tinba, Rovnix and BlackMoon. Understanding the various motives, tools and actors allows organizations to better understand the threat and mitigate accordingly.

Finally, there were the more targeted attacks, such as Mossack Fonseca, Buhtrap and the attacks on the SWIFT network. The actors associated with these attacks, in particular, have demonstrated high capability and high intent. Indeed, as shown by the timeline below, the SWIFT network attacks continued over a significant timescale.

 

SWIFT Timeline 

 

In summary, the first half of 2016 (1H) saw plenty of cyber threats targeted at, and relevant to, the financial services industry. Looking back allows defenders to better understand the motivations and tactic, techniques and procedures (TTPs) of the threat actors targeting the financial services sector. 

Of course, retrospective analysis of attacks can only go so far and it’s important to use these trends we have observed in order to forecast what we might expect to see for the rest of the year. 

Download our latest whitepaper to find out more about these threats to financial institutions.