Threat Intelligence Blog

Posted April 23, 2019

As in most criminal enterprises, the objective is to make money. It is only natural for cyber criminals to follow the rainbow to the proverbial pot of gold waiting at the end: the institutions holding the United States’ riches. Though this is a high-risk mission, if carried out correctly, cyber threat actors can reap high rewards in exchange for these attacks. Actors will continue to evolve, evading the ever-changing security protocols put into place by financial institutions to thwart them.

The U.S. Financial Services Sector (FSS) is likely the most highly targeted sector; in 2017, 8.5% of all data breaches recorded implicated financial services organizations. Why? Financial organizations protect some of our most sensitive and valuable data: social security numbers, account information, and credit card numbers. Getting ahead these actors requires an understanding of your adversary. In the first part of this series, we will discuss which actors target the FSS and why. In part 2, we explore how these actors perpetrate financial cyber attacks.

Cyber Criminals in the Financial Sector

One highly effective Ukrainian cyber criminal, Sakari, identified by LookingGlass researchers in February of 2019 was found selling the Arcane stealer on a crime forum. Cyber criminals use malware stealers to infect your personal device—enabling them to lift personally identifiable information (PII), credit card numbers, and other banking information. These malware attacks take advantage of the different means consumers use to access their banks and financial institutions and have a big impact on consumers and banks alike. Arcane was marketed as being able to lift autofill information, wallet, and other program information from Windows systems—providing an open backdoor for criminals to enter your banking programs.

The cyber crime underground will continue to flourish in 2019. Your team needs actionable, finished intelligence on threat actors like Sakari to best defend against them. Knowing your adversary enables your team to protect your organization’s assets and data. With reports on websites like Joker’s Stash, which provides new sensitive information almost daily including full credit card numbers, expiration dates, CVV codes, as well as Social Security Numbers and IP addresses, LookingGlass’ finished intelligence reports provide your team the knowledge it needs to know your adversary. Knowing when new stealers and malware are developed will help your organization respond before you are victimized.


Another major actor in the FSS threat landscape are state-sponsored actors; these actors are well armed with the infrastructure and the means of their government behind them. The North Korean government is very active in the space—North Korean hackers are suspected of stealing $100 million USD from banks around the world from 2014-2018. They don’t appear to be slowing down— a North Korean hacker was charged by the DOJ in 2018 for involvement in the WannaCry ransomware.

Nation-states are also targeting cryptocurrencies – because nation-states that often carry out attacks against FSS have heavy economic sanctions placed upon them, like Iran and North Korea, they often turn to cryptocurrency to make money. North Korea is also known to practice cryptojacking to access cryptocurrencies, which can leave backdoors open for other malware. This targeting of the FSS provides a blueprint for countries like North Korea and Iran. If nation-states are targeting your organization, they may be living on your networks for months at a time before extracting information. Keeping your network hygiene, firewalls, and anti-virus software up-to-date is paramount to defending against nation-state actors.


In 2017, hacktivists attacked US state and local governments more than any other threat actor group. Using a campaign known as #OpIcarus, hacktivists launched DDoS attacks against online and mobile finance & banking services, recently targeting Rabobank. Because these cyber attacks are not centrally planned and executed, hacktivists often use hashtags like #OpIcarus to garner support and, in some cases, get help from other hacktivists.

The decentralization of groups like Anonymous have made hacktivist attacks very difficult to predict and hard to defend against. Many hacktivists gather and collect information from social media—LookingGlass recommends good social media hygiene and to be cautious of oversharing, especially for executives and essential personnel. Hacktivists operate and organize on social media sites where your organization posts.

Cyber crime against the financial sector is perpetrated by many groups—and is carried out in a multitude of attack vectors. Knowing your adversary is the first step in creating a proactive security posture to defend your organization against them; the next step is knowing their TTPs. In Part 2 of Follow the Money, we will explore the different attack vectors these threat actors use within financial services. To get more insights on cyber threats to the financial services, learn more about our Finished Intelligence offering or see our white paper on identifying cyber threats in finance.


Additional Posts

LookingGlass Digital Business Roadshow Spring 2019

Get a front row seat to a new perspective on protecting your business from digital risks emanating ...