The top ten financial cyber threat actors

Due to the nature of its business and the way in which it functions, the financial sector is a prime target for cyber criminals. The major cyber threats facing these institutions include ransomware, phishing, malware, digital fraud, vulnerability exploitation, supply chain issues, and DDoS attacks.

A brief overview of some of the groups currently targeting the financial sector follows.

WizardSpider: this Russian-speaking cybercrime group has been operating campaigns since at least 2016. It is responsible for malware such as Trickbot, Anchor, and BazarLoader, as well as Ryuk, Conti, and Diavol ransomware. Trickbot is one of the most advanced cybercriminal malware platforms, with a vast number of modules and lateral movement capabilities. It aims to persist in networks undetected and collect sensitive information. Once Trickbot has established persistence, WizardSpider deploys its ransomware.

WizardSpider also sells Trickbot as a Malware-as-a-Service (MaaS) to other cybercriminals, as well as state-sponsored groups. The MaaS is only offered to other groups with a proven reputation for buying and selling products and services.

Lazarus is a highly active group sponsored by the North Korean government and has been operating since at least 2009. It has been reported to use the Trickbot operators' Anchor toolset rather than developing its own Trickbot variant. The group is responsible for hundreds of attacks using custom malware, wipers and botnets, which it continually develops, and has targeted numerous countries across all sectors, including finance, government and the military.

It is widely believed that Lazarus was responsible for the theft of 81 million dollars from Bangladesh Bank in 2016, the compromise of Polish banks in late 2016 and early 2017, and the WannaCry ransomware attacks in 2017. More recently the operators have turned their attention to cryptocurrency: in 2022 the FBI confirmed that the group was responsible for the theft of around $620 million in cryptocurrency from the Ronin network bridge behind the online game Axie Infinity. It is believed that the North Korean regime uses groups such as this to raise funds for its missile and nuclear programmes.

EvilCorp developed the Dridex banking Trojan, which has targeted organisations around the world and is one of the longest-running malware families still in circulation. The group is led by two Russian nationals, Maksim Yakubets (also known as Aqua) and Igor Turashev, both of whom were indicted in the US in December 2019 for their parts in international computer hacking and bank fraud schemes perpetrated since May 2009. Dridex grew out of the group's earlier Bugat/Cridex banking Trojan. The UK's National Crime Agency (NCA) has described EvilCorp as the world's most harmful cybercrime group because of the sophistication and scale of its operations. It has stolen tens of millions of dollars from banks worldwide by continuously updating its malware to stay ahead of signature-based defences, and that malware remains in circulation.

DeathStalker has been in operation since at least 2018, targeting finance and technology companies worldwide. The group is described as an opportunistic, financially motivated threat actor and is responsible for distributing the Evilnum malware.

A new campaign by the threat actor TA4563 was recently identified. The actor was seen using Evilnum malware against European entities in the financial and investment sectors, focusing on foreign exchange, cryptocurrency and decentralised finance (DeFi) organisations. It is possible that TA4563 is another name for DeathStalker.

Cobalt has been linked to the theft of more than one billion euros from over 100 banks in around 40 countries. The group specifically targets ATMs for jackpotting. Russia has been disproportionately affected by Cobalt, which used the country as a testbed for many years, and researchers believe the operators may be Russian. More recently, Cobalt has moved away from financial institutions in Russia towards targets in Europe, Central and East Asia, the Middle East and South America.

GoldLagoon is a financially motivated threat actor that has been active since 2007 and is believed to be the developer and operator of the Qakbot (Qbot) malware. Qakbot is an information-stealing malware first seen in 2007 and sold as Malware-as-a-Service; its capabilities include credential theft, spam delivery, interception and manipulation of web traffic via webinjects, and remote access. More recently Qakbot has been used as an initial access vector for ransomware operations such as Egregor (since shut down), REvil (which recently returned) and Black Basta.

FIN7 (often conflated with Carbanak) is an active international cybercriminal group that first emerged in 2013. It has infiltrated Russian and Ukrainian banks, as well as retail and hospitality organisations in Europe, the US and Japan. It steals payment card data from Point-of-Sale (PoS) systems or, in some cases, cash from ATMs.

FIN7 typically carries out in-depth reconnaissance of its targets in order to craft spear-phishing emails tailored to the intended victims. Once it has compromised a bank it artificially inflates account balances and transfers the excess funds to outside accounts, often via the SWIFT network. It also creates fake accounts and uses money mules to launder and eventually collect the funds. The group's most common tools include Carbanak, SQLRAT and Cobalt Strike.

TA505’s intrusions go back as far as 2014 but were first publicly disclosed in 2017. The group uses both commodity and custom tooling, including loaders, infostealers and banking Trojans such as Amadey, Trickbot and Dridex, and is believed to be based in Russia.

TA505’s spam distribution campaigns are often followed by ransomware. Like many highly skilled cybercrime gangs, the operators aim to deploy ransomware across compromised networks and have used more than five different families in the last two years, including GandCrab. TA505 now uses Clop ransomware, which has its own darknet leak site for publishing stolen data.

Notably, TA505 has ties to both the Lazarus group and the Silence APT, suggesting that it both buys malware from and supplies malware to threat actors and nation-state groups at the highest end of the cybercriminal ecosystem.

TA505 also has links with Clop, a ransomware group that has been highly active since January 2020. Most recently, Clop listed Softeq as a victim on its leak site. Softeq provides IT services to a number of large organisations, including Microsoft, HP, Verizon, Epson, Lenovo, Coca-Cola, Samsung, Intel, NVIDIA and Disney, illustrating the exposure of companies to attacks on a third-party supplier.

Silence is thought to consist of two Russian-speaking individuals, believed to be former or current security professionals, whose aim is to target financial institutions. There is evidence that the group has been operational since 2016, with its first two attacks, against the Russian Central Bank’s Automated Workstation Client system, failing. The group is thought to be responsible for a large phishing campaign targeting Russian banks in 2018. Since then it has expanded its operations to include attacks on banks in Central Asia, Ukraine, India, South Korea, the UK, Australia and Bangladesh.

A large number of cybercriminal groups fall under the Magecart umbrella, with at least 12 known clusters. They are responsible for widespread card-skimming campaigns that have affected potentially thousands of online merchants and e-commerce sites: malicious JavaScript injected into a site’s checkout pages captures card details as customers type them in. The gangs and individuals behind the operations grouped under the Magecart name are organised and increasingly professionalised. They have been very successful and often operate undetected on the target site for some time.

It is believed that those responsible for producing the skimmer usually make their money by selling the data to criminal gangs (or taking a cut of the profits), who then use it in a variety of ways. Threat group FIN6 (also known as ITG08) has potential links to Magecart: in September 2019 the group was reported to have shifted from spear-phishing attacks on organisations to online skimming attacks against e-commerce businesses in the US and Europe.

Alongside state-sponsored groups and highly organised cybercriminal enterprises, the threat from hacktivist collectives such as Anonymous should not be lightly dismissed as largely ineffective hacking sprees carried out by “script kiddies”. While these groups tend to focus on issues such as human rights or government corruption, they have also been known to gather together to target the financial sector as part of their fight against capitalism. One prominent example was #OpIcarus, a multiphase operation that began in 2016: the hacktivists’ goal was to take down websites and services associated with the global financial system through DDoS attacks and data leaks. Among the targets were the New York Stock Exchange, the Bank of England, the Bank of France, the Bank of Greece, the Bank of Jordan and the Bank of Korea.

More recently, as part of its efforts to disrupt the Russian financial sector following the invasion of Ukraine, the IT Army of Ukraine has been targeting Russian banks: in November 2022 it attacked Alfa-Bank and leaked data from the Central Bank of Russia.

The examples above give only a brief overview of the cyber threats faced by banking organisations worldwide. What is notable is that while the nature of the attacks may change, the ultimate aim of cybercriminals targeting the financial sector is always the same: monetary gain.

It is particularly important to remember that banks, insurance companies and other institutions in this sector can be affected by attacks on other organisations, both because of the customer data they hold and because they must ultimately deal with the financial losses suffered by their clients.

Organisations can never be certain that they will not suffer an attack, but they can reduce both the likelihood and the impact by implementing appropriate and stringent cyber-security policies and practices. Data must be backed up, preferably to offline or otherwise isolated storage that an attacker with access to the production network cannot reach or encrypt, and restores should be tested. Systems must be kept up to date and software patches applied as quickly as possible. And finally, all staff, from boardroom level downwards, must receive regular cyber-security training to defend against the damage, financial or reputational, that a cyber-attack is likely to bring.
