European banks remain an important hacking target after the Russian invasion of Ukraine
Portugal’s Millennium BCP was subject to a distributed denial of service attack in October.
Source: Jasper Juinen/Getty Images News via Getty Images Europe.
The massive and devastating Russian-led cyber attacks that politicians and industry insiders feared would hit European banks after the invasion of Ukraine have so far not happened. But smaller and more damaging hacks on banks, which may not be Russian state-linked, are on the rise.
So-called distributed denial of service, or DDoS, attacks on European banks have increased “significantly” since the start of the war in Ukraine, according to Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, a cybersecurity firm. Portugal’s Banco Comercial Português SA, better known as Millennium BCP, was hit by a DDoS attack on October 3, resulting in a 90-minute blackout.
DDoS attacks can involve malicious actors bombarding banking websites and apps with so much traffic that legitimate customers cannot access their accounts. They are usually short-lived, but industry experts say the attacks pose a serious and persistent risk to banks in Europe, with both revenues and reputations at stake.
“The financial sector has become a major target in Europe, especially in countries that are considered allies of Ukraine or that are seen as some form of threat to Russia by hacktivists,” Hoffman said.
The scourge of DDoS attacks
While major attacks on European banks and payment infrastructure have so far been absent, hacks that have temporarily locked customers out of websites and apps have been plentiful. It is not known for certain whether these attacks are linked to Russia, but cyber security experts say they have seen clear patterns since February.
A Millennium BCP spokesperson declined to comment when asked about the perpetrator of the attack, but said it was the “target of intense and illegitimate requests from outside Portugal to the bank’s website and apps.”
In an attack following a similar typology in February, Russian military hackers temporarily shut down two Ukrainian banks, Joint-Stock Company Commercial Bank Privatbank and The State Savings Bank of Ukraine.
Russia has also been on the receiving end of attacks. Sberbank of Russia fended off a major attack in early October, in which its systems were raided by 104,000 hackers from 30,000 entities operating outside the country, local media outlet Kommersant reported, quoting the bank’s deputy chairman, Stanislav Kuznetsov. The bank has been hit by 470 attacks this year alone, more than the total number of attacks in the past seven years combined, the report said.
Banks are generally a popular target for DDoS attacks, according to David Elmaleh, director of product management at Imperva, a cybersecurity firm. Almost a third of all DDoS attacks registered in the second quarter in all industries were on banks, according to Imperva’s research.
What’s notable about DDoS attacks is that they are often the “method of choice” for hacktivists and for cyberwarfare, Elmaleh said. Imperva found a 70% increase in DDoS attacks in March, coinciding with the invasion of Ukraine, suggesting they are being used as a tool of warfare, he said.
“Nation-state actors are typically less interested in financial gain and instead motivated by causing disruption or using DDoS attacks as a smokescreen to smuggle malware into a network,” Elmaleh said.
Still, the potential financial blow to banks from a DDoS attack should not be underestimated, according to Nisha Sanghani, partner at Ashurst Risk Advisory.
A DDoS attack can cost a company between £140,000 and £2 million, according to research by cyber security firm NETSCOUT. The cost to a bank could potentially be a “significant multiple” of the highest estimate provided by NETSCOUT, Sanghani said, and there’s also the matter of reputational damage.
“Given the risk profile of a bank, and the very public impact of reputational damage, it is likely to take longer for the website to be brought back online and for the bank to fully recover. Any denial of service attack is therefore likely to have a serious effect both at the time of the attack and in the period after,” she said.
There are fears in the industry that cybercriminals could next attack market infrastructure, such as the SWIFT payment network, with serious consequences for the entire industry, Sanghani warned.
“In addition to dealing with sanctions imposed, it is feared that Russia may feel that an attack on a market infrastructure such as SWIFT is a more attractive target than an individual bank given that a cyber attack on SWIFT would have a damaging and significant impact on the global financial network as a whole,” she said.
SWIFT did not respond to a request for comment.
The European Central Bank and the US Federal Reserve Bank both warned commercial lenders in February, as an invasion of Ukraine began to look imminent, that they should prepare for an onslaught of Russian-sponsored hacks.
And when the European Commission shut out seven of Russia’s largest banks from the SWIFT messaging system in early March, cybersecurity experts warned that Russia could retaliate by launching crippling cyberattacks against European banks.
But so far, no Russian state-linked attacks on European banks involving theft, destruction of infrastructure or visible tampering with online content have taken place – or at least none that have been made public.
“There is a general feeling that Russian capabilities around cyber attacks may not be as strong as expected,” said Cassandra Pagan, Advisory Principal, Cyber and Quantification at S&P Global Market Intelligence. “There’s a lot of hacking activity going around, but the Russians haven’t come out in the full-blown, devastating attack that many had expected.”
However, it is possible that Russia is playing a long game, Pagan added. Espionage, rather than destruction or disruption, may be the ultimate goal of Russian state-backed hacks, especially when it comes to foreign banks, Pagan said.
In this case, dramatic attacks on banks would be counterproductive for hackers, as it would make it difficult to stay hidden, she said.
This is not an entirely hypothetical scenario. The SolarWinds hack, a massive cyberattack that took place in 2020 and was attributed to Russian sources, allowed hackers to quietly access the systems of large companies and government departments around the world, and went undetected for months. Among the targets was Danmarks Nationalbank, the Danish central bank.
The U.S. and U.K. both sent signals to Russia that cyberattacks would be met with retaliation in kind, which may explain the absence of physical attacks so far, according to Marcos Alvarez, senior vice president, head of insurance, global financial institutions at DBRS Morningstar. It could also be that US capabilities in this realm are stronger, he added.
“The threat is limited for now,” Alvarez said. “But it’s still there.”