THIS THREAT BULLETIN IS PROVIDED FOR SITUATIONAL AWARENESS
Background
PolySwarm recently published a Special Report, Threat Bulletin, and blog posts discussing Russia-Ukraine tensions and the potential for both kinetic and cyber conflict. In Russia-Ukraine Conflict and Cyberwar Implications, we discussed political tensions between Russia and Ukraine, past cyber altercations between the two nations, and potential cyber and kinetic implications if the current conflict escalates. In Armageddon Activity Targeting Ukraine, we provided commentary and IOCs for ongoing cyber activity targeting Ukraine, which industry analysts attributed to the Russian state-sponsored threat actor group Armageddon.
In the face of these ongoing tensions, Britain’s National Security Center, the European Central Bank, the New York Department of Financial Services, and other financial institutions in the US and Europe have issued alerts indicating possible cyber-attacks perpetrated by Russian threat actors. Some of the alerts warn sanctions and penalties against Russian entities may provoke Russia to retaliate with cyber attacks. Several major banks are now preparing for a potential attack, with some engaging in cyberwar games to test their preparedness against sophisticated attackers.
Motivation for Retaliation?
Along with imposing sanctions, Western nations have reportedly considered cutting Russia off from the Society for Worldwide Interbank Financial Telecommunication (SWIFT) if Russia invades Ukraine. SWIFT is a Belgium-based cooperative society that acts as an intermediary for banking transactions worldwide. SWIFT connects over 11,000 members in over 200 countries and territories. Western countries have toyed with the idea since 2014. At the time, Russian businessmen and politicians stated a SWIFT ban would equate to an act of war.
A country cut off from SWIFT would become reliant on domestic investors and would have to create or scale an alternative system for financial transactions. In Russia’s case, the country has extensive reserves and has its own alternative system, Sisteme Peredachi Finansovykh Soobshchenii (SPFS). By 2020, over 400 Russian banks had joined SPFS, and the system was being used for about 20% of domestic banking settlements. Only twelve foreign organizations currently use SPFS. No European or US banks are currently part of SPFS, and only one Chinese bank, Bank of China, has joined. While SPFS may be adequate for domestic banking, it is unlikely to suffice for international transactions on a mass scale.
In 2018, the West faced a similar situation with Iran. The US imposed sanctions, citing political tensions and Iran’s support of terrorist organizations as motivation. SWIFT also suspended some of Iran’s banks in conjunction with those sanctions. At the time, the US feared retaliation in the form of cyberattacks on its financial institutions. This fear likely stemmed from the Operation Ababil attacks on US banks in 2012 and 2013, which were attributed to the threat actor group Izz ad-Din al-Qassam Cyber Fighters, a group linked to the Iranian government. However, the expected retaliation never materialized.
Analysis
State-Sponsored Activity
While Russia may view some financial sanctions as an act of war and retaliate by targeting financial institutions, there is currently little precedent of state-sponsored Russian threat actor groups attacking US banks. In 2015, security company Root9B reportedly uncovered plans by APT28 to attack several banks in the US and UAE, as well as non-profit organizations. However, the Root9B report is no longer available to provide further context. APT28, also known as Sofacy or Fancy Bear, is a Russian-nexus threat actor group, active since at least 2004. APT28 typically engages in espionage activity and is allegedly affiliated with Russia’s General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS), military unit 26165.
Criminal Activity
Russian threat actors targeting US financial institutions tend to be financially motivated threat actor groups, likely operating as an organized crime ring with no government backing. While this activity may continue, it is unlikely to be related to the current geopolitical climate.
Hacktivist Activity
Based on past events, there is a possibility of pro-Russia hacktivist groups targeting US banks. In 2014, the politically motivated hacktivist group CyberBerkut attacked a Ukrainian bank and published customer data on a Russian-language social media site.
Unintended Consequences
Barring Russia from SWIFT could have unintended consequences for Western nations, particularly the US. Disrupting the Russian financial system would negatively impact countries that have business relationships with Russia, with significant fallout. Such a move could also lead countries who have tense relations with the US to seek an alternative to SWIFT for fear of sanctions. This scenario, although hypothetical, could lead to a chain of events resulting in trade disruptions and devaluation of the American dollar.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports