Late last year, more than 100 financial-services companies across the world received threats from a group of hackers who claimed destructive attacks would follow unless large payments were made.
The demands started to arrive in late summer, and it quickly became clear they were from the same source, according to the Financial Services Information Sharing and Analysis Center, a cybersecurity consortium of nearly 7,000 financial companies.
“After about four or five members raised their hands to say that they were seeing similar activity, that’s when we started diving into a potential campaign against our members,” said Teresa Walsh, global head of intelligence at FS-ISAC.
The hackers launched distributed denial of service attacks on particular companies to demonstrate their ability to make good on the threats. In DDoS campaigns, a system is flooded with data requests in an attempt to shut it down. In this case, accompanying messages promised more powerful attacks, and daily increases in the amount of money it would take to call them off, if companies didn’t pay.
“This accumulated week upon week. Even months later, we were still seeing extortion emails coming through, and short-lived attacks,” Ms. Walsh said.
The attackers claimed to be from known hacking groups with suspected nation-state ties, such as Fancy Bear and the Lazarus Group, which have been linked to Russia and North Korea, respectively. But the Federal Bureau of Investigation threw cold water on that. On Aug. 28, the agency issued an alert to the private sector, seen by The Wall Street Journal, warning that the attackers were posing as these groups in an attempt to scare targets into paying.
The initial demands were for bitcoin payments equal to $200,000 to $350,000, given bitcoin’s exchange rate at the time. The hackers threatened that their demands would increase daily if they weren’t met.
Ms. Walsh said she wasn’t aware of any FS-ISAC members paying the demands, and only a few follow-up attacks were observed. The global nature of the targets was alarming, she said.
“I was really struck by the scope of the campaign,” she said, citing victims in North America, Latin America, Europe, the Middle East, Africa and Asia-Pacific.
The campaign was notable both for the sprawling number of targets, and the hackers’ solid acquaintance with the structure of financial markets, said Jerry Perullo, chief information security officer at the New York Stock Exchange and its parent company, Intercontinental Exchange Inc.
Demands were sent to a cross-section of the industry—consumer banks, asset managers, clearinghouses, payments companies and credit-ratings firms—but also to companies less known outside the financial sector, such as suppliers of back-office services.
“They definitely did their homework. We saw it not only from the breadth of firms that were targeted, but also in some of the ransom notes. They would cite previous attacks with some specificity in a way that showed that they knew the [financial industry] groupings, if you will,” said Mr. Perullo, who also serves as the chairman of FS-ISAC.
For instance, a note sent to stock-exchange operators cited attacks on other such companies, he said, including New Zealand’s stock exchange, which hackers briefly forced offline in August.
An FS-ISAC representative said the organization believes the campaign and that particular attack are likely linked, but investigations are ongoing. A spokesman for NZX didn’t respond to a request for comment in time for publication.
Each note from the attackers provided payment details for an individual bitcoin wallet address, rather than the same wallet for every target, Mr. Perullo said. That suggests the hackers likely zeroed in on individual firms rather than sending threats en masse.
Large companies are generally adept at fending off DDoS attacks, but the demonstrations launched last year were strong enough to unsettle those who got them, Mr. Perullo said.
The only difference between those demonstrations and genuine attacks, he said, was duration: a real attempt to take down a system would have gone on far longer. He estimated the attacks would have been able to fire sustained volumes of around 100 gigabits per second at target servers—far from the strongest such attacks recorded, but powerful enough to cause concern.