Russian Bank Robbers

The financial sector is a prime target for criminal cartels and nation-state actors. Criminals seek a lucrative market, and nation-states treat profit as a form of sanctions-busting. The high volume of Russian-speaking gangs and the current sanctions against the Russian state make Russia a major threat to financial institutions today.

The reason that financial institutions are under constant attack is simple: that’s where the money is today. This is no different from the statement attributed to the famous 1930s bank robber Willie Sutton, who, when asked why he robbed banks, replied, “I rob banks because that is where the money is.” The 21st-century bank robbers are advanced criminal gangs (often part of a larger cartel) and nation-states. The nation-state attackers are particularly North Korean or Russian, and the proceeds are used to offset sanctions. According to the World Economic Forum, the proceeds associated with the dark web are more than $1 trillion per year, and it is estimated that more than 50% of that goes right back into the Russian economy, or into President Putin’s personal bank accounts.

The complexity of the Russian threat comes from the connections between the criminal cartels and the Russian state agencies. Consider ransomware: most of the ransomware gangs are Russian speaking, which is why most ransomware will not detonate on a machine that has a Russian language package installed. But in order to exist as a ransomware gang, typically part of a larger cybercrime cartel, you have to pay homage to the GRU [the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation] and the FSB [the Federal Security Service of the Russian Federation].

The way you do that is to share your information, or more specifically, access to the RAT you left behind. And if called upon to be patriotic, you may be asked to be more destructive in your endeavors within the financial institutions. ‘Destructive’ in the finance sector does not mean the deployment of a wiper to destroy systems, but manipulation of the data to make it wrong or worthless.

The Russian government doesn’t want to take down the financial sector, because it is regularly robbing that sector to offset economic sanctions. What the attackers will typically do is leverage destructive attacks as part of counter-incident-response when they realize that law enforcement has become involved. While ransomware is up this year, it does not represent the primary source of income for criminals. That comes from market manipulation through the abuse of stolen financial information.

Financial acumen might help with malicious digital insider trading, but it is far from necessary. What matters is understanding that non-public market information is worth more than money, because whoever holds it can act on it before the rest of the market does.

Investigators report that a simple way of getting this information is to target the laptops used by the people who manage the portfolios and market strategies of the financial institutions. Criminals can spy on them until they see a major position about to be taken, or find a presentation that is about to be made to senior management.

Every financial institution has a surveillance department that conducts traditional surveillance for regulatory compliance on everyone who conducts finance. Unfortunately, there is a disconnect between the surveillance department and the cybersecurity department. The surveillance department is looking for a traditional insider threat rather than a digital insider threat. A trader might not have been a threat himself, but there was something on his machine that could be used by others as an advantage.

One of the biggest year-on-year threats reported has been called island hopping. Island hopping is similar to a supply chain threat, but differs in that in the finance sector there is no clearly defined end target, such as a prime contractor. Each hop opens multiple new possibilities (targets), and the criminals will not stop “hopping” as more targets emerge.

The concern over cryptocurrency exchange security is not because they are financial institutions, but precisely because, in the technical sense, they are not financial institutions.  In short, they are not controlled or regulated in the same way as official financial institutions.  The security of crypto exchanges is minimal because of an over-reliance on the security of blockchains.  Many of these exchanges realize that they are complicit in the laundering of cybercriminal proceeds, and they just turn a blind eye to it because they don’t have any reporting requirements and they still earn their fees.[1]

But at the same time, financial institutions are moving to fintech through digital transformation.  The financial institutions are trying to become part of the new digital world and they are partnering with these exchanges and virtual currencies to facilitate adoption and greater liquidity for proceeds from retail customers.  Where this becomes interesting and potentially damaging is in the use of APIs between the two organizations, and the ongoing surge in API attacks.  As a result, the poor security posture of a crypto exchange could lead to island hopping via an API into the financial institution.

It is currently the practice that CISOs at financial institutions still report to the CIO. Cyber threat professionals have stated the opinion that if there was ever an industry that necessitates the CISO to be more significant than the CIO, it is finance.   There may be a conflict of interest for a CIO to be managing a CISO in the financial sector. The charter of financial institutions is safety and soundness and trust and confidence. But in the age of digital transformation for financial institutions, the CIO will inherently increase the attack surface.  The CISO is more concerned with risk management and risk management should be the dominant paradigm in finance.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.   For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or    


Weekly Cyber Intelligence Briefings:

