Damaging exposure by WikiLeaks puts CIA’s cyber tools in hackers’ hands

Criminals use leaked techniques to exploit financial systems at small banks, credit unions


When WikiLeaks released details about the CIA’s arsenal of hacking tools last month, it was like Christmas arrived early for hackers who specialize in cracking into the business networks of financial services companies.

Mandiant, the forensics division of malware detection vendor FireEye, affirmed as much in its M-Trends 2017 report, issued shortly thereafter. The Mandiant report disclosed how cyber criminals have quickly embraced CIA-type tools to juice up their banking system attacks.

I spoke to Bob Thibodeaux, chief information security officer at Seattle-based DefenseStorm, about this. DefenseStorm provides a security service for community banks and credit unions that monitors network traffic—specifically event log data—for malicious activities.

Related infographic: Cyber robbers reel in small banks, credit unions

“What we are seeing with the leak of the CIA’s attack tools is that cyber criminal elements are actually taking advantage of the knowledge of those tools for their attacks,” Thibodeaux told me. “We are seeing them actually using the kinds of tactics that the government actors are using to exploit financial firms, specifically.”

These cutting-edge attacks are showing up in banking systems in Southeast Asia, according to Mandiant. But it may be only a matter of time before use of similar tactics, leveraging the CIA leak, spreads to banks in other regions.

Bob Thibodeaux, DefenseStorm chief information security officer

“The attackers are using tools that Windows system administrators would use to actually stay on the network, monitor traffic, figure out how the banking process works, and then steal tens to hundreds to millions of dollars,” Thibodeaux says.

Community banks and credit unions in the United States are likely to be targeted because they are less well-defended than the big multinational banks.

It is all too typical for a small bank or credit union to rely on basic network defense systems, even though malicious probes and communications with criminal command-and-control servers are nonstop.

Unfortunately, it’s not going to get any easier for smaller banks and credit unions to play catch-up, much less neutralize cyber attacks over the longer term—without help, Thibodeaux says.

“One of the reasons why we entered into this business is we want to help these smaller financial institutions protect themselves,” he says. “We know that budget is very tight and smaller organizations don’t have a lot of IT staff. So we can help them, we can do the staff augmentation and be the experts for them.”

More stories related to WikiLeaks and attacks on financial firms:
Cyber robbers want cold, hard cash—and they’re finding it at small banks, credit unions
Small banks, credit unions on front lines of cybersecurity war
How bad is recent WikiLeaks document spill about CIA? Look beyond headlines