Financial


Understanding the cyber threat:

Financial institutions are leading targets of cyber attacks. Banks are where the money is, and for cybercriminals, attacking banks offers multiple avenues for profit through extortion, theft, and fraud. Nation-states and hacktivists also target the financial sector for political and ideological motivations. Regulators are taking notice and implementing new controls for cyber risk to address the growing threat to the banks they supervise.

The malicious actors behind these attacks include not only increasingly daring criminals, such as the Carbanak group, which targeted financial institutions to steal more than $1 billion during 2013-18, but also states and state-sponsored attackers (see table). North Korea, for example, has stolen some $2 billion from at least 38 countries in the past five years.

 

[Table: Attackers known to have targeted the financial sector: ATK243, ATK157, ATK206, ATK2]

[Figure: Actors in Finance breaches over time]

[Figure: Cost of data leaks in the finance sector, measured in US$ millions. Sectors shown: Healthcare, Energy, Financial. Values shown: $7.13, $6.39, $5.85]

Financial services companies are well aware of the problem and are working hard to combat cybercrime, but huge amounts of money are still being siphoned off every year by cybercriminals ($4.2B in 2020 according to the FBI).

 

State-sponsored adversaries may attack the financial services sector insofar as doing so disrupts an activity essential to the functioning of a state. In 2020, the New Zealand stock exchange was halted by a DDoS cyber attack, which disrupted the cash and debt market for two days.

 

In summary, the motivations of the attackers can be divided into several categories: purely financial (96%), espionage (3%), grudge (2%), fun (1%), ideology (1%).

In the financial sector, in 51% of those cases, the attackers succeeded in encrypting company data. But 62% of victims said they were able to restore fully from backups, and only 25% paid a ransom, the second lowest payment rate of all industries surveyed, 7% below the average.

 

In 2021, 44% of the breaches in this vertical were caused by internal actors, a share that has seen a slow but steady increase since 2017 (Figure 2). The majority of actions performed by these individuals are accidental, including sending emails to the wrong people, which accounts for 55% of all error-based breaches (and 13% of all breaches for the year).

 

As shown in Figure 3, healthcare, energy, financial services and pharmaceuticals experienced an average total cost of a data breach significantly higher than less regulated industries such as hospitality, media and research. This can also be explained by the value of the assets held by financial services. Indeed, bank account and credit card numbers are high-value commodities for cybercriminals looking to monetize information on Dark Web forums.

 

Cyber-extortion actors have understood this well and often target financial institutions specifically. Banco BCR, the largest state-owned commercial bank of Costa Rica, was hit twice by Maze operators in a one-year span. The Maze team boasted about having exfiltrated over 11 million credit card credentials.

 

In March 2021, the Chicago-based insurance company CNA Financial fell victim to a ransomware attack. The attackers disguised the malware as a fake browser update to gain initial access to the system. More than 15,000 servers were encrypted by Phoenix Locker, malware officially developed by the Phoenix threat actor but believed to have a connection with Evil Corp. Sensitive personal information (SSN, medical records, etc.) was stolen by the attackers, and the 7th largest insurance company in the US decided to pay the ransom, which, at $40 million, is the highest amount ever recorded.

Threat actors are increasingly turning to large-scale fraud, directly targeting banks' networks rather than relying on stolen payment information to carry out fraudulent transactions. One player that illustrates this trend is the Lazarus Group. Affiliated with North Korea, the group has pioneered the targeting of SWIFT terminals. SWIFT is a messaging network providing financial institutions with a secure place to perform monetary transactions.