As the Russia-Ukraine war closes in on its fifth month, many U.S. financial institutions — far from the fighting front, and inundated with other economic, logistical and business concerns closer to home — may let their guards down when it comes to cyber-threats emanating from that foreign war.
But according to research and advice from at least one leading financial technology analyst, now is not the time to drop the ball on cybersecurity and tracking potential intrusions from nation-states like Russia and the cybercrime syndicates they might back.
“The threat is definitely heightened for financial institutions and critical infrastructure across the board," said Tracy C. Kitten, director of fraud and security at Javelin Strategy & Research.
In her research note entitled “Shields Up: How Financial Institutions Should Brace for Targeted Cyberattacks,” Kitten pointed out that as Russia’s real-world onslaught on Ukraine continues, many Western countries, including the United States, have effectively put the thumb-screws to Russia in the form of economic sanctions and the support they are throwing behind Ukrainian military.
“The U.S. government has warned of possible Russian retaliation in the form of cyberattacks against U.S. firms and interests,” she said in the research note.
For months now, financial industry advisers and government notices have notified banks, credit unions and other financial institutions that Russia’s invasion of Ukraine “could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland,” largely in retaliation for U.S.-imposed sanctions and military support of Ukraine.
However, going back to the earliest guidance issued by the Cybersecurity & Infrastructure Security Agency (CISA) on Feb. 23, just a few days after Russia’s initial invasion of Ukraine, Kitten pointed out that governmental bodies have offered little in the way of “specifics about what banks should do or the types of attacks or vulnerabilities they should look out for.”
To some extent this approach is “likely by design, as publicly disseminated information would also be readily accessible to adversaries,” she said in her research note. Kitten's research note added, “Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks... Every organization — large and small — must be prepared to respond to disruptive cyber incidents.”
“The issuance of CISA’s ‘Shields Up’ [memo] has not been ignored by financial institutions, but it offers little tangible or new advice,” Kitten said in an interview. “Like with any geopolitical threat, financial institutions stay on heightened alert for attacks that could take them offline, like distributed denial-of-service attacks, or be used as a guise for something else.”
To a great extent, most of the recommendations from CISA and other cybersecurity groups focus on the same basic network security block-and-tackling and incident-reporting that most financial industry compliance and critical infrastructure guidance requires already.
In the wake of the SolarWinds attack 18 months ago, U.S. financial institutions are urged not only to be mindful of the potential impact from head-on breaches to their own networks, but the effect of supply-chain shakeups if Russian or nation-state-backed bad actors intrude on related industries or overarching infrastructure.
“Executives at some of the leading [U.S.] financial institutions have reiterated their commitment to being vigilant against threats from Russia,” Kitten said in her research note. “But Shields Up warnings related to specific threats from Russian attackers have not necessarily altered the normal course of cyber defense for most financial institutions.”
“The posture remains that everything is concerning,” she added, “network monitoring and threat mitigations are constant, and best practices always must be reviewed and routinely followed.”