Financial Sector Terrorism Threat GrowsRisk Posed By ISIS Continues to Increase, Experts Warn
Senior U.S. and U.K. law enforcement officials are warning that there's an increasing risk that financial markets and banking institutions will be targeted by cyberterrorists.
Beginning in early 2015, the New York District Attorney's Office and the City of London police, who respectively have oversight over the financial markets in New York City and London, say they will begin embedding permanent members of staff in each other's organization to facilitate better cross-border collaboration.
New York District Attorney Cy Vance announced the arrangement Nov. 19 at a Federal Reserve Bank of New York cybersecurity symposium, together with City of London police force commissioner Adrian Leppard. "The same people that are hitting us in New York are very likely hitting Adrian in London," Vance told the symposium, reports Time. Vance noted that the two groups' offices had already worked closely together to investigate an account takeover and money-laundering scheme involving user accounts at eBay subsidiary Stubhub. Ultimately, three Americans and three Russians were charged with stealing 1,600 accounts and more than $1 million in tickets.
The move to increase cross-border coordination comes as attacks against financial sector institutions have continued to escalate, as well as in the wake of increasing fears over the likelihood that terrorists groups might attempt to trigger widespread outages or chaos.
"There could be a very serious impact to the financial institutions of the world through a cyber-attack, and I think it's a very strong likelihood that it will happen one day in the future, which is why we've got to push back and take action now before it happens," City of London police commissioner Leppard tells the Financial Times. Of particular concern, he says, is the Islamic State, better known as ISIS or ISIL, (see What Cyberthreat Does ISIS Pose?).
Leppard's warning echoes that of Benjamin Lawsky, who heads the New York Department of Financial Services. In September, Lawsky voiced concerns over the potential damage that an "Armageddon-type cyber event" could wreak havoc on financial markets. "Cybersecurity experts will tell you when they get in a room with a bunch of CEOs to talk about this, there's only two types of people they meet: people who have been hacked and know it and people who have been hacked and don't know it," Lawsky said at a recent event, the Guardian reports.
Already, of course, financial exchanges have been regularly targeted by attackers, although their intentions aren't always clear. "Evidence [suggests] that all of the stock exchanges in the world have been breached in the last 10 years, Nasdaq, London Stock Exchange, all of them," London police commissioner Leppard told the Financial Times. Likewise, numerous banks have been breached, including JPMorgan Chase. Based on what's been publicly disclosed about the investigation of the Chase breach, neither the attacker, nor the goal of the attacks, is clear.
Of course, law enforcement agencies and policymakers have been warning for years that extremist groups might target so-called critical infrastructure, referring to everything from power grids and water supplies to the health system and banking industry. The vast majority of that infrastructure is privately owned.
Some security analysts question the usefulness of warnings, such as that issued by Leppard. "The commissioner does not appear to have been drawing upon any specific intelligence, but merely citing ISIS as a well-known terrorist group for illustration," threat-intelligence sharing firm iSight Partners says in a research note. "Predicting that cyber-attacks will occur against UK banks at some point in the future seems more designed to generate political impetus for change than provide any actionable information."
But information security expert Mikko Hypponen, who's the chief research officer for anti-virus vendor F-Secure, based in Helskinki, Finland, says that law enforcement agencies are correct in their assessment of the increased risk to the critical infrastructure posed by extremist groups. "Should we take them seriously? Yes, we should," Hypponen tells Information Security Media Group. "Have we seen online terror attacks? Not yet. But the situation is not getting better. It's getting worse."
In 2012, at the RSA information security conference, Hypponen delivered a "Terrorist Groups in the Online World" presentation, which featured the results of his research into how terrorist groups were operating online. At the time, he said that while "terrorists and extremist groups who want to kill people use the Internet," they most often use it to communicate with each other, as well as to run propaganda sites. One example was the gruesome "baghdadsniper" site, which was apparently run by a group of snipers in Iraq who specialized in killing Western military personnel and posting related videos.
Since then, however, extremist groups have continued to refine their skills. "The research I did in 2012 was valid at the time: there were no terror groups with a credible capability of doing online attacks at the time," Hypponen says. "That has now changed with ISIS."
Hackers Are Joining ISIS
Rather than developing hacking skills internally, furthermore, ISIS has been attracting new recruits that already have serious information security skills, Hypponen says. "ISIS has among their roster several western hackers who have moved to Syria or Iraq and are operating among them," he says. "Some of them are good enough to be taken seriously. ISIS also operates sites in the deep Web - Tor hidden services - that are asking for donations for the Islamic State in bitcoins."
ISIS has also been developing online courses, with members "actively educating each other on hacker tactics," he says, citing as just one example an ISIS online course about how to use the open source Metasploit penetration testing toolkit.