A question we often get asked is “why would APTs target my organisation, what could a state sponsored attacker possibly want with us?” While the core areas of government and the defence establishment seem like obvious targets, and to most people there is an intuitive understanding of the motivations behind those attacks, you don’t have to wander far from these sectors for the understanding to become a bit more clouded.
One of the more interesting sectors in regard to this, and an area where we find this type of question arises a lot, is the financial services sector. Generally, organisations in the finance sector are above the median in terms of their overall security posture and understand their traditional threats very well. The motivations of their traditional foes, in the form of criminal actors, are comfortingly straightforward and indeed haven’t changed that much from the days of Tommy-gun-wielding public enemies making off on the running boards of vintage Chevys.
Beyond the bank robber motivations what else is likely to drive attacks against this sector?
Aside from the motivation provided by immediate financial benefit, attackers will also take the longer view and go after finance sector companies due to their involvement in sensitive commercial projects. For example where they might provide funding for development, new ventures or exploration, or where they may be involved in merger and acquisition activity. Fairly closely related to this is the likelihood that many finance companies, whether they realise it or not, aggregate information from a wide range of third-party organisations that are valuable targets themselves.
Regardless of specific tasking or immediate prospect of monetisation, this aggregated information is likely to be of great interest to both cyber criminals and more targeted groups alike. This type of information could be capitalised upon by criminal actors for financial benefit through more in-direct means, such as piggy-backing on associated stock movements; and on the targeted side this information is invaluable intelligence for state-owned enterprises on the one-hand, as well as more traditional industrial/commercial espionage on the other. The insight provided by access to this information could be leveraged to provide a competitive edge in commercial negotiations or bidding processes, or through revealing competitor business plans more generally.
Another angle is hinted at by the Gauss infections originally publicised by Kaspersky in 2012. While it is difficult to define the exact intent of the people behind Gauss, the inclusion of capability to target several financial institutions raises interesting questions around targeting by state-sponsored actors. In-keeping with Kaspersky’s proposed attribution of Gauss and its purported siblings (Stuxnet, Duqu and Flame) to an Israeli state entity, one could postulate that such a program would serve to provide valuable FININT to a state intelligence mission, perhaps highlighting the movement of funds which eventually end up fuelling the work of groups of interest such as Hezbollah.
Regardless of whether or not this particular theory is correct, as a general rule a subset of state-sponsored targeted attack groups will have an interest in financial institutions in order to track the finances and financing of groups of interest. While there are often legal frameworks allowing this access and analysis, in situations where this may not be possible through the usual law enforcement means the arts of cyber espionage may be leveraged. In essence this highlights how traditional intelligence gathering for national security related purposes is a likely motivation for state-sponsored groups, alongside the IP theft/economic advantage motivations that have dominated many of the campaigns brought to light in recent times.
Beyond this there is also the as yet hypothetical case of attackers penetrating financial institutions in order to stage tools to facilitate disruption of financial markets, payment systems and global money flow as an offensive capability (getting into that much hackneyed area of Cyber Warfare). Although this has yet to be seen, we have seen some pointers to this previously, in the form of the 2007 Estonian internet attacks and the attacks against Georgian websites during the 2008 Russian-Georgia conflict. While entirely hypothetical at this stage it would seem to be a safe bet that many states would at least consider developing this capability - not to mention the aspirations of hacktivist groups or nationalistically motivated "cyber-militias".