Hackers have been attacking “systemically important financial institutions” in Australia (banks, insurance companies, etc.) in a sustained burst, revealing weaknesses that the Reserve Bank of Australia (RBA) says “could present a risk to the integrity and stability of Australian financial institutions”.
Account balances are among what is at risk, it says, warning of “loss of data integrity of account balances”. Bank error, but not in your favour.
“Real-life adversaries such as state-sponsored attackers are neither constrained by scope nor time,” the Council for Financial Regulators said. “[Red Team] exercises mimic adversaries through fewer traditional testing restrictions and longer time duration to fully exploit opportunities.”
Red herring
The IT help desk rings. It’s Bob. He’s going to fix the problem you’ve been having on your work computer. He just needs you to give him the access code. What do you do?
After that he was in. Behind the scenes, in the system, able to do damage.
The only good news is that Bob’s not a Russian or a Chinese agent. He’s not organised crime either. He’s getting paid so he doesn’t need to steal. Bob is a hacker who came to the light side, doing what they call “Red Team” work in a new program run by the Council for Financial Regulators. (The RBA chairs the council.)
Red Teams probe big companies using real hacker techniques — lying to people, dropping dodgy USBs full of malware, exploiting the company WiFi, emailing staff impersonating other people. Their tactics are informed by what Australia’s spy agencies say our enemies will do: try to steal data, plant code that can destroy systems, install ransomware, put through illegitimate transactions, etc. When Red Teams go to work, staff are not told it is happening.
Australian Red Team professional Riley Kidd puts it like this: “One of the first scoping questions we ask is: ‘What’s the worst thing that can happen to your business?’ And then we try to do it.”
Bob’s story of his successful hack is beautifully told; I recommend it to you. It’s anonymised so we have no idea if the story applies to a major Australian bank. But it might. Because we know “Bob’s” company is a big Red Team provider in Australia, and we know the big banks just went through a Red Team exercise.
Red Team spills blood
The first Red Team attacks against Australia’s major financial institutions recently concluded and the results are apparently not something to be proud of.
The first attack was a pilot program, focusing only on a “small number of systemically important financial institutions”. What it found is concerning: “Common strengths among the participating institutions, as well as weaknesses that could present a risk to the integrity and stability of Australian financial institutions.”
For a country like Australia where mortgage debt is so large and the banks are such an enormous share of our economy and sharemarket, bank “integrity and stability” are critical.
What kind of attack could affect stability? If banks, payment systems or the stock exchange are taken offline for extended periods, or if bank balances or transaction data are disrupted, the effect on confidence could be huge. Financial institutions rely on confidence to survive. It’s oxygen for them. Nobody leaves their money in a bank they think could lose it, or could leave them unable to access it.
And when the financial system wobbles, the economy tends to collapse, as the global financial crisis showed us. The stakes are extremely high.
Cyber time
The RBA has been worried about cyber risk for a while but the concern is turning to fever pitch. It is responsible for Australia’s financial stability, and as the next graph shows, its biannual review of the issue — historically about bad lending and prudential regulation — is increasingly about cyber risks and hacking (excluding a dip in 2020 when it worried about a more traditional kind of virus).
Russia’s invasion of Ukraine raises the probability of hacking attacks against the West. The RBA said in its most recent financial stability review that “a significant cyber event is inevitable and could have systemic implications”.
Inevitable.
Now the RBA knows how important confidence is for financial stability. It wouldn’t use the word “inevitable” unless it really meant it. It is obviously desperate for the banks to ramp up investment in cyber defences.
I contacted the big four banks to ask how the Red Team pilot program went. They were all very tight-lipped. I asked some soft questions such as: is the bank investing in cyber defence? And I asked questions they’d rather not hear, such as: are people’s bank balances safe? Some dodged, some didn’t even reply. I got no answers.
However, as the guiding framework for the hacking exercise lays out, the “remediation plan should be considered very sensitive and valuable to adversaries”. So reticence is probably strategically wise.
From the RBA I got two one-word responses. It told me, yes, the feedback phase after the Red Team attacks is over, and, yes, it provides impetus to invest more in cyber defence.
We are left to draw our conclusions about just how bad things might be from the information it has already published, which is not comforting:
“Cyber attacks are more likely than other types of incidents to be systemic: a well-resourced and sophisticated adversary seeking to cause widespread distress will actively exploit cyber vulnerabilities to maximise the impact of their attack (including by affecting multiple institutions),” says the Financial Stability Review.
“Cyber-attackers could be motivated by financial gain or a desire to disrupt — the latter is more concerning because it is harder to defend against.”
Banks may not say it but they are obviously shoring up defences. If you look on major job websites you can find big banks hiring cybersecurity professionals directly and through job agencies. Westpac is looking for someone with expertise in the “Cyber Kill Chain”, for example. But there’s a massive shortfall of experienced cybersecurity professionals.
“In the last year, there were 21,000 cybersecurity roles advertised in Australia, up from 14,000 in the previous reporting period,” former AustCyber CEO Michelle Price said. “But despite a 50% increase in job advertisements, the skilled workforce only grew by 25%. This data shows a significant gap in our skilled workforce, and we don’t see this demand slowing.”
Pay in the sector is high. Lots of job agencies and recruiters are hiring for anonymous clients, with some paying around $1000 a day.
We can only hope the banks use their deep pockets to get the people they need to keep our bank balances — as well as our financial system and economy — safe.
This article was first published by Crikey.