Cybersecurity: Nation-State Actors, Encrypted Cybercrimes and Man-in-the-Middle Attacks

CNN recently reported that the banking industry generally escaped the devastating impact of the global WannaCry ransomware attack.1 Evidence is mounting steadily that North Korea was linked to this cyberattack and blame has also been directed at other countries.2

This article sheds light on the perplexing issue of cyberattacks by nation-state actors, given its diverse mix of stakeholders, disinformation, political and financial motivations, tools and methods deployed. In addition, this article explores two other cybersecurity concerns that impact financial transactions: encrypted cybercrimes and man-in-the-middle attacks.

Nation-State Actors

Discussions of financial system vulnerabilities have been broadened to include warnings of cyberattacks by nation-states and their proxies.3

BankInfoSecurity4 and CNN5 recently reported on evidence that North Korea-linked hackers—a group referred to as Lazarus or Bluenoroff—have been behind recent cyberattacks on financial institutions in Africa, Asia, Europe, the Middle East and Latin America. Funds stolen through these cyberattacks have allegedly advanced North Korean nuclear weapons development.

International concern about nation-state-sponsored cyberattacks on banks and other critical infrastructure dates back at least 10 years.6

In 2007, Estonian authorities alleged that computer hackers, aligned with the Russian government, launched distributed denial-of-service (DDoS) attacks against Estonian banks and government agencies. These cyberattacks were reportedly a Russian response to an Estonian decision to move a Soviet World War II memorial from downtown Tallinn, leading to protests from the Russian government and ethnic Russians in Estonia. The Russian government denied involvement.7

In 2008, Georgian banks, government agencies and infrastructure were the targets of similar DDoS attacks, reportedly executed by computer hackers aligned with the Russian government. These cyberattacks coincided with Russian military action to curb Georgian efforts to increase its control over the South Ossetia and Abkhazia regions, which have had historically strong ties to Russia. The Russian government denied involvement.8

Fast forward to 2015, when U.S.- and U.K.-based banks topped the list of the world’s largest and most interconnected global banks, as if to foreshadow cyberattacks targeting larger financial institutions that could have broader global consequences.9

In 2016, cyberattacks aligned with North Korea were in the news. Specifically, the North Korean government was suspected of launching cyberattacks against Asian banks in South Korea, the Philippines, Vietnam and Bangladesh for financial gain.10

In addition, in 2016, the U.S. Justice Department charged seven computer specialists, who reportedly performed work on behalf of the Iranian government, with cyberattacking U.S. financial institutions, such as Bank of America, NASDAQ, the New York Stock Exchange, Capital One Bank, ING Bank, Branch Banking and Trust Company, Fidelity National Information Services, U.S. Bank and PNC Bank.11

Cyberattacks by nation-state actors, unscrupulous business competitors and their proxies may target not only personally identifiable information, but also corporate intellectual property, competitive trade secrets and confidential business information.12

Encrypted Cybercrimes

Encryption is the conversion of data into another form or code, so that it might be read only by those who have access to a secret decryption key or password. Ciphertext refers to encrypted data. Plaintext refers to unencrypted or decrypted data.13

Warnings of cyberattacks by nation-states and their proxies have led information security leaders to support stronger encryption, so that data and financial transactions might be protected from malware and malicious third-party eavesdropping. In addition, cybersecurity leaders have opposed requirements for backdoors that could weaken encryption.14

However, stronger encryption can make financial crimes investigations more complex, as criminal organizations and terrorists take advantage of encrypted communications to evade detection.

North Korea has been linked to recent ransomware cyberattacks, in which hackers demand that victims pay a Bitcoin ransom for a decryption code to unlock data encrypted by a virus that infected the victim’s computer or smartphone.15 Evidence is mounting steadily that recent WannaCry ransomware attacks were orchestrated by North Korean hackers who operate in other countries.16

North Korean representatives at the U.N. have denied links to the global WannaCry ransomware cyberattack. They have also denied the recent cyber hacking of a U.N. expert, who monitors violations of sanctions that are designed to prevent North Korean weapons development.17

To gain access to global banks and financial services, North Korea has reportedly evaded sanctions imposed by the U.N.18 and the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC),19 by channeling transactions through agents and front companies operating outside of North Korea. North Korea also restarted its Cold War-era practice of using shortwave radio to broadcast encrypted messages, which may be directed at its spies or agents operating outside of North Korea.20

Latin American drug cartels have reportedly laundered money and created investigative blind spots by using encrypted networks21 and apps to shield their electronic communications from surveillance.22

The Islamic State of Iraq and Syria (ISIS) has reportedly shielded its online communications from detection by using free TrueCrypt encryption software, which has been one of the strongest encryption programs since its release in 2004.23

In 2016, the Miami Herald reported the arrest of three members of Hezbollah, the Middle Eastern terrorist group that was suspected of laundering cocaine money for a Colombian cartel. The suspects reportedly used a complex global web of encrypted communications and financial transactions to move $500,000 into banks in Miami.24

Encrypted communications and financial transactions may still be subject to legally compelled production and criminal investigations.25

Man-in-the-Middle Attacks

The European Banking Authority recently called for stronger encryption to secure communications for payment services and to prevent both manipulation by, and misdirection of communications to, unauthorized parties through man-in-the-middle attacks.26

In a man-in-the-middle attack, a cyber-attacker intercepts a user’s online communications. Through this interception, the cyber-attacker might gather information as it is transmitted over the network. Computer and handheld device users are vulnerable to such attacks. Encryption can provide an effective safeguard against man-in-the-middle attacks.27

International cybercriminal groups have used man-in-the-middle attacks to intercept corporate payment requests, with the ultimate goal of having payments made into accounts that they control.

One such cybercriminal group included 49 suspects in Belgium, Cameroon, Georgia, Italy, Nigeria, Poland, Spain and the U.K. The 49 suspects allegedly used man-in-the-middle attacks to divert international fraudulent payments totaling 6 million euros over a relatively short period of time. European law enforcement made this investigation public following arrests of the 49 suspects, searches of 58 properties and seizures that included computers, disks, telephones, handheld devices, credit cards, SIM cards, memory sticks, forged documents and bank account documents.28

The FBI has warned of internet scams that similarly involve financial losses from man-in-the-middle attacks, including the email-related international Business Email Compromise (B.E.C.) scheme and Operation Romeo and Juliet, which involves victims who are targeted when they subscribe to online dating services.29

Vulnerable Wi-Fi hotspots expose personal and work devices to significant cyberattacks and financial losses. Yet, public awareness of this vulnerability is relatively low. Use of unsecure Wi-Fi hotspots can expose users to man-in-the-middle attacks that allow cybercriminals to invade personal privacy, including location-based tracking, message interception and conversation eavesdropping.30

Related cyberthreats include man-in-the-browser attacks, which can put online banking at risk. Man-in-the-browser attacks may allow a cyber-attacker to use a malware trojan to bypass encryption and intervene undetected in a legitimate authenticated online financial transaction. Such undetected intervention may allow the cyber-attacker to modify the financial transaction as it occurs.31 Other related cyberthreats include man-in-the-mobile, man-in-the-app, man-in-the-cloud and man-in-the-IoT attacks.32

In conclusion, on the perplexing issue of cyberattacks by nation-state actors, responses may include the following:

  • Research cyberattacks by nation-state actors and commercial and governmental responses to such cyberattacks. Online search terms like “advanced persistent threats” (APTs) may be helpful. APTs often cover large-scale cyberattacks incited by nation-states—such as China, Russia, Iran and North Korea33—or by hacking groups, companies or organizations that serve as their proxies.34 APTs may also include cyberattacks that are directed at major institutions by foreign terrorists and criminal organizations.35
  • File timely suspicious activity reports (SARs), pursuant to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network’s recently issued advisory to financial institutions on cyber-events and cyber-enabled crime.36
  • In addition to filing SARs, other public-private information sharing options may include those outlined by the Cybersecurity Information Sharing Act of 2015 (CISA),37 a U.S. federal law designed to encourage public-private information sharing on cyberthreats.38 Please note:
    • CISA is not a substitute for other federal reporting, such as timely SAR filings.39
    • CISA submissions must be attentive to information privacy and cybersecurity concerns, given the possibility of a CISA data breach by cybercriminals, including nation-state actors and their proxies.40
    • CISA has been criticized by information privacy and civil liberties groups, like the Electronic Frontier Foundation (EFF)41 and the American Civil Liberties Union (ACLU).42
  • Join the call for stronger international agreements and alliances among governments and law enforcement agencies, prompted by the recent wave of cyberattacks backed by nation-states.43 Microsoft’s president recently called on world governments to develop and adhere to global cybersecurity rules—essentially a modern-day “Digital Geneva Convention”—that would deter cyberattacks by nation-states.

On the encryption of cybercriminal communications and financial transactions, responses may include forced decryption,44 subpoenas and search warrants,45 detentions46 and prosecutions,47 although information privacy and civil liberties groups, like the EFF and the ACLU,48 have raised significant objections. To look into ransomware related news and prevention tools, online search terms like “cyber extortion,” “digital blackmail” and “cyber shake-down” may be helpful.49

On man-in-the-middle and man-in-the-browser attacks, responses may include cybersecurity solutions, such as virtual private network (VPN) services,50 multi-factor authentication, digital signing and timely security updates to operating systems, applications and antivirus protection.51
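As an added illustration, not taken from the article or any source it cites, of how digital signing (one of the responses listed above) lets a payee detect a diverted payment request: the payer signs the instruction with Ed25519 from the Go standard library, and any change to the beneficiary in transit fails verification. The PaymentRequest fields, the in-memory key handling and the account strings are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentRequest is a constructed stand-in for the kind of corporate payment
// instruction the article describes being intercepted and redirected.
type PaymentRequest struct {
	Reference   string `json:"reference"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
	Beneficiary string `json:"beneficiary"` // account the funds are sent to
}

// canonical serialises the request deterministically so signer and verifier
// operate on exactly the same bytes. encoding/json emits struct fields in
// declaration order, which is enough for a fixed struct like this one.
func canonical(p PaymentRequest) ([]byte, error) {
	return json.Marshal(p)
}

// Sign produces a detached Ed25519 signature over the canonical form.
func Sign(priv ed25519.PrivateKey, p PaymentRequest) ([]byte, error) {
	msg, err := canonical(p)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify reports whether sig is a valid signature by pub over p. Any change to
// any field (beneficiary, amount, ...) after signing makes this return false.
func Verify(pub ed25519.PublicKey, p PaymentRequest, sig []byte) bool {
	msg, err := canonical(p)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo walks through the scenario: the payer signs, an intermediary rewrites
// the beneficiary, and the payee's verification step rejects the altered
// request. It returns (originalValid, tamperedValid, error).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		return false, false, err
	}
	original := PaymentRequest{"INV-2017-0042", 1250000, "EUR", "PAYEE-ACCOUNT-EXAMPLE"}
	sig, err := Sign(priv, original)
	if err != nil {
		return false, false, err
	}
	tampered := original
	tampered.Beneficiary = "DIVERTED-ACCOUNT-EXAMPLE" // the in-transit change
	return Verify(pub, original, sig), Verify(pub, tampered, sig), nil
}

func main() {
	ok, tamperedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", ok, tamperedOK)
}
```

The check only helps if the payee already holds the payer's public key through a channel the intermediary cannot alter; distributing that key is the part a signature scheme does not solve by itself.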

To succeed in today’s global business and political climate, financial institutions must be attentive to political ambitions and financial motivations behind cyberattacks. Cybersecurity risk management must be responsive to such evolving realities and to tools and methods—such as encrypted cybercrimes, ransomware and man-in-the-middle attacks—that may be deployed by nation-state actors, unscrupulous business competitors, proxies, drug cartels and terrorist groups.

Miguel Alcántar, CAMS-FCI, compliance advisor, Oakland, CA, USA, alcantar@aya.yale.edu

For information on how you can identify where your organization is most vulnerable to a cyber-attack, please visit: http://www.acams.org/cyber-enabled-crime-training/.

  1. Mark Thompson and Jethro Mullen, “World’s biggest cyberattack sends countries into ‘disaster recovery mode,’” CNN, May 14, 2017, http://money.cnn.com/2017/05/14/technology/ransomware-attack-threat-escalating/
  2. David Josef Volodzko, “Is North Korea Behind WannaCry Virus?,” South China Morning Post, May 20, 2017, http://www.scmp.com/week-asia/geopolitics/article/2094980/north-korea-behind-wannacry-virus
  3. Gary Robbins, “Waging war with no bombs or missiles,” San Diego Union-Tribune, October 28, 2016, http://www.sandiegouniontribune.com/news/science/sd-me-cyber-warfare-20161014-htmlstory.html
  4. Jeremy Kirk, “Kaspersky Links North Korean IP Address to Lazarus,” BankInfoSecurity, April 4, 2017, http://www.bankinfosecurity.com/kaspersky-links-north-korean-ip-address-to-lazarus-a-9810
  5. Jose Pagliery, “North Korea-linked hackers are attacking banks worldwide,” CNN, April 4, 2017, http://www.cnn.com/2017/04/03/world/north-korea-hackers-banks/
  6. Robert Windrem, “Timeline: Ten Years of Russian Cyber Attacks on Other Nations,” NBC News, December 18, 2016, http://www.nbcnews.com/storyline/hacking-in-america/timeline-ten-years-russian-cyber-attacks-other-nations-n697111
  7. Associated Press, “A look at Estonia’s cyberattack in 2007,” NBC News, 2009, http://www.nbcnews.com/id/31801246/ns/technology_and_science-security/t/look-estonias-cyber-attack/
  8. Jeremy Kirk, “Georgia cyberattacks linked to Russian organized crime,” Computerworld, August 17, 2009, http://www.computerworld.com/article/2527019/government-it/georgia-cyberattacks-linked-to-russian-organized-crime.html
  9. Paul Glasserman and Bert Loudis, “A Comparison of U.S. and International Global Systemically Important Banks,” United States Treasury Department, Office of Financial Research (OFR) Brief Series 15-07, August 4, 2015, https://www.financialresearch.gov/briefs/files/OFRbr-2015-07_A-Comparison-of-US-and-International-Global-Systemically-Important-Banks.pdf
  10. Nicole Perlroth and Michael Corkery, “North Korea Linked to Digital Attacks on Global Banks,” New York Times, May 26, 2016, https://www.nytimes.com/2016/05/27/business/dealbook/north-korea-linked-to-digital-thefts-from-global-banks.html
  11. “United States of America v. Ahmad Fathi, Hamid Firoozi, Amin Shokohi and Sadegh Ahmadzadegan a/k/a ‘Nitr0jen26,’ Omid Ghaffarinia a/k/a ‘PLuS,’ Sina Keissar, and Nader Saedi a/k/a ‘Turk Server,’” Sealed Indictment 16 CRIM 48, United States District Court Southern District of New York, https://www.justice.gov/usao-sdny/file/835061/download
  12. Steve Bychowski, “Cybersecurity 2017–The Year In Preview: Trade Secret Theft Takes Center Stage,” Security, Privacy and The Law, November 21, 2016, http://www.securityprivacyandthelaw.com/2016/11/cybersecurity-2017-the-year-in-preview-trade-secret-theft-takes-center-stage/
  13. Nate Lord, “What Is Data Encryption?,” Digital Guardian, January 27, 2017, https://digitalguardian.com/blog/what-data-encryption
  14. Robert Ackerman Jr., “The Rise of Nation-State Cyber Attacks Makes Encryption More Crucial Than Ever,” RSA Conference, September 20, 2016, https://www.rsaconference.com/blogs/the-rise-of-nation-state-cyber-attacks-makes-encryption-more-crucial-than-ever#sthash.QHab4cq4.dpuf
  15. Paul Mozur and Choe Sang-Hun, “North Korea’s Rising Ambition Seen in Bid to Breach Global Banks,” New York Times, March 25, 2017, https://www.nytimes.com/2017/03/25/technology/north-korea-hackers-global-banks.html
  16. Choe Sang-Hun, Paul Mozur, Nicole Perlroth and David E. Sanger, “Focus Turns to North Korea Sleeper Cells as Possible Culprits in Cyberattack,” New York Times, May 16, 2017, https://www.nytimes.com/2017/05/16/world/asia/north-korea-cyber-sleeper-cells-ransomware.html?_r=0
  17. Michelle Nichols, “North Korea says linking cyber attacks to Pyongyang is ‘ridiculous,’” Reuters, May 19, 2017, http://www.reuters.com/article/us-cyber-attack-northkorea-idUSKCN18F1X3
  18. “Report of the Panel of Experts established pursuant to resolution 1874 (2009) - S/2017/150,” United Nations Security Council, February 27, 2017, http://www.un.org/ga/search/view_doc.asp?symbol=S/2017/150&Submit=Search&Lang=E
  19. “Treasury Imposes Sanctions on Supporters of North Korea’s Weapons of Mass Destruction Proliferation,” United States Department of the Treasury, September 26, 2016, https://www.treasury.gov/press-center/press-releases/Pages/jl5059.aspx
  20. Choe Sang-Hun, “North Korea Revives Coded Spy Broadcasts After 16-Year Silence,” New York Times, July 21, 2016, https://www.nytimes.com/2016/07/22/world/asia/north-korea-spy-radio-broadcasts.html?_r=0
  21. Alan Feuer and William K. Rashbaum, “U.S. Prosecutors Outline Case Against Mexican Drug Lord El Chapo,” New York Times, January 20, 2017, https://www.nytimes.com/2017/01/20/nyregion/el-chapo-guzman-mexican-us.html?_r=0
  22. Patrick Howell O’Neill, “How a drug cartel used encryption and a fake website to launder millions,” The Daily Dot, October 17, 2016, http://www.dailydot.com/layer8/mexican-cartel-encryption/
  23. Evan Ratliff, “The Strange Origins of TrueCrypt, ISIS’s Favored Encryption,” The New Yorker, March 30, 2016, http://www.newyorker.com/news/news-desk/the-strange-origins-of-truecrypt-isiss-favored-encryption-tool
  24. David Ovalle, “State: Hezbollah-linked group laundered drug money through Miami banks,” Miami Herald, October 11, 2016, http://www.miamiherald.com/news/local/crime/article107366182.html
  25. Dan Terzian, “The Fifth Amendment, Encryption, and the Forgotten State Interest,” UCLA Law Review, 61 UCLA L. Rev. Disc. 298 (2014), http://www.uclalawreview.org/pdf/discourse/61-19.pdf
  26. “Final Report - Draft Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2),” European Banking Authority, February 23, 2017, https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf
  27. “Alert (TA15-120A) Securing End-to-End Communications,” United States Computer Emergency Readiness Team (US-CERT), United States Department of Homeland Security, September 29, 2016, https://www.us-cert.gov/ncas/alerts/TA15-120A
  28. Jeff Goldman, “Cybercriminals Use Man-in-the-Middle Attacks to Steal 6 Million Euros,” eSecurity Planet, June 12, 2015, http://www.esecurityplanet.com/hackers/cybercriminals-use-man-in-the-middle-attacks-to-steal-6-million-euros.html
  29. Vicki D. Anderson, “FBI Warns of Rise in Schemes Targeting Businesses and Online Fraud of Financial Officers and Individuals,” FBI, March 29, 2016, https://www.fbi.gov/contact-us/field-offices/cleveland/news/press-releases/fbi-warns-of-rise-in-schemes-targeting-businesses-and-online-fraud-of-financial-officers-and-individuals
  30. Michael Covington, “Free Wi-Fi and the dangers of mobile Man-in-the-Middle attacks,” betanews, October 8, 2016, http://betanews.com/2016/10/08/free-wi-fi-mobile-Man-in-the-Middle-attacks/
  31. Dauda Sule, “Man in the Browser—A Threat to Online Banking,” ISACA Journal, Volume 4, 2016, https://www.isaca.org/Journal/archives/2013/Volume-4/Documents/13v4-Man-in-the-Browser.pdf
  32. Michael Gregg, “Six Ways You Could Become a Victim of Man-in-the-Middle (MiTM) Attacks This Holiday Season,” Huffington Post, November 12, 2016, http://www.huffingtonpost.com/michael-gregg/six-ways-you-could-become_b_8545674.html
  33. Frank J. Cilluffo, “Emerging Cyber Threats to the United States,” United States House of Representatives testimony, February 26, 2016, http://docs.house.gov/meetings/HM/HM08/20160225/104505/HHRG-114-HM08-Wstate-CilluffoF-20160225.pdf
  34. Tom Spring, “Nation States Distance Themselves from APTs,” Threatpost, February 14, 2017, https://threatpost.com/nation-states-distancing-themselves-from-apts/123711/
  35. Limor Kessem, “Organized Cybercrime’s New Bull’s-eye: Bankers,” SecurityIntelligence, April 8, 2016, https://securityintelligence.com/organized-cybercrimes-new-bulls-eye-bankers/
  36. “FIN-2016-A005 Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime,” United States Department of the Treasury - Financial Crimes Enforcement Network, October 25, 2016, https://www.fincen.gov/sites/default/files/advisory/2016-10-25/Cyber%20Threats%20Advisory%20-%20FINAL%20508_2.pdf
  37. S. 754, “Cybersecurity Information Sharing Act of 2015,” Congress.gov, October 27, 2015, https://www.congress.gov/114/bills/s754/BILLS-114s754es.pdf
  38. Brad S. Karp, “Federal Guidance on the Cybersecurity Information Sharing Act of 2015,” Harvard Law School Forum on Corporate Governance and Financial Regulation, March 3, 2015, https://corpgov.law.harvard.edu/2016/03/03/federal-guidance-on-the-cybersecurity-information-sharing-act-of-2015/
  39. “Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015,” United States Department of Homeland Security, United States Department of Justice, June 15, 2016, https://www.us-cert.gov/sites/default/files/ais_files/Non-Federal_Entity_Sharing_Guidance_%28Sec%20105%28a%29%29.pdf
  40. Robyn Greene, “Is CISA gift-wrapped for hackers and nation-state actors?,” TheHill.com, August 3, 2015, http://thehill.com/blogs/pundits-blog/technology/250070-is-cisa-gift-wrapped-for-hackers-and-nation-state-actors
  41. Lee Tien, “EFF Strongly Opposes CISA Cyber Surveillance Bill and CFAA Amendment,” October 22, 2015, Electronic Frontier Foundation, https://www.eff.org/deeplinks/2015/10/eff-strongly-oppose-cisa-cyber-surveillance-bill-and-cfaa-amendment
  42. Eliza Sweren-Becker, “Congress Working in the Dark on Cybersecurity Bill,” ACLU.org, November 17, 2015, https://www.aclu.org/blog/free-future/congress-working-dark-cybersecurity-bill
  43. Dustin Volz, “‘Digital Geneva Convention’ needed to deter nation-state hacking: Microsoft president,” Reuters, February 14, 2017, http://www.reuters.com/article/us-microsoft-cyber-idUSKBN15T26V
  44. Dan Terzian, “Forced Decryption as a Foregone Conclusion,” California Law Review Circuit, Vol. 6, May 2015, http://www.californialawreview.org/wp-content/uploads/2015/05/TERZIAN_27.pdf
  45. John M. Cauthen, “Executing Search Warrants in the Cloud,” FBI, October 7, 2014, https://leb.fbi.gov/2014/october/executing-search-warrants-in-the-cloud
  46. David Kravets, “Man jailed 16 months, and counting, for refusing to decrypt hard drives,” Ars Technica, February 12, 2017, https://arstechnica.com/tech-policy/2017/02/justice-naps-man-jailed-16-months-for-refusing-to-reveal-passwords/
  47. Orin Kerr, “The Fifth Amendment limits on forced decryption and applying the ‘foregone conclusion’ doctrine,” Washington Post, June 7, 2016, https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/06/07/the-fifth-amendment-limits-on-forced-decryption-and-applying-the-foregone-conclusion-doctrine/?utm_term=.7462c3b87571
  48. “Brief of Amici Curiae Electronic Frontier Foundation and American Civil Liberties Union in Support of Movant-Appellant and Reversal,” United States Court of Appeals Third Circuit, No. 15-3537, April 6, 2016, https://cdn.arstechnica.net/wp-content/uploads/2016/04/effamicus.pdf
  49. Cheryl Tang, “Are All Ransom Attacks Considered Ransomware?,” Imperva.com, June 22, 2017, https://www.imperva.com/blog/2017/06/are-all-ransom-attacks-considered-ransomware/
  50. Max Eddy, “The Best VPN Services of 2017,” PCMag, July 19, 2017, http://www.pcmag.com/article2/0,2817,2403388,00.asp
  51. “Protecting Online Customers from Man-in-the-Browser and Man-in-the-Middle Attacks,” Arcot, http://www3.ca.com/~/media/Files/whitepapers/protection-from-mitm-mitb-attacks-wp.pdf