Incident: Cybercriminals Steal $1bn from Banks via Zero Day Attacks

Published Date: 2015-02-17

Postmortem Analysis
Timeline 1. The software failure incident mentioned in the article happened over a two-year period, as reported in the article published on 2015-02-17. Therefore, the incident likely occurred between 2013 and 2015.
System 1. The software failure incident mentioned in the article does not specify a particular system or component that failed. Instead, it discusses the potential risks and implications of cyber-attacks on banks and the measures being taken to prevent such incidents. Therefore, the specific system(s) that failed in this incident are unknown [33463].
Responsible Organization 1. Cybercriminals [33463] 2. Hackers [33463]
Impacted Organization 1. Banks across 30 countries [33463]
Software Causes 1. Zero day attacks exploiting weaknesses in software before patches are developed [33463] 2. Malware specifically designed to bypass traditional security measures [33463]
Non-software Causes Unknown
Impacts 1. Customers were unable to access their bank accounts online, as seen with the HSBC and NatWest sites being brought to a standstill by hackers [33463]. 2. ATM systems were compromised, leading to cybercriminals stealing more than $40m from 12 debit card accounts via an ATM hack [33463]. 3. A Ukrainian cybergang managed to transfer at least $15m from compromised accounts at different US financial institutions to prepaid cards they controlled [33463]. 4. Personal details of customers ended up in the hands of hackers, as seen with the breach at JPMorgan affecting 76m households and 7m small businesses [33463]. 5. The potential for a complete loss of systems in a bank, disrupting its capacity to operate, was highlighted as a worst-case scenario by the Bank of England's executive director [33463].
Preventions 1. Implementing advanced security measures such as sandboxing to isolate and analyze the malicious code used in zero day attacks before it executes could have prevented the incident [33463]. 2. Participating in tailored cybersecurity testing programs like Cbest to identify vulnerabilities in the bank's systems and protect against zero day attacks could have helped prevent the software failure incident [33463]. 3. Recruiting former military intelligence officers and geopolitical analysts to strengthen systems against cyber-attacks could have enhanced the bank's defenses and potentially prevented the incident [33463].
Fixes 1. Implementing advanced security measures such as sandboxing to isolate and analyze the malicious code used in zero day attacks [33463]. 2. Participating in tailored cybersecurity testing programs like Cbest to identify vulnerabilities and strengthen defenses against cyber-attacks [33463]. 3. Recruiting former military intelligence officers and geopolitical analysts to enhance cybersecurity systems [33463]. 4. Privately sharing information about cyber threats and vulnerabilities with other firms, IT analysts, and government agencies in real time through platforms like Cisp [33463].
References 1. Security firm Kaspersky Labs [33463] 2. Ross Dyer, UK technical director for Trend Micro [33463] 3. Steve Bell, spokesman for internet security firm Bullguard [33463] 4. Bank of England [33463] 5. Federal Financial Institutions Council (FFIC), a US regulator [33463] 6. Ukrainian cybergang [33463] 7. JPMorgan [33463] 8. Andrew Gracie, executive director of the Bank of England [33463] 9. British Banking Association (BBA) [33463] 10. Financial Conduct Authority (FCA) [33463] 11. Joram Borenstein, spokesperson for Nice Actimize [33463]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization <Article 33463> provides information about cybersecurity threats and incidents in the banking sector. It discusses the risks of cyber-attacks, including zero-day attacks, and the potential consequences such as loss of data, disruption of services, and financial losses. The article highlights incidents where banks have been targeted by cybercriminals, leading to financial losses and data breaches. (a) one_organization: The article mentions incidents where specific banks like HSBC and NatWest have been targeted by hackers, leading to disruptions in their online services [33463]. (b) multiple_organization: The article also mentions incidents where cybercriminals targeted multiple banks across different countries, resulting in significant financial losses, such as the multinational gang of cybercriminals stealing up to $1bn from over 100 banks across 30 countries [33463].
Phase (Design/Operation) design, operation (a) The article mentions the danger of zero-day attacks, which exploit weaknesses in software before a patch has been developed. It describes a zero-day attack as a new piece of malware that bypasses traditional security measures, indicating a failure in the design phase of software development [33463]. Additionally, the article discusses the need for banks to shore up their defenses against zero-day attacks, highlighting the importance of addressing vulnerabilities introduced during system development or updates. (b) The article discusses the implications of a cyber-attack succeeding, such as being unable to access bank accounts online, ATM systems falling victim to cyber-attacks, and hackers stealing personal details. These consequences point to failures in the operation phase of software systems, where factors like system operation or misuse can lead to security breaches and data theft [33463].
Boundary (Internal/External) within_system, outside_system (a) within_system: The articles discuss the threat of cyber-attacks on banks, including zero day attacks that exploit weaknesses in software before patches are developed. Banks are urged to strengthen their defenses against such attacks originating from within the system. The Bank of England is encouraging banks to participate in testing programs like Cbest to identify vulnerabilities within their systems [33463]. (b) outside_system: The articles mention incidents where cybercriminals have successfully infiltrated banks and stolen money, personal data, and disrupted services. These attacks originate from outside the system, targeting vulnerabilities within the banks' networks and systems. The article highlights instances where hackers have breached security measures to access sensitive information and carry out fraudulent activities [33463].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: The articles discuss the threat of cyber-attacks on banks, particularly zero day attacks, which exploit weaknesses in software before patches are developed. These attacks are considered non-human actions as they are developed specifically to bypass traditional security measures and are new pieces of malware that no one has seen before [33463]. (b) The software failure incident occurring due to human actions: The articles mention that the weak link in the cybersecurity chain is often the human factor, as seen in incidents where hackers stole data due to the theft of an employee's login credentials [33463]. Additionally, the articles highlight the importance of banks recruiting former military intelligence officers and hiring geopolitical analysts to strengthen their systems against cyber-attacks, indicating the role of human actions in enhancing cybersecurity measures [33463].
Dimension (Hardware/Software) software (a) The articles do not provide specific information about a software failure incident occurring due to contributing factors originating in hardware. (b) The articles discuss the implications of a cyber-attack on banks, focusing on the risks associated with zero-day attacks, malware, and vulnerabilities in software systems. The incidents mentioned involve cybercriminals exploiting weaknesses in software to steal money, disrupt banking services, and compromise personal data. The emphasis is on the importance of banks implementing advanced security measures to protect against software-related attacks [33463].
Objective (Malicious/Non-malicious) malicious, non-malicious (a) The articles discuss the threat of cyber-attacks on banks, which can lead to malicious software failures. For example, zero day attacks are mentioned as a significant danger facing banks, where new malware is developed specifically to bypass traditional security measures [33463]. Additionally, incidents of hackers stealing money from accounts, transferring funds, and stealing personal details demonstrate malicious intent to harm the system [33463]. (b) The articles also highlight non-malicious software failures that can occur as a result of cyber-attacks or vulnerabilities in the system. For instance, the mention of ATM systems falling victim to cyber-attacks, disruptions in online banking services, and the potential loss of data or system functionality due to successful attacks indicate failures caused by factors introduced without intent to harm the system [33463].
Intent (Poor/Accidental Decisions) unknown The articles do not provide specific information about a software failure incident related to poor_decisions or accidental_decisions.
Capability (Incompetence/Accidental) accidental (a) The articles do not provide specific information about a software failure incident occurring due to development incompetence. (b) The articles mention incidents where cybercriminals were able to steal money from banks through cyber-attacks, such as the multinational gang of cybercriminals stealing up to $1bn by infiltrating banks [33463]. These incidents can be considered software failure incidents occurring accidentally, due to vulnerabilities in the banks' systems that were exploited by hackers.
Duration unknown The articles do not provide specific information about a software failure incident being either permanent or temporary.
Behaviour crash, value (a) crash: The articles mention instances where cyber-attacks have caused systems to crash or be brought to a standstill. For example, both the HSBC and NatWest sites have been brought to a standstill by hackers in the past [33463]. (b) omission: There is no specific mention of a software failure incident related to omission in the provided articles. (c) timing: The articles do not discuss any software failure incident related to timing issues. (d) value: The articles highlight incidents where cybercriminals managed to transfer money incorrectly from compromised accounts at different financial institutions [33463]. (e) byzantine: The articles do not provide information on a software failure incident related to a byzantine behavior. (f) other: The articles do not describe any other specific behavior of a software failure incident.

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence (d) property: People's material goods, money, or data was impacted due to the software failure - The article discusses various instances where cybercriminals were able to steal significant amounts of money from banks, such as a multinational gang stealing up to $1bn over a two-year period from more than 100 banks across 30 countries [33463]. - Examples include cybercriminals stealing more than $40m from 12 debit card accounts via an ATM hack and a Ukrainian cybergang transferring at least $15m from compromised accounts at US financial institutions [33463]. - Additionally, hackers were able to steal contact details from JPMorgan affecting millions of households and small businesses, highlighting the impact on personal data and potentially leading to financial losses [33463].
Domain finance (a) The failed system in the article is related to the finance industry. The incident involves cybercriminals infiltrating banks and stealing large sums of money, highlighting the cybersecurity threats faced by financial institutions [33463]. The article discusses the implications for personal data and money, the risks of cyber-attacks succeeding, and the measures banks are taking to enhance their cybersecurity defenses in response to these threats.

Sources
