Cyber warfare: How prepared are fintech startups for cyber escalation by Russia?

The West is on high alert for cyber-attacks by Russian hackers, with the US launching its ‘Shields Up’ campaign and the NCSC issuing regular advice to UK businesses. AltFi speaks to cyber-security fintechs to get their views on the security situation.

As sanctions tighten, fears have mounted among Western financial institutions around the possibility of Russia taking warfare into the cyber domain. Financial infrastructure is now more digitised than ever – introducing new vulnerabilities that cyber-hackers could look to exploit – and some Western companies had been using Russian cyber-security providers before the conflict.

Under Russian law, the private sector is obliged to assist the Federal Security Service (FSB) if ordered, so it is possible that companies are called upon to act against Western economies on behalf of the state.

“Despite the best intentions of regulators, the world’s financial system remains the biggest, most critical, and yet most obscure network underpinning our global economy and societies,” says Martin Rehak, co-founder and CEO of Resistant AI, a fintech providing machine-learning and AI solutions to protect financial institutions from cyber breaches.

Ring-fencing financial cybersecurity has become much more challenging in the context of technological development. It has also given rise to a host of highly specialised fintechs within the cyber-security space, focusing either on a specific risk or financial service, according to Matthew Gracey-McMinn, head of threat research at Netacea.

Companies like Netacea, Ravelin and Resistant AI have found their niche in aspects ranging from business logic attacks (Netacea) to payments (Ravelin) and automated financial services (Resistant AI), specialising in their fields to stay ahead of cyber criminals.

Potential fall-out

“Cyber warfare is a very new thing – it’s not well explored and there are no real rules,” says Matthew Gracey-McMinn, head of threat research at Netacea. “It’s also difficult to differentiate between cyber warfare, cyber harassment, cyber espionage, and cyber propaganda operations.”

Russian cyber-attacks are certainly not unprecedented and have often been directed at acquiring intellectual property, financial plans, or pure disruption of critical infrastructure.

Attacks by Russia this year have so far been limited to Ukrainian targets – with the most recent incidents taking place in January and February before the invasion started, including a large-scale cyber-attack on some of Ukraine’s largest financial institutions.

Historical attacks unconnected to the Russia-Ukraine conflict have been damaging too, however. The ‘NotPetya’ malware worm attack in 2017 caused $10bn of damage to computer systems across financial, energy and government institutions, and the National Cyber Security Centre (NCSC) put out a statement in 2020 confirming its belief that the Russian military was “almost certainly responsible”.  

How great is the risk?

“Financial institutions are always popular targets for cyber-criminal actors,” says Gracey-McMinn. “A lot of cyber-criminal actors do work as mercenaries for states – often multiple states – which again makes attribution hard.”

In terms of vulnerabilities, the NCSC maintains that for most people and enterprises, “the biggest risks remain a) not keeping software up-to-date, b) poor network configuration management, and c) poor credential management”.

According to Gracey-McMinn, another risk is the human factor, which the recent Lapsus$ breaches also evidence. Netacea helps to prevent so-called business logic attacks, which, according to the firm’s recent survey across 440 UK entities, were responsible for £250m of losses per year.

These sorts of attacks don’t require as much technical know-how, but exploit the human factor in obtaining account login information and accessing systems from the inside, often via ‘bot attacks’.

Gracey-McMinn doesn’t expect cyber-attacks by Russian forces to differ much from non-wartime attacks in terms of the actual strategies employed.

“I don’t see cyber warfare attacks being hugely different to those already coming out of cyber-criminal organisations,” says Gracey-McMinn. “The main differences would likely be the targets – being geostrategic in the case of cyber-warfare. But how businesses respond to the attacks will likely be the same.”

Hiding in plain sight

As such, most financial institutions are already prepared to face these risks given their usual cyber protocols, according to Netacea. What’s more, the company says it’s a myth that attacks emanate predominantly from geopolitical aggressors such as Russia.

Recent research by the company found that just over a third of businesses detected threats from Russia and China. Meanwhile, around half of businesses detected threats from the US and the UK, and many more have been detected from throughout Europe.

Gracey-McMinn instead believes that a possible side-effect of the Russia-Ukraine crisis is that other cyber-criminal actors seek to take advantage of the “fog of war” to carry out their own attacks.

“If you look back over the past few years, ransomware attacks have caused a lot of disruption,” says Gracey-McMinn. “The focus at the moment is all on the possibility of cyber warfare and the fall out of that, but cyber-criminal activity is actually happening. We need to be focusing on the real risks facing businesses now.”

What can businesses do?

As countries wait to see how the conflict might escalate, cyber-security firms recommend that companies consider securing their external-facing assets and backing up their critical assets in case the security environment deteriorates further over the coming months. But Netacea is keen not to overhype the situation, particularly while things remain so uncertain.

“The risks for businesses are very similar to what they always have been,” says Gracey-McMinn. 

“My advice to businesses regarding the geopolitical situation is to pay attention to national advisories, like the NCSC, follow their advice, and undertake accurate risk assessments.”

Resistant AI believes that investing in technological prevention solutions also remains key.

“The path to a financial system that actually benefits law-abiding citizens lies in nimble, fast-deploying and fast-updating multi-model AI anomaly detectors that can explain each and every finding at scale,” says Rehak. “That path will require constant collaboration between machines, financial crime investigators, and data scientists.”

Meanwhile, the NCSC is optimistic that Russia will stay out of the UK’s cyber space, but says it is prudent to plan for the possibility, nonetheless.

“We have no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, but the absence of evidence is not evidence of absence,” says Ian Levy, technical director at the NCSC, in a recent blog. “In times of such uncertainty, the best approach is to make sure your systems are as resilient as you can reasonably make them.”
