Big Banks in Emerging Economies Are Suffering Crippling Cyber Attacks

Risks are also on the rise in advanced economies, as the Reserve Bank of Australia recently warned.  

The National Bank of Pakistan (NBP), Pakistan’s third largest lender, suffered a massive cyber attack on Friday that brought down its IT system. Major outages of this kind can cause huge challenges for consumers, including lack of access to money and services. The timing of the attack on NBP could not have been worse (or better from the hackers’ standpoint), coming just before November 1, when salary and pension payments are made to millions of current and former public workers. In a public statement NBP said:

“In the late hours of the 29th and early morning of the 30th October, a cyber-attack on NBP’s servers was detected which impacted some of its services. Immediate steps were taken to isolate the affected systems.” 

Pakistan’s central bank, the State Bank of Pakistan, said it is “monitoring the situation closely to ensure safety and soundness of the banking system”, adding that NBP has not observed any data breach or financial loss. NBP is one of three Domestic Systemically Important Banks. As an editorial in the Express Tribune, Pakistan’s only internationally affiliated newspaper, noted, this means it is “too big to fail” — “the entire national economy could collapse if something goes wrong at NBP.”

On Saturday, NBP said it was confident that essential banking services would be restored by Monday morning. That doesn’t appear to have happened. The Times of Islamabad reported Monday that millions of customers continued to suffer as the bank struggled to restore its IT system. Among the services still disrupted was the disbursement of payments and pensions for current and former public sector employees:

Credible sources within NBP have disclosed that the bank’s IT teams are working hard to restore its banking system ever since it went down but have failed miserably. They are reluctant to issue a deadline as to when the system will become completely operational once again.

Poor IT infrastructure has exposed Pakistani banks and the Federal Board of Revenue (FBR), a national law enforcement agency that investigates tax crimes, suspicious accumulation of wealth and money-laundering, to increasingly sophisticated cyber attacks. Those attacks have become more frequent since the Covid-induced lockdowns led to a surge in online transactions. Most worryingly, this is happening as banks, financial and government authorities are encouraging consumers to transition from cash to digital payment methods.

Pakistan wasn’t the only country to see a major bank’s IT system go down this past weekend. On Sunday, Mexico’s largest lender, BBVA, suffered its second Sunday outage in seven weeks. It is the third time the system has gone down this year. Once again, the bank’s 24 million customers were unable to use the bank’s ATMs, its mobile app or in-store payments. It being a Sunday, they could not even avail of the lender’s in-branch cash services. The latest outage lasted eight hours — significantly less than the 20 hour duration of the first outage, on September 12 — but still long enough to leave many of its customers seething. 

The bank blamed the earlier Sunday outage on an internal system update failure and was at pains to assure customers that their financial data was not compromised. For the moment the bank has not explained the reason(s) for its latest outage.

One major Latin American bank whose IT system was definitely brought down by hackers is Banco Pichincha, Ecuador’s largest private lender. The bank suffered a crippling cyber attack on the weekend of October 9-10 that disrupted many of its operations. Pichinchha shut down portions of its network to prevent the problems from spreading to other systems. The disruption lasted for a number of days, causing chaos for many of its customers. The bank insists that customer data was not compromised.

Although the bank has not revealed the exact nature of the attack, sources in the cyber security industry told Bleeping Computer that the disruption was the result of a ransomware attack with threat actors installing a Cobalt Strike beacon on the network:

Ransomware gangs and other threat actors commonly use Cobalt Strike to gain persistence and access to other systems on a network.

In February, Banco Pichincha suffered another cyberattack by cybercriminals known as ‘Hotarus Corp’ who claimed to have stolen files from the bank’s network. Pichincha disputed the hacker’s claims and said that one of their providers was breached instead.

“We know that there was unauthorized access to the systems of a provider that provides marketing services for the Pichincha Miles program,” Banco Pichincha said at the time. “In relation to this information leak, and based on an extensive investigation, we have found no evidence of damage or access to the Bank’s systems and, therefore, the security of our clients’ financial resources is not compromised.”

Another bank whose IT system was recently compromised is Venezuela’s biggest lender, Banco de Venezuela, whose 16 million customers had to endure five long days in September with no digital banking services. As I reported in “Banks Around World Are Suffering Big Outages, Leaving Millions of Customers in Lurch At Worst Possible Time“, the Maduro goverment laid the blame for the attack on the US government, which it accused of launching an “intense and aggressive” cyber attack against the bank’s IT system.

It’s not just emerging market banks that are suffering cyber attacks. One of New Zealand’s largest lenders, Kiwibank, and ANZ Bank, Australia’s third largest lender, have both suffered distributed denial-of-service (DDoS) attacks in recent months resulting in a spate of IT system outages. In a DDoS attack hackers inundate a website with so many bots connecting to it all at once, they render it inaccessible. Servers are not breached, data is not stolen but it can still cause lots of disruption.

The Covid era has also seen a high surge in high-profile ransomware attacks against companies, including US oil major Colonial Pipeline and Australian transportation and logistics company. As I reported in March, hackers targeted Spain’s employment service (SEPE) with a massive ransomware attack, which temporarily disrupted the disbursement of some unemployment and furlough payments. In a ransomware attack a hacker infects a computer, or computers, with malware that encrypts a victim’s files. The hacker then demands payment from the victim in order to restore access to the files.

“In the past 18 months, ransomware operations have become more frequent and profitable than ever,” says Stefano De Blasi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions. 

One reason for this is that their victims often tend to pay up. And the ransoms tend to be big. Colonial Pipeline paid a $4.4 million ransom payment to regain access to its files. Brenntag, a German chemical distribution company, allegedly paid the same amount after Darkside stole more than 150 GB of information. According to De Blasi, “cybercriminals often perceive organisations in the financial sector as wealthy and are thus incentivised to target them because of the potential of a high payout.”

The rising threat is also being driven by the increasing technological sophistication and capability of hackers. At the same time banks and companies’ IT systems have grown more vulnerable due to the explosion in use of electronic financial services during the pandemic and the rise in remote working by employees, whose home systems do not boast the cyber security defences of large corporate offices.     

The global banking industry experienced a whopping 1,318% year-on-year increase in ransomware attacks in the first half of 2021, according to a report by Trend Micro, an American-Japanese multinational cyber security software company. Banks are understandably worried, especially given that their customers are using less and less cash and are becoming more and more dependent on digital banking services.  

In the Bank of England’s Systemic Risk Survey cyber attacks were the most frequently cited cause of concern to UK banks. Respondents were asked to list the five risks they believed could have the biggest impact on the UK’s financial system. Cyber attacks were mentioned by 75% of respondents. By contrast, geopolitical risks were mentioned by 59% of respondents, risk from pandemics, 57%, and operation risks including climate change, 48%. That said, pandemic-related risks were more frequently cited as a respondent’s number one concern. Thirty-eight percent put it as their main risk, followed by cyber attacks (19%), inflation and UK political risk.

In its latest Financial Stability Review, released in early October, the Reserve Bank of Australia warned that a successful cyber attack on a major financial institution is all but inevitable:

“[Given] the very large number of attacks, it seems almost inevitable that at some point the defences of a significant financial institution will be breached.

“Whether such an attack could result in systemic financial instability will depend not only on the part of the financial institution or system impacted and potential network effects, but also the cyber resilience of that institution and financial system.”

Unfortunately, most banks in emerging economies cannot devote nearly as much money or resources to cyber defence as their peers in advanced economies, which makes them even more vulnerable to attack.