Jackie Stewart is the Executive Editor of Bank Director. She is responsible for writing and editing features for the company’s weekly newsletter and quarterly print magazine and oversees sponsored research reports. Jackie is particularly interested in community banking and M&A activity. She previously served in a number of reporter and editor roles with American Banker, including executive editor of American Banker Magazine. She has also covered retirement issues for Kiplinger and spent two years teaching middle school literacy in the Bronx, New York, through Teach For America.
War in Iran Stokes Cybersecurity Threat
Attacks usually heat up when geopolitical events happen around the world. That’s happening again with the current conflict in the Middle East.
With the ongoing conflict in the Middle East, banks are facing heightened cybersecurity concerns, their no. 1 risk concern on an average day.
It’s normal for cyberattacks to increase when geopolitical events are happening around the world. State-sponsored bad actors, and hacktivists sympathetic to their causes, try to disrupt critical infrastructure in adversary countries. Banks are usually included in these attacks given their critical role in society.
But this time the cyberattacks are likely to be more sophisticated given that bad actors can utilize artificial intelligence in their schemes.
“It is a bigger deal than it is getting credit for,” says Steve Sanders, chief risk officer at CSI, a provider of banking and risk management solutions. “It’s not really something that is routine, and we have elevated to a new level of risk.”
From Feb. 28 — the date that the U.S. and Israel first struck Iran — to March 2, there have been 149 confirmed distributed denial-of-service (DDoS) attacks across 110 organizations in 16 countries, Sanders says. In a DDoS attack, a bad actor tries to overwhelm the target’s operations by flooding it with internet traffic.
Bad actors are likely to directly target the largest banks, such as JPMorgan Chase & Co., Bank of America Corp. and Wells Fargo & Co., because a successful attack against one of these institutions could have much wider ramifications.
There’s precedent for these concerns. In September 2012, some of the nation’s largest banks faced a sustained DDoS attack. A group with ties to Iran took credit for the incident. It’s believed that the motivation was to protest sanctions the U.S. had imposed against the regime. The result was that customers struggled to access their bank accounts online. Eventually, the attack expanded, and dozens of institutions were affected. “The larger banks need to be more concerned about economic disruption and geopolitical signaling,” Sanders adds. “If the large banks take a large enough hit, there is a systemic contagion that affects every bank.”
However, smaller banks still need to be concerned. Bad actors could view them as easier targets with less sophisticated defenses. “It can also be simpler to go after a smaller organization,” says Billy McDiarmid, vice president of customer engineering at Red Sift, a cybersecurity firm. “They aren’t aware of all of the defenses available to them, or it could be easier to get through to someone through social engineering through a phone call or an email.”
Bad actors may also target third-party vendors and data centers, says John Meyer, a managing director who leads the business intelligence and data analytics practice at Cornerstone Advisors. A successful attack against a technology provider could affect hundreds of banks all at once. Meyer previously worked at a banking tech vendor he didn’t want to name — the company has subsequently been acquired by another firm. After the U.S. placed sanctions against Iran in 2011, that company experienced an attack where it received 200,000 emails a second. “It was brilliant,” he adds. “It made digital banking slow for the bank customers and credit union members, but it also affected our ability to send out alerts. If you had set your digital banking to alert you if your account fell below a certain amount, then that got gummed up. That was an interesting attack vector.”
DDoS attacks are probably the most likely cyber threat banks are facing right now, experts say. “They want to overwhelm the system and prevent the bank from doing business,” says Brian McGinnis, co-chair of the data security and privacy practice group at the law firm Barnes & Thornburg. “If they have an opportunity to steal money, they would, but that might be less frequent than a cyberattack designed to disrupt networks.”
Banks should also be on the lookout for wiper attacks disguised as ransomware attacks. Under this scenario, the bad actor has installed malware on the bank’s system that locks its data. The bank then pays a ransom for its release, which is a routine ransomware incident. However, in a wiper attack, after the ransom is paid, the bad actor will delete the target’s data. Historically, Iran has been behind a disproportionate number of wiper attacks, McGinnis says.
Finally, phishing and spear phishing campaigns are likely to ramp up targeting bank employees to steal their login credentials, Meyer says. In particular, bad actors might send fake 314(b) requests to institutions — which is the section under the USA Patriot Act that allows financial institutions to share with one another and the federal government information about activities suspected to involve money laundering and terrorism. Essentially, they could try to use the heightened security and awareness to their advantage. “It is a very common bank-to-bank communique,” he adds. “They will try to get someone from the [Bank Secrecy Act] department to click the link.”
AI has the potential to make these cybersecurity attacks more effective, experts warn. For instance, criminals can take publicly available blog posts written by the bank’s CEO and use them to train generative AI to write a more authentic-sounding phishing email, McDiarmid says. “AI is making it easier for bad actors to carry out these attacks. It’s lowering the barrier,” he adds.
To protect the bank, board members should check in with their management teams to see how they are responding to the current heightened situation. Management should review the bank’s incident response plans. That way if something does happen, they would be ready, McGinnis says. “What are we doing to account for this higher level of risk? That would be my first question,” he adds. “If the answer is nothing, then do we need to add in additional measures or be on the lookout for new attacks from Iran or others?”
Banks should decide if they need to implement any additional security monitoring right now, potentially from a third-party vendor. And if the bank isn’t currently using more common protocols, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), they may want to consider it. DMARC can help prevent bad actors from spoofing a company’s email domain and thus stop phishing scams and more. But not every community bank uses this, McDiarmid says.
Reviewing the bank’s cyber defenses should include reaching out to third-party vendors to make sure they are being vigilant as well. “You need to hold your vendors accountable. If there is a DDoS attack, what is their plan?” says Meyer, who noted that at his previous job with a tech vendor the company would purchase bandwidth on demand if necessary and used technology to help filter out nefarious traffic.
Finally, banks need to be cautious when reading news reports about possible cyberattacks in the U.S. and abroad. In addition to cyber warfare, there is also a misinformation campaign being waged where Iran and its allies will try to portray the regime as being stronger than it currently is. For instance, there could be a breach where some real data is released but hackers could also include fake information to make the breach seem larger. Social media accounts run by the Iranian government or their sympathizers are likely to try and amplify this.
“We need to keep in mind that the best tool Iran uses is generating panic,” Sanders says. “They want to do something that magnifies the panic. Sometimes legitimate looking social media accounts are hackers.”