On Monday, KELA’s security team published a report examining the cybersecurity issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom’s banks and other financial services.
The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organizations a tempting target for threat actors siding with Russia – whether by state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cybersecurity following Russia’s assault.
APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also to make fraudulent purchases or for card cloning.
APTs target organizations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilized vulnerabilities, including ProxyLogon, to compromise UK businesses.
“In general, APTs may target the financial sector to commit fraud, burglarize ATMs, execute transactions, and penetrate organizations’ internal financial systems,” KELA says. “Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021.”
Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is “in demand” by cybercriminals who are seeking PII, access credentials, and internal data.
For example, in January 2021, an ExploitIn forum user asked for a “UK database leak.” On the same Russian forum, another requested “UK targeted bank leads with DOB, full name, bank name/sort code, address and postal code […] DOB has to be between 1935 and 1955” this year.
From January 2021 to February 2022, KELA tracked close to 16,000 unique, leaked credentials linked to UK financial organizations which appeared online. This includes information leaked during the RedCappi, ParkMobile, and Oxfam breaches.
However, no UK organizations took a top spot in the 14 breaches during 2021 - 2022 with the highest number of leaked credentials. Instead, many of them were based in India.
“As the UK plays a significant role in the global economy, often providing services to international companies and organizations, it is likely that breaches related to foreign companies would affect UK firms,” the researchers said.
The sale of network access, while not as common, is also a threat to the UK financial sector. KELA found roughly 60 instances of network access listings, including one for a UK fintech firm with $5 million in annual revenue, offered for only $300, and a prolific Russian trader touting access to UK companies 13 times in the past year.
Ransomware also remains a plague for UK financial organizations and services worldwide. The cybersecurity firm observed 135 UK financial companies experiencing a ransomware incident in 2021. However, this may only be a fraction of the true number as these organizations have only been identified due to ransomware blog and leak sites, negotiation portals, and media reports.
When it came to targeting UK companies, the Conti, PYSA, LockBit, and Sodinokibi ransomware groups were the most active.
“This report sheds light on the multiple, varying cyberthreats posed to UK companies and organizations in general, and the UK financial sector in particular,” the researchers noted. “Through 2021, both financial and other UK companies have been subject to multiple ransomware attacks, and credentials and compromised accounts belonging to British entities were often offered for sale on cybercrime forums.”
See also
Ransomware as a service: negotiators between hackers and victims are now in high demandThis is the perfect ransomware victim, according to cybercriminalsFranchises, partnerships emerge in Ransomware-as-a-Service operations
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0