For a two-week period in March 2022, 95% of the accounts that were opened at major U.S. banks were fraudulently created — many by Russian state hackers who were carrying out a denial-of-service attack of sorts in an attempt to block Ukrainian war refugees from transferring their money to American financial institutions, said Rachel Wilson, managing director and head of cybersecurity for Morgan Stanley’s Wealth Management division.
In the months prior, a normal fraud rate for actors signing up for accounts online with false or stolen identities would have been in the range of 30% to 40%, but that number spiked to 75% in February 2022 and then to 95% in March, Wilson recalled in an opening keynote address Monday at the InfoSec World conference in the Orlando, Florida, region.
Ordinarily, a lot of new account fraud in banks can be traced to cybercriminal operations in places like Ghana, Bangladesh or Sierra Leone as part of a scam to repeatedly steal $0.75 microdeposits that are made when accounts are linked, but this shocking increase was due to Russian meddling, said Wilson. And this was reflected in the sophistication of the actors.
“Now all of a sudden, it's highly scripted. It's AI enabled. This is looking much more nation-state than it did three months prior,” said the former NSA senior cyber exploitation operations and counterterrorism official.
The lesson: “Some of the fraud you may be seeing is more geopolitical in nature than you might think,” Wilson warned.
She noted that Russian state actors are highly adept at camouflaging their behavior amongst day-to-day cybercriminal operations, including seemingly minor activity that victim organizations might deprioritize or even accept as a cost of doing business.
Wilson recalled an emergency Saturday-morning phone call that she received from a banking industry colleague when the fraud rate hit 95% as financial institutions were being flooded with a disruptive amount of fake account requests, presumably intended to impair legitimate activity.
"Basically, [we had] become a criminal element,” she said.
In response, banks temporarily deactivated the ability to open new accounts.
“This was not a financially motivated criminal attack. This was, make no mistake, a state-sponsored denial-of-service attack, intended to prevent the flow of capital out of Ukraine,” Wilson continued.
This anecdote is but one reason why Wilson cited Russian APT activity as one of her three top cybersecurity concerns for enterprises in 2023 — along with two other R-words: ransomware and resiliency.
“Anyone in this room who thinks that the Russians and Putin cyber army have been sitting on their hands for the last 18 months, the opposite is the case,” asserted Wilson, who said the Russians often hide their activity to avoid attribution and retaliation.
“They don't want that full frontal slap in the face against the United States in the West,” she said. “But instead, they're taking a ‘boil the frog’ approach, slowly turning up the heat against American industries, resulting in what I would argue has been a true bloodletting of American industries over the last 18 months.”
Russia also has the reputation of turning a blind eye toward — or even encouraging — rampant criminal ransomware operations that proliferate in and around its borders. With that said, however, ransomware actors are thriving everywhere — even inside the U.S.
“This is not the pop-up asking for $500 in iTunes gift cards anymore,” Wilson said. These days, “a hacker gets into your environment, figures out what you value most. That could be customer data, that could be employee data, that could be your proprietary information, your source code — whatever you would be willing to pay to have protected, to have restored. A hacker’s gonna steal that from you.”
Wilson also emphasized the triple extortion element of these attacks — as adversaries will not only encrypt the victim’s files, but also publish exfiltrated sensitive data and even attack again in the future if additional payments aren’t made.
Essentially, you have to agree to “mafia-style protection,” Wilson stated. In some cases, ransomware gangs will even offer to protect victims from other rival cybercriminal outfits as part of this ongoing so-called business relationship.
“This is the brave new world that we are living in, in 2023," said Wilson, who said she knows of many entities who have a monthly payment set up with an Eastern European hacking gang "to theoretically protect them" from rival outfits. "Twenty-five years in the cybersecurity space, I never thought we would get to this place.”
To avoid finding oneself in these kinds of sticky situations, it’s important to address Wilson’s third major concern: resilience.
“Most of the conversations I'm having with my leadership now are about how to maintain that reliability that our regulators expect, that our shareholders expect, and that our customers expect,” said Wilson. “And what does that mean? Well, of course, it means we’ve got to keep our systems up and running.”
On this front, Wilson underscored the importance of following key cyber hygiene practices, including: patching regularly and comprehensively, familiarizing yourself with and actively practicing your cyber crisis playbook, offering cybersecurity training to your employees, and backing up your data.
But “it’s not enough to simply have your data backed up,” Wilson noted. “All of us need to be religious about actually exercising that playbook and restoring from bare metal on a regular basis so that when… our bad day finds us, we know what we're doing.”