Cyber-attacks are twice as prevalent in Asia as the global average, and trade is right in the firing line. Finbarr Bermingham reports on a future that is already upon us.
In the thrilling TV drama Mr Robot, a group of renegade hacktivists work with a cast of anonymous accomplices to bring down the systems of one of the world’s largest multinational companies. Targeting E-Corp because it owns 70% of the global consumer credit industry, the protagonists aim to wipe the company’s entire receivables archive, leaving the company with no records, therefore no assets, and bringing thousands of consumers to the streets to celebrate what appears to be a world almost entirely free of debt. An imagined utopia for the average indebted consumer, but a worst-case scenario for any financial institution.
In May of this year, real-life hacking group Anonymous claimed to have taken down the systems of nine German, Greek and Cypriot banks in a month, in a call to arms against the “corrupt global banking cartel”. Mr Robot may not be real, but the best works of fiction are often those based on the imminent possibilities of the world we live in.
High-profile cases of cybercrime feature in the mainstream news with increasing regularity, but most go unreported. In many countries, banks are not even required to report them, so what we see is only the tip of the iceberg. Much of modern cybercrime seems new, but the motives are usually as old as mankind itself. After all, “if you want to steal a lot of money you go to the place where they keep it all – the banks”.
Those are the words of Bryce Boland, the Asia Pacific CTO of FireEye, a cybersecurity firm that was hired by the central bank of Bangladesh to investigate an online theft of US$81mn in February. Boland declines to discuss that particular case, but says he has investigated other similar breaches in Asia in the months since, and that groups will continue targeting banks’ payments systems: the foundation of trade finance.
In the case of Bangladesh Bank, instructions to steal US$951mn were issued via Swift. Of this, US$101mn was withdrawn from an account held by the central bank at the Federal Reserve in New York. US$81mn was transferred to the Philippines and withdrawn, with US$20mn recovered by authorities in Sri Lanka. The other 30 transactions, worth US$850mn, were blocked by the Fed after an alert was triggered by Deutsche Bank, a routing bank, when hackers misspelled the word “foundation” as “fandation”.
Swift is integral to trade finance. The messaging system is used by more than 11,000 financial institutions in more than 200 jurisdictions. Swift itself was not breached, but malware that targeted the PDF reader used by employees was introduced to the Bangladesh Bank systems. The attackers were then able to gain access to Swift messages and to issue messages ordering the transfer of money. This attack may have been against a central bank, but it cut to the core of how trade finance departments work.
In May, Hanoi-based Tien Phong Bank was targeted in a US$1mn cyber heist that used the same technique as the hack in Bangladesh. Speaking to GTR at the time, a Swift spokesperson implied that the bank’s security had not been up to scratch. On that front, TP Bank is certainly not exceptional.
“In general, hackers have a tendency and practice to grab low-hanging fruit first,” says Scottie Hse, principal engineer and cybersecurity expert at the Hong Kong Applied Science and Technology Research Institute (Astri), which has worked with the Hong Kong Monetary Authority (HKMA) in developing solutions for countering cybercrime in the city. Often, that low-hanging fruit can be found in Asia.
Pivot to Asia
According to Boland, Asian organisations are twice as likely as the worldwide average to be targeted by a cyber-attack. He tells GTR that part of the problem is a culture of secrecy: few breaches are required to be reported, therefore banks don’t report them. Other banks are then unaware of the attacks and so the risk is downplayed.
Boland explains: “That lack of awareness also means there’s less financial incentive. Many organisations in Asia struggle to keep talent because the larger organisations in the US or Europe will pay big money for expertise. That makes it hard to retain local talent. That shortage of talent in cybersecurity is probably the biggest challenge facing the industry.”
While organisations are struggling to find resources to counter cyber-attacks, criminals are making hay on the other side of the fence. Disaffected professionals out of work since the 2008 global financial crisis are often employed by organised crime to carry out attacks on payments systems, or to glean information to use in insider trading. And with the development of encrypted messaging tools and the dark web, the barriers to entry are becoming lower.
“What we’re seeing is organised criminals delivering cyber-attacks, rather than some cyber mastermind somehow pulling together a major money laundering operation. Things you need to be successful are available in forums online, services such as developing malware, tools for delivering malware, tools for testing the malware. You don’t necessarily need a lot of cyber expertise, but you need to have criminal intent. We don’t see Al Capone-like set-ups, mostly organised groups of people communicating using secure chat channels, taking a lot of steps to eliminate forensic evidence,” Boland says.
And with the prevalence of connected consumer technology, cloud-based services and the internet of things, entry to banks’ systems has never been easier. The increased use of smartphones has led to bring your own device (BYOD) policies in many workplaces, which blurs the line between personal and company information, threatens the security of customer information and raises concerns over confidentiality. In tech-obsessed Asia, where it’s thought that mobile users outnumber those with bank accounts, the possibilities for leakages are rife.
Shut the barn door
Within this environment, some Asian governments have been making positive noises, but they’re mostly playing catch-up. Xun Yang, an expert in fintech and cybersecurity who acts as of counsel for Simmons & Simmons in Shanghai, says there’s no harmonisation in data protection regimes around Asia Pacific, despite some countries acting to introduce reform.
“Customer data collected in various Asian countries are usually stored and processed in one centralised regional hub – usually located in Hong Kong, Singapore or India. However, there is no harmonised data protection and cybersecurity legal regime. National laws in different countries have different standards of cybersecurity and the strength levels of enforcing cybersecurity rules vary between countries too. As a result, data processed and information flowing across countries may need to reflect the requirements in high-standard regions and to compromise with the situation in low-standard regions,” he says.
China is said to have one of the most joined-up policies on cybersecurity (Xun notes the contradiction in Beijing’s long history of opposing personal privacy and its equally long history of protecting its own data). But this is enacted mainly to protect state security, rather than that of individuals.
Despite being praised for allowing an unofficial sandbox within which companies can trial cybersecurity measures, Chinese officialdom on the matter often throws the baby out with the bathwater. In August, a coalition of 46 business groups wrote a letter to Chinese Premier Li Keqiang asking him to reverse a proposal to rethink a proposed cybersecurity law which would require technology companies to show authorities how products work to store information within China. A separate ruling is in the works for the insurance industry, with the coalition claiming the ruling would be in contravention of WTO rules.
The difficulty for individual governments to act is obvious: there is no cross-border force on cybersecurity, while almost all cyber criminals act outside of official borders. Arguably, the removal of barriers to the trade of goods, services and currency has played into underworld hands. How, then, could one possibly go about tackling the problem of cybercrime in the post-sovereignty world of cryptocurrencies?
Tales from the crypt
“It started when we suffered an unexpected outage of our servers which took the trading platform offline. While we were working to restore services back to normal and determining the cause of the outage, the hackers gained access to our system and managed to steal ETH185,000 [ether, the cryptocurrency of Ethereum Blockchain] and BTC250 [bitcoin]. Negligence and miscommunication on behalf of our ex-CTO and another ex-engineer enabled the breach. A cybercrime investigation is still ongoing and we have yet to determine whether these former employees had other intentions for letting this happen.”
Aurélien Menant, CEO and co-founder of Gatecoin – a Hong Kong-based digital asset exchange – is telling GTR about a hack that took place in May and which was thought to have cost the company up to US$2mn. Digitisation is, most will agree, the most important trend in global trade. Combine this with the fact that digital currencies are obvious targets for hackers, and you have a perfect storm.
“Cryptocurrency exchanges are prime targets for hackers, as they store digital assets of significant value, and once stolen, these digital funds are easy to launder,” Menant explains. “If you look at the history of the cryptocurrency exchange space, you’ll find that almost all the major exchanges have been hacked at some point.”
He adds that exchanges are targeted daily and perhaps the small size of a cryptocurrency exchange compared to a major financial institution helps keep the attacks small and localised. Ironically for a digital platform, Menant says the attack was the result of human error and that if you have someone opening the door to the vault, “it doesn’t take an Ocean’s 11-type operation to exploit that opportunity”.
If the future of trade is digital, then the problem is only going to get bigger, and as the internet of things takes root in companies and banks, a whole new raft of risks is established.
“Consider the sheer number of hacked computers and smartphones today. Now imagine the consequences of connected doors, air conditioning units, water coolers, cars being hijacked by hackers and used to threaten and torture those working in the offices operating a financial institution,” Menant says.
Where cyber-attacks were once random shots in the dark, they are now highly co-ordinated, with entire enterprises targeted with massive spam campaigns that take months to plan.
FireEye has noticed the increased prevalence of ransomware, a recognition that the person that’s going to pay the most for the data you’ve stolen will often be the person you’ve stolen it from. “You don’t have to find a buyer, the buyer is already there, you just have to negotiate a price,” Boland says.
Companies and banks that want to digitise must become more sophisticated in their security operations in tandem with this, otherwise disaster awaits. Boland paints a picture of New York City after the back office of a market-making bank is taken out: a cashless society, people unable to access food or fuel, leading to an inevitable collapse in civilisation – “like a zombie apocalypse”. The walking dead aside, the worst-case scenario doesn’t seem all that far-fetched.