Not Your Average Cybercriminal: A Look at the Diverse Threats to the Financial Services Industry

In the second quarter of 2013, Mandiant observed different types of threat activity across 26 industries, both as part of incidents we responded to and through external sources. The financial services industry and media & entertainment companies topped the list of most targeted sectors:

Figure 1: Industries with Highest Number of Targeted Organizations in Q2 2013

After crunching the numbers, we weren't surprised that the financial services sector is still solidly in the crosshairs. Targeted financial companies included banks, payment processing companies, investment firms, and other organizations that manage financial transactions.

The culprits? Cybercriminals of varying skill levels, and, wait for it, Chinese advanced persistent threat (APT) actors! We suspect these Chinese APT actors are after financial services companies in order to understand their business processes for long-term economic and strategic advantage, instead of immediate financial gain. The types of information we observed the APT groups target and steal, which were indeed related to specific business and transaction procedures, support this assessment. China's expanding financial services sector and banking industry are both likely to benefit from stolen financial monitoring and transaction processing information.

On the cybercriminal side, we're also seeing tactics that look more like traditional APT behavior. Some cybercriminals are willing to spend the time doing network reconnaissance, installing backdoors, and moving laterally through a victim's environment to get what they want, rather than taking the typical "smash and grab" approach. In a recent Mandiant investigation, cybercriminals repeatedly accessed backdoors that they had placed in a victim's environment every 2-3 days. We believe these targeted cybercriminals have the resources to undertake more intensive, and potentially more damaging, operations.
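The every-2-3-days backdoor check-in described above is a hunting opportunity for defenders: a single internal host contacting the same external endpoint at a regular, multi-day cadence stands out once connections are grouped by source/destination pair. The following script is an added example, not code from the original Mandiant post; the proxy-log format, the hostnames, the IP addresses and the thresholds are all constructed for illustration.

```python
"""
Added example (not from the original post): flag low-frequency, periodic
check-ins, i.e. one internal host reaching the same external endpoint on a
regular cadence of roughly 1-4 days. Log format and sample lines are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed proxy-log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# 10.1.5.23 -> update.example-cdn.test is the planted cadence (2 or 3 days apart);
# the other lines are ordinary, irregular traffic.
SAMPLE_LOG = """\
2013-05-01T02:14:07 10.1.5.23 update.example-cdn.test 512
2013-05-01T09:30:11 10.1.5.23 mail.example.test 20480
2013-05-03T02:16:40 10.1.5.23 update.example-cdn.test 498
2013-05-03T11:02:55 10.1.5.23 mail.example.test 1024
2013-05-06T02:13:59 10.1.5.23 update.example-cdn.test 530
2013-05-08T02:15:20 10.1.5.23 update.example-cdn.test 505
2013-05-11T02:14:44 10.1.5.23 update.example-cdn.test 511
2013-05-02T14:00:00 10.1.7.9 mail.example.test 4096
2013-05-09T16:20:00 10.1.7.9 mail.example.test 8192
2013-05-11T16:20:00 10.1.7.9 mail.example.test 8192
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_periodic_checkins(events, min_events=4, min_days=1.0,
                           max_days=4.0, max_jitter=0.3):
    """Return (src, dst, median_gap_days, count) for every src/dst pair whose
    contact intervals are regular (low coefficient of variation) and whose
    median interval falls inside the min_days..max_days window."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few contacts to call it a cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() / 86400 for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Coefficient of variation: near zero means an evenly spaced beacon,
        # large values mean human-driven, irregular traffic.
        cv = pstdev(gaps) / mean(gaps)
        if min_days <= med <= max_days and cv <= max_jitter:
            hits.append((src, dst, round(med, 2), len(stamps)))
    return hits


def hunt(text=SAMPLE_LOG):
    """Convenience wrapper: parse the log and return the flagged pairs."""
    return find_periodic_checkins(parse_log(text))


if __name__ == "__main__":
    for src, dst, gap, n in hunt():
        print(f"{src} -> {dst}: {n} contacts, median gap {gap} days")
```

The thresholds are deliberately loose: a multi-day cadence with a 2-or-3-day alternation, as in the sample, still has a coefficient of variation around 0.2, so the jitter cut-off must tolerate that while rejecting genuinely irregular traffic. In practice the same grouping works over DNS or NetFlow records, and adding a byte-count check (consistently small transfers) cuts false positives from legitimate scheduled updaters.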