Ask the Expert

What has your cybersecurity team learned from the war in Ukraine and cyberattacks on infrastructure that carries lessons for banks and banking customers in the United States?

As appeared in the Cleveland Fed Digest's Ask the Expert

We work daily with private and public partners to understand cyberthreats, including those resulting from Russia’s war in Ukraine. At the beginning of the war, it was hectic. We used historical context to consider how Russia was likely to attack, based on the cyberattacks the country launched before it invaded Georgia in 2008. In Ukraine, we expected but didn’t see the same results. Russia targeted Ukraine’s telecommunications and electric infrastructure but was less successful. There were large pockets without service, but Ukraine was able to stand it back up pretty quickly. We also saw significant international support from private and publicly traded companies to help keep Ukraine’s population receiving both internet and cell phone services. Typically, war is seen as government organizations against each other, so this was a newer development.

Overall, we’re still seeing most Russian interference and targeting in Europe, but it has shifted some to harassment-style attacks in the United States. Originally, we were not seeing much targeting of US operations. Adversaries are increasing their attacks, using new tactics we’re seeing following the war in Ukraine, and they’re getting further into networks than we would have expected six months to a year ago.

The lesson learned is that everything is interconnected nowadays. We learned this in 2017, when an actor later confirmed by US sources to be Russian attacked Ukraine with NotPetya, malware that spread massively across banks, ministries, newspapers, and shipping agents. The attack showed how quickly these things can spread: In a weekend it was almost everywhere, though not really in the United States because of updates and security controls. Still, the attack keyed us into the depth of connections that weren’t necessarily obvious that reside in systems.

Banking systems are tied to the power grid, the internet, and telecommunications. If someone targets a large bank that is a critical supplier of downstream transactions and the bank goes offline, how many small banks go offline? That’s where you see effects for the regular person: your bank can’t tell you your balance, you can’t use ATMs and online banking, and you can’t pay your mortgage and car loans. Even smaller attacks that may not have a big impact on infrastructure can create many issues.

The Federal Reserve’s Cybersecurity Analytics Support Team sees all these pieces, and we try to prevent incidents and large-scale impacts. We are trying to understand the interconnected nature of these incidents, but we don’t know where all of the connections reside within private industry. The Federal Reserve’s Cybersecurity Analytics Support Team works with policymakers, federal regulators, bank security experts, industry leaders, and others who are trying to develop strategies in this area, but everyone has to implement security at their own level. I can’t tell a bank what their best processes are; instead, they have to do risk analysis and understand what they’re trying to protect. Security and depth are essential. You can’t operate without multiple layers of security that surround your environment and ensure it’s really difficult to get into. Inside a network, segmentation, or separation of information, is key. That way, if an actor successfully hacks a customer account, the criminal might not gain access to the system’s backend.

Banking customers can’t do a lot about how a bank is tied to other banks or how the interconnectedness operates. Attackers are always evolving, and they use people’s lack of knowledge to exploit their vulnerabilities. The best we can do is make ourselves cyber aware. Don’t click on random links. Change passwords and use different, longer passwords. A 38-character password that’s a sentence is more secure and takes infinitely longer to break than a short, complex password. Be smart about internet use, and be wary of users who call or text, requesting personal information.
