by Yuriy Zakharchenko, Director of the Cybersecurity Department at KredoBank JSC
The full-scale Russian aggression against Ukraine has posed unique challenges for us. They include attacks on physical infrastructure, human resources issues, and a significant increase in cyberattacks. While we were prepared for some of these situations, others required more time for adaptation and stabilization.
During the early stages of the full-scale war, the key challenge was operating in an environment of uncertainty and the necessity for swift decision-making. No one understood the full extent of the military actions to come, and preparations had to be made for various possible scenarios.
KredoBank’s response to rocket attacks
One of the most challenging and unexpected issues we faced was the rocket attacks on our physical infrastructure, the power grid, and telecommunications. Unlike other companies, banks had limitations on using cloud services because, prior to the full-scale war, the National Bank of Ukraine prohibited storing customer data in the cloud. While many of Kredobank’s systems were already in the cloud long before the Covid-19 pandemic, these were not systems that handled our customers’ data. After the removal of this restriction, we swiftly created additional backup copies of our systems in the cloud. We continue to collaborate with major cloud service providers, and transitioning all of our systems to the cloud remains our top priority.
Nevertheless, even with the majority of our IT infrastructure hosted in the cloud, and our staff working remotely, ensuring dependable communication, stable power supply, and the necessary end-user devices for connectivity and work remains crucial. Addressing these factors is fundamental to the operations of the cybersecurity department and requires special attention.
Reflecting on the initial months of 2022, the situation unfolded at an extraordinary pace. Western corporations generously provided us with licenses and services free of charge. Due to the shortage of spare parts and new equipment, banks resorted to lending equipment among themselves. Our server room became a repository for servers from various other institutions and banks. We also established reliable backup communication channels and implemented satellite internet using acquired Starlink terminals, both for our main offices and Kredobank branches.
Adapting to cybersecurity demands
The effectiveness of the cybersecurity department also depends significantly on having a qualified workforce. With the onset of military operations, cyber risks significantly increased, leading many employers to actively expand their cybersecurity efforts and hire additional specialists. Consequently, there is an increasing shortage of qualified cybersecurity professionals in the Ukrainian job market. Our team has also encountered this challenge. Due to layoffs and mobilization, some team members were replaced with new hires. Here, we have benefited from established processes for swiftly redistributing responsibilities and bringing new specialists on board. Within the bank, we maximize process automation and personnel backup by training Junior-level specialists. Additionally, the ability to work remotely, which we and many companies worldwide had already embraced during the Covid era, eases the situation.
Despite these new challenges, the bank remains one of the most appealing destinations for launching a career in the cybersecurity field.
Safeguarding the digital fortress
In 2022, there was an increase in the number of cyberattacks, followed by a decrease since the beginning of 2023. Fortunately, Kredobank is not currently considered a critical infrastructure target by Russia and, as a result, is not included in the list of primary targets for cyberattacks by Russian groups. However, the most significant concern for us has been the attacks by the Russian hacktivist group NoName057(16) and their project, DDoSia Project.
“The primary attack vectors continue to be DDoS, scanning, and the exploitation of vulnerabilities on web resources, along with phishing.”
We also consistently observe a high volume of phishing attacks. Statistically, over 80% of these attacks are executed using public services. Geolocation is actively employed to bypass security systems and create customer profiles. Additionally, the use of messaging apps in phishing campaigns has increased significantly, with a particular focus on Telegram and Viber. The most common threats in phishing attacks include the theft of authentication credentials, the distribution of malicious software, and the exploitation of vulnerabilities.
Fortunately, the bank’s infrastructure has seen relatively few instances of malicious software infiltration. Among the discovered malicious software in the bank’s infrastructure, downloaders such as VBSTrojanDownloaders and various Trojan variants were the most common. Malicious software typically found its way into the infrastructure through email attachments in the form of archive files (zip, 7z).
However, we are constantly working on combating the most dangerous types of malicious software, including human-operated ransomware and destructive malware. Among potential intrusion vectors, our primary focus is on unmanaged devices and supply chain vulnerabilities.
Using the statistics accumulated in the bank’s Security Operations Centre, we attempted to merge kinetic attacks on Ukraine’s infrastructure and cyberattacks on the bank’s resources on a single timeline. We managed to plot a curve where the peak of cyberattacks coincided with the period of widespread missile attacks across Ukraine. While it is challenging to establish direct correlations, it can be inferred that preparations for cyberattacks were underway before the onset of military actions. This also affirms that active scanning and vulnerability research are continually conducted to orchestrate large-scale attacks. An increase in phishing attacks is preceded by an uptick in the detection of malicious software within the bank’s infrastructure.
At the same time, in certain areas, we continued the implementation of projects aimed at developing existing cybersecurity processes and systems, as well as introducing new ones. We strengthened our monitoring and collaboration with other organizations, forging closer relationships with our colleagues from CERT PKO Bank Polski.
“Throughout nearly two years of war, there have been no prolonged disruptions of processes or mass data leaks due to cyberattacks.”
Some past events that we once considered catastrophic, such as the NotPetya cyberattacks or the Covid pandemic, have contributed to our resilience and readiness for more complex challenges. There’s a saying: ‘What doesn’t kill us makes us stronger,’ and now we are more experienced and confident in our endeavors.
by Yuriy Zakharchenko, Director of the Cybersecurity Department at KredoBank JSC The full-scale Russian aggression against Ukraine has posed unique challenges for us. They include attacks on physical infrastructure, human resources issues, and a significant increase in cyberattacks. While we were prepared for some of these situations, others required more time for adaptation and stabilization. […]
https://itcluster.lviv.ua/wp-content/uploads/2024/02/kredo-bank-cover.png