Factors Influencing the Likelihood of a Systemically Significant Cyber Attack on Western European Financial Services

At different times, different factors have been key to Russian success in Ukraine, and these factors have had an impact on Russian activities / targeting. For example:

• Ukrainian battlefield capability --> Evolution of Russian battlefield strategy (inc. ‘meat grinder’, drone supremacy, etc).
• Ukrainian popular support for the war --> Aerial bombardment of civilian population centres and CNI in Ukraine.
• European popular support for the war --> Reduction in energy supplies to Europe.

A new factor has recently come to the fore as by far the most significant factor in deciding the outcome of the war - the availability of financial aid for Ukraine. Both major aid providers (the US and the EU) have suffered significant setbacks in their attempts to ensure funding for the Ukrainian state. Two significant approaches are currently being considered to enable continued funding, as follows:

• In the EU, moves are afoot to circumvent the Hungarian veto on aid to Ukraine by increasing borrowing and lending funds to Ukraine – a mechanism which Hungary cannot veto.
• The funding shortage has renewed efforts to use USD 300bn of confiscated Russian assets to fund the Ukrainian war effort. Much of this money is currently held by European financial institutions.

Disrupting either or both of these efforts is likely to be a major strategic objective for Russia. At the very least, this means that Russian Intelligence apparatus, both cyber and conventional, will be collecting intelligence on these themes, including through targeting the financial sector. An additional possibility is cyber-enabled sabotage against key entities engaged in these funding mechanisms. We have already seen some targeting of the European Central Bank (ECB) and the European Bank of Reconstruction and Development (EBRD) from pro-Russian hacktivist groups, albeit ineffective due to the limited capability of the actors.

Concurrently, Ukraine has recently claimed responsibility for two cyber attacks, both of which have had some degree of systemic impact on the Russian financial system, as follows:

• On 13 December, Ukraine’s Defence Intelligence Directorate (GUR) claimed responsibility for an attack on the Russian Federal Taxation Service (FTS), stating that the organisation’s central server as well as 2,300 regional servers had been wiped, along with back-ups.
• On 27 December, the Ministry of Digital Transformation of Ukraine claimed that the IT Army of Ukraine (a hacktivist group co-ordinated by the Ukrainian state) had disrupted the operations of 1C-Rarus, a large Russian Enterprise Resource Planning (ERP) software provider. As 1C-Rarus is used in some accounting and payments systems, the attack is reported to have disrupted (for example) fuel payments at petrol stations and disrupted other business transactions.

The real-world impact of these attacks is far from clear, and it is possible, if not likely, that Ukraine is overstating their impact. They are, however, clear acts of cyber enabled sabotage, undertaken as part of an asymmetric warfare campaign, likely designed to inflict systemic damage on Russia’s financial system. Whilst cyber sabotage as part of asymmetric warfare is not new, the Ukrainian state’s ‘self-attribution’ of these attacks is likely unprecedented.

The question as to whether these attacks ‘lower the threshold’ for targeting of financial infrastructure as part of asymmetric warfare is very much open to question. On the one hand, Russia has not previously needed any encouragement to engage in cyber-enabled sabotage – the targeting of the Georgian Power Grid in 2015, for example – albeit under a thin pretext of deniability. On the other hand, Russia can now point to these overt acts, and claim that any similar action that it undertakes is justified retaliation. Given the context around EU and US financial support for Ukraine, it is plausible that Western financial institutions could be targeted in this way.

The two factors above (likely increase in Russian focus on Western financial entities and a lowering of the threshold for cyber-enabled sabotage against financial targets) would suggest some degree in increase in threat. There are, however, some factors which go some way to mitigating this threat. The most significant factor is an assessed reluctance by Russia to escalate in this way, at this time. A systemically significant attack on financial infrastructure outside of the Ukraine would be a major escalation, even in light of the Ukrainian attacks. Given questions around the long-term funding for Ukraine, such a move is unlikely to be in Russia’s strategic interests at the moment.

Therefore – as ever – the threat landscape remains nuanced, and – for the time being – SecAlliance’s evaluation of the threat of cyber-enabled sabotage targeting the European financial sector remains unchanged at ‘Elevated’. Close monitoring and constant re-evaluation of our assessment continues.