When hackers silently forced their way into the computer network of Finastra in mid-March, the company was focused on developing emergency plans for operating amid the emerging COVID-19 coronavirus pandemic. Moving with precision and speed, they captured employee passwords and installed backdoors in dozens of servers in critical parts of Finastra’s network.
Although hardly a household name, Finastra Group Holdings is an essential part of the global financial system, its software and services running everything from banks’ websites to the back-office systems they use to manage their own money. Its more than 8,500 customers include 90 of the world’s 100 largest banks.
For three days, the attack went unnoticed. But the hackers’ activity on one of Finastra’s cloud servers set off a tripwire that alerted the company’s security team and triggered a destructive finale to the intrusion. On March 20, the hackers – apparently aware they were being hunted – began detonating a potent strain of ransomware called Ryuk.
As the malware quickly spread, locking up server after server, Finastra’s information security team evaluated its dwindling options before settling on the nuclear one: The company pulled all potentially infected servers offline. First, hundreds, then thousands, came down. The attack ground to a halt – as did critical parts of Finastra’s business. In an instant, services for many of Finastra’s customers went dark.
The inside story of Finastra’s breach – which Bloomberg Businessweek reconstructed through dozens of internal documents provided by a person close to investigations conducted by Finastra and a security firm it hired – shows the vulnerabilities companies are facing as they grapple with depleted resources and scattered workforces, as well as the increasingly aggressive hacking groups eager to exploit them.
“We believe the attack came deliberately whilst we focused on moving the majority of our global workforce, including several thousands of our colleagues in the Americas, to safer work from home processes in light of COVID-19,” says Simon Paris, Chief Executive Officer, Finastra.
Finastra declined to comment on several specific questions about the hack, its response, and the subsequent investigations. “We retained control of our network through the action that we took in taking our servers offline, and our ability to resume operations in a relatively short space of time reflects that,” says a company spokesperson. The breach was previously reported by KrebsonSecurity.com, an investigative journalism site that focuses on cybercrime.
Ransomware attacks have been growing in recent years against all types of government agencies and businesses, including school districts, doctors’ offices, and multinational corporations. But the COVID-19 pandemic has presented hackers with a once-in-a-generation opportunity to strike vulnerable targets as entire offices are working from home and information-technology staff are stretched thin. The Ryuk strain of ransomware was created by a Russian organised crime ring that cybersecurity researchers have dubbed Wizard Spider.
Eric Friedberg, co-president of Aon Plc’s Stroz Friedberg incident response firm, which wasn’t involved in the Finastra incident, says that since January, the time between attackers gaining access to a network and deploying ransomware has dropped from weeks or months to between 2 and 10 days. He says the accelerated pace has slashed the time victims have to detect intrusions and decide how to respond, maximising the hackers’ leverage.
Finastra had one advantage, though: It learned about the breach fast, after its security team was alerted to unusual activity on a Finastra server hosted in a Microsoft cloud, according to a detailed timeline of events prepared by investigators. This was the tripwire that alerted Finastra that it had a bigger problem. The company found that the hackers had installed malware on dozens of critical servers known as domain controllers. That meant they had power over large banks of subordinate servers and the data on them, according to a spreadsheet of infected servers also prepared by investigators.
Finastra already suffered from poor cybersecurity hygiene in basic areas, including failures to fix known software security issues. These vulnerabilities helped the attackers spread quickly throughout the network once they were inside, the person familiar with the investigations says. Finastra’s information security team had recommended fixing those issues but was overruled by senior managers who were concerned the changes could cause disruptions in older applications, the person says.
Still, the early detection allowed Finastra to map the hackers’ movements before they began deploying the ransomware. This helped the company identify and isolate potentially infected servers and bring key services back online within days – the difference between a knockout and a black eye.
It couldn’t be determined how many financial institutions were impacted by Finastra’s service outages, or whether any sensitive data were stolen. According to the documents and the person familiar with the investigations, however, several of Finastra’s core businesses experienced outages, some of which lasted at least several days, including services that manage mortgage lending, student loan processing, and retail banking.
Many community banks and credit unions that Finastra highlights on its website posted notices the day of the attack, and over the course of several days afterward, that their services were down because of a breach at a core banking-service provider, without naming Finastra.
Horicon Bank, a network of community banks in Wisconsin, said it was one of “hundreds” of financial institutions impacted in the US by the incident. Lea County State Bank, a community bank in Hobbs, N.M., also said it was affected. Some customers wrote on the bank’s Facebook page that they were unable to access their accounts.
“With all this coronavirus horror this is the last thing that needs to be happening to us,” one customer wrote online. Both banks several days later posted that their online banking and bill-pay services were restored. Representatives of the banks didn’t return messages seeking comment.
Finastra’s hack may be a sign of things to come as coronavirus-induced lockdowns grind on, and hackers target companies that are already in crisis. But its response could also provide a model for deterrence.
The company didn’t pay any ransom, according to the person familiar with Finastra’s internal investigations. It didn’t have to. Because Finastra decided to shut down essential services instead of paying up, it absorbed one kind of cost to avoid a potentially worse kind.
The company scrubbed infected servers of malware when that was possible, and in cases where it couldn’t be removed, those servers were rebuilt entirely, using backup data – a complicated and time-consuming process. “Paying the ransom,” the person says, “just makes you a bigger target for next time.”
Fortune favours the brave!