Column by Maxim Builov about the not-too-sudden cyber exercises of the Central Bank


The Central Bank’s cyber exercises, which the information security departments of banks had been awaiting with some trepidation for more than a month (see Kommersant on August 10), began this week. There is nothing unusual about such events in themselves – they have been held regularly since 2020. The Bank of Russia would launch an audit of how well credit institutions were protected against certain threats, market participants would organize their countermeasures, and the regulator would oversee the process and sum up the results.

But this time the Central Bank approached the event creatively. Banks were required to send in advance 30 email addresses of their employees, preferably not information security specialists. In response, emails with malicious software (malware) attached will be sent to these addresses. According to the exercise scenario, employees of credit institutions will have to open the emails, after which information security specialists will step in and begin to fight the “malware.” The results must be reported to the regulator.

As the Central Bank explained, “to create conditions close to reality,” the start date of the cyber exercises is not disclosed. However, specialized TG channels are already actively discussing the exercises. For instance, some market participants discovered that the emails with malware had been successfully filtered out by their security systems. As a result, banks risk not taking part in the cyber exercises, for which, as they logically assume, they will be punished by the Central Bank. So information security employees are actively combing spam folders to fish out the regulator’s cyber packages.

But even finding the email with malware from the Bank of Russia does not guarantee full participation in the cyber exercises, since standard security measures often block the opening of suspicious links, which the scenario does not allow for. According to the Central Bank’s plan, a bank employee must open the first link, describe the incident, receive recommendations from FinCERT and, taking them into account, block the malware when it is sent again. The scenario makes no provision for a bank blocking the first malware link on its own, and doing so is therefore punishable.

There is one more subtlety – “to create conditions close to reality,” the Central Bank does not label its emails with malware. This means that the risk of receiving an email with malware from real scammers increases significantly, and those have to be fought for real, at the risk of losing money or confidential information.

However, there were also suggestions that some participants in the exercises would create 30 new mailboxes specifically for this task. Then the probability of receiving a real phishing email would be minimal, and not a single email from the Central Bank would be lost; each would be processed in the best possible way. It turns out to be a kind of digitalization of the Potemkin village – the banks strictly follow the script, and the regulator reports that everything is under control.
