The Central Bank will check the readiness of banks for cyber threats under a new scenario


The Central Bank is going to test the information security systems of banks under a new scenario. In previous years the regulator gave advance warning of its drills. This time it intends to run a surprise check by sending bank employees emails carrying malware. Information security specialists point to the risk that real attackers will piggyback on the exercise.

In the third quarter the Central Bank plans to hold its regular information security exercises in banks, according to a letter from the regulator dated August 7 that Kommersant has seen. For this purpose the Bank of Russia asks each bank to send it at least 30 employee email addresses, giving priority to staff who do not work in the information security (IS) service. “In order to create conditions close to reality, the participants will not be notified of the exact date of the cyber exercise,” the Central Bank writes.

According to the scenario described in the appendix to the document, the bank employees whose addresses are submitted to the Central Bank will receive emails with malicious software (VPO) attached. Once the file is opened, an “outgoing connection from the compromised workstation to the command and control server” takes place. After analyzing the incident, the bank must report it to FinCERT (the division of the Central Bank that issues recommendations on countering risks).

The exercises have been held since 2020 (last year, for example, the Central Bank tested banks on, among other things, the security of domestic software analogues), but this scenario is being used for the first time. Previously the regulator warned banks of an impending “negative development”, the banks activated their response mechanisms under the Central Bank’s supervision, and the regulator then summed up the results.

Experts note that cyber exercises are useful in principle. “The result of the exercise can be either the opening of a file with malware (with subsequent analysis of the incident) or the refusal of a bank employee to open a suspicious file. This is an important metric, since the number of opened letters can be used to judge the awareness of the organization’s employees of the rules of cyber hygiene,” says Daria Verestnikova, Commercial Director of SafeTech.

Alexander Moiseev, a leading information security consultant at Aktiv Consulting, adds that the scenarios are aimed at training staff to counter targeted computer attacks, whose methods and tools are poorly detected by conventional anti-virus protection, since the attackers use techniques to bypass it.

Officially, the bankers are not worried. ICB and Gazprombank, for instance, note that they have been taking part in the exercises for several years and have protective measures in place, in particular for email.

At the same time, information security specialists warn of the risks in the proposed scenario. The letter sent to banks carries no confidentiality marking, so it is being actively discussed in professional chats and among specialists, and attackers could make use of that, notes a Kommersant source from the industry. Banks will not be told when the letter from the Central Bank will arrive or what it will look like, but they will be expecting it at specific addresses, and attackers who know about the exercise could exploit that.

When one of the specialists notices suspicious activity and decides to warn colleagues that the Central Bank’s mailing has begun, attackers can join in and start sending their own malware, and as a result the information security services may miss the real attack, the Kommersant source explains.

However, Evgeny Tsarev, managing director of RTM Group, doubts that the employee email addresses will be chosen at random and that the recipients will be told nothing. Even if these are real employee addresses, the recipients will certainly be warned that a mailing is coming. It is also possible that the system administrator will simply create 30 accounts for the occasion that belong to no real employees, purely to hold a “model” exercise. The mailing will take place, the messages will be seen to be delivered, but they will not be opened, he explains.

For its part, the Central Bank notes that early disclosure of the specific activities planned for the cyber exercise would prevent an objective and reliable result. The regulator does, however, promise not to apply supervisory response measures to participants in the cyber exercise.

Julia Poslavskaya
