The Hafnium Attack: evolving risk of cyber-attacks for the finance sector

Recently email servers of the European Banking Authority (EBA) were compromised as part of a zero-day exploit cyber-attack. We recently warned of the similar risks posed by wholesale cyber-attacks—attacks on service providers that affect large numbers of organizations at the same time, following significant disruption to the US Government and several companies in connection with the SolarWinds attacks. We consider the EBA zero-day attack and address ongoing challenges in this area.

The Hafnium Attack

On 2 March 2021, Microsoft announced that a Chinese state-sponsored actor known as “Hafnium” had exploited vulnerabilities in the Microsoft Exchange Server email platform to control and access private data from a number of entities in the US and worldwide. On 7 March 2021, the EBA announced in turn that it was one of the victims. The EBA confirmed that attackers may have gained access to personal data, but the full extent of the hack is still unclear. Current estimates are that tens of thousands of firms were affected.

The attack again illustrates the ever-increasing risk of cyber-attacks. The zero-day exploit saw Hafnium target vulnerabilities in the Microsoft software that many companies use for their on-premises systems, and then attack thousands of customers in a separate-but-coordinated way.  It appears to developed intoa free-for-all, with criminal groups taking advantage of the attack.

The incident follows the recent “wholesale” attack against systemic providers of software or security, whose broad customer base offers hackers access to a wide range of private data and potential to cause maximum disruption globally. As regulators have warned, the finance sector is a prime target for actors who seek to cause disruption to multiple entities by targeting important institutions to threaten cyber resilience.

Collateral Risks

Even where financial institutions are not direct targets of attacks, they may be exposed due to outsourcing and/or third-party arrangements with other systemic service providers. Organizations are increasingly expected to account for third-party risk as part of their data governance practices. Recent regulatory guidance on third-party risk management includes the UK Prudential Regulation Authority’s (PRA) outsourcing and third party risk management consultation and the discussion paper published by the Financial Stability Board and updates to guidance on third-party relationships from the Office of the Comptroller of the Currency. In practice, effective allocation of risk and liability with third-party vendors can be difficult to negotiate.

What to do? 

• Be prepared: With a 1400% increase in cyber-attacks in recent years, regulated financial services firms should prepare for attacks that are an inevitable part of business. Firms should closely monitor responses to this attack by Microsoft and government bodies, and to account for risk exposure both from regulatory agencies and litigation. Microsoft has released security updates to apply immediately, which will reduce the risk of further intrusions. Regulatory attention in this area is likely to become even more of a priority since last year’s proposals by the UK’s regulators, the EU Commission seeking to tackle these evolving risks and US federal banking regulators have joined the growing regulatory response to operational resilience, including protection from cyber-attacks. We have explored these developments as we expect the FCA and PRA announcing their final proposals to ensure operational resilience during the course of 2021. Bad things can happen to organizations with effective cyber resilience, and so maintaining appropriate records of the steps taken to assess and improve cyber resilience is critical – in the context of both regulatory enforcement action and litigation. 
• Repairing the damage: In a statement on Twitter, the National Security Council noted that “Patching and mitigation is not remediation if the servers have already been compromised”. US officials have warned that the attack remains an “active threat,” and Microsoft is working closely with the US Cybersecurity & Infrastructure Security Agency (CISA), which has already released and continues to update guidance to mitigate Microsoft Exchange Server vulnerabilities. Firms should explore if they have been affected and in turn tack measures to patch vulnerabilities and mitigate any damage.
• Follow the guidance: the FSB has offered practical guidance on managing outsourcing and third party risk, which we have recently discussed. We have also provided guidance on managing the proliferation of regulatory guidelines and requirements, which  represent a major compliance exercise. Several other regulatory resources are also available, including:
  • CISA’s current Cyber Resilience Review Assessment
  • The US National Security Agency’s list of cybersecurity advisories and technical guidance
  • The UK National Cyber Security Centre’s Cyber Assessment Framework
  • The UK FCA’s “Cyber security – industry insights”

We will continue to offer guidance during 2021 and beyond on the changing landscape in this area; keep an eye on our newsletters and blogs for further updates.