Hackers silently entered the computer network of London-based banking software maker Finastra in mid-March, as the company was focused on developing emergency plans for operating amid the emerging Covid-19 coronavirus pandemic. Moving with precision and speed, they captured employee passwords and installed backdoors in dozens of servers in critical parts of Finastra’s network.
Although hardly a household name,
For three days, the attack went unnoticed. But the hackers’ activity on one of Finastra’s cloud servers set off a tripwire that alerted the company’s security team and triggered a destructive finale to the intrusion. On March 20, the hackers—apparently aware they were being hunted—began detonating a potent strain of ransomware called Ryuk.
As the malware quickly spread, locking up server after server, Finastra’s information security team evaluated its dwindling options before settling on the nuclear one: The company pulled all potentially infected servers offline. First, hundreds, then thousands, came down. The attack ground to a halt—as did critical parts of Finastra’s business. In an instant, services for many of Finastra’s customers went dark.
The inside story of Finastra’s breach—which Bloomberg Businessweek has reconstructed through dozens of internal documents provided by a person close to investigations conducted by Finastra and a security firm it hired—shows the vulnerabilities companies are facing as they grapple with depleted resources and scattered workforces, as well as the increasingly aggressive hacking groups eager to exploit them. “We believe the attack came deliberately whilst we focused on moving the majority of our global workforce, including several thousands of our colleagues in the Americas, to safer work from home processes in light of COVID-19,” Chief Executive Officer
Finastra declined to comment on several specific questions about the hack, its response, and the subsequent investigations. “We retained control of our network through the action that we took in taking our servers offline, and our ability to resume operations in a relatively short space of time reflects that,” says a company spokesperson. The breach was previously reported by KrebsonSecurity.com, an investigative journalism site that focuses on cybercrime.
Ransomware is a type of malware that encrypts computer files and is often deployed through links in fraudulent emails—so-called phishing attempts. Once it gets into a computer network and begins locking up data, hackers demand a ransom in exchange for a decryption key. Ransomware attacks have been growing in recent years against all types of government agencies and businesses, including school districts, doctors’ offices, and multinational corporations. But the
Finastra had one advantage, though: It learned about the breach fast, after its security team was alerted to unusual activity on a Finastra server hosted in a Microsoft cloud, according to a detailed timeline of events prepared by investigators and reviewed by Bloomberg Businessweek. This was the tripwire that alerted Finastra that it had a bigger problem. The company found that the hackers had installed malware on dozens of critical servers known as domain controllers. That meant they had power over large banks of subordinate servers and the data on them, according to a spreadsheet of infected servers also prepared by investigators.
Finastra already suffered from poor cybersecurity hygiene in basic areas, including failures to fix known software security issues. These vulnerabilities helped the attackers spread quickly throughout the network once they were inside, the person familiar with the investigations says. Finastra’s information security team had recommended fixing those issues but was overruled by senior managers who were concerned the changes could cause disruptions in older applications, the person says.
Still, the early detection allowed Finastra to map the hackers’ movements before they began deploying the ransomware. This helped the company identify and isolate potentially infected servers and bring key services back online within days, the difference between a knockout and a black eye.
It couldn’t be determined how many financial institutions were impacted by Finastra’s service outages, or whether any sensitive data were stolen. According to the documents and the person familiar with the investigations, however, several of Finastra’s core businesses experienced outages, some of which lasted at least several days, including services that manage mortgage lending, student loan processing, and retail banking. Many community banks and credit unions that Finastra highlights on its website posted notices the day of the attack, and over the course of several days afterward, that their services were down because of a breach at a core banking-service provider, without naming Finastra.
Finastra’s hack may be a sign of things to come as coronavirus-induced lockdowns grind on, and hackers target companies that are already in crisis. But its response could also provide a model for deterrence. The company didn’t pay any ransom, according to the person familiar with Finastra’s internal investigations. It didn’t have to. Because Finastra decided to shut down essential services instead of paying up, it absorbed one kind of cost to avoid a potentially worse kind. The company scrubbed infected servers of malware when that was possible, and in cases where it couldn’t be removed, those servers were rebuilt entirely, using backup data—a complicated and time-consuming process. “Paying the ransom,” the person says, “just makes you a bigger target for next time.”
© 2020 Bloomberg L.P. All rights reserved. Used with permission.