Saturday, October 28, 2023

Inside the secret Accenture team trying to hack the banks


Jason Ford and his “red teams” have been breaking into banks by fooling workers with the latest psychological tricks targeting the human foibles that leave IT defences vulnerable.
In June, Jason Ford received a call from the Australian Federal Police. They wanted to know why his credit card had been used to send packages to an Australian bank. The lender’s security team had called the authorities when they discovered this was an attempt to break into its computer systems.
Ford had stuffed gift boxes with brown shredded paper and a letter congratulating several staff members for their good work. The note was purportedly from Workhuman, an international company that provides software for human resources teams.

“Hey Justin, Great news,” read one of the letters, dated June 8 this year. “Your hard work in your role as a Senior Transformation Manager has been recognised by our friends at [your bank] and they’ve asked us to send over a little special something just for you”.
Along with the letter, the box contained a gold gift card and a silver thumb drive. Ford had hoped Justin would stick the drive into his work laptop.
Mimicking a technique used by the notorious criminal hacking group FIN7, Ford had programmed a microcontroller inside the thumb drive to present itself to the bank’s computers as a keyboard. Because the device never identifies as a storage device, this bypasses the controls that block USB storage.
Once plugged in, the fake keyboard would execute a malware file within five seconds, giving Ford remote access to the device – and, potentially, the bank’s whole network.
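As an added illustration (not Accenture’s or the bank’s tooling, and not code from the article), the check below shows why blocking USB storage alone does not catch a device that enumerates as a keyboard: the kernel never loads the usb-storage driver for it, it simply registers another input device. The script parses constructed Linux kernel log lines and raises an alert for any USB input device whose vendor/product id is not on an approved list, and for a second instance of an approved id, since a device’s firmware can copy the id of the fleet’s standard keyboard. The log lines, the allow list, the hostname and all vendor/product ids are constructed placeholders.

```python
"""Flag unexpected USB input (HID) devices in Linux kernel logs.

Constructed example: a USB-storage block stops removable disks, but a
microcontroller that enumerates as a keyboard never touches usb-storage.
The question to ask of the logs is therefore "did an input device appear
that is not one we issued?" rather than "did a disk appear?".
"""
import re
from dataclasses import dataclass

# Approved (vendor, product) id pairs: constructed placeholders standing in
# for the fleet's standard keyboard and mouse. A real list comes from asset
# inventory, and ids are spoofable, so duplicates are also flagged below.
APPROVED_HID = {("aaaa", "0001"), ("aaaa", "0002")}

# Constructed syslog lines in the format the kernel's usb core and input
# subsystem produce (hostname, times and ids are all made up).
SAMPLE_LOG = """\
Jun 08 09:12:01 ws-0421 kernel: usb 1-3: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.00
Jun 08 09:12:01 ws-0421 kernel: input: Fleet Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:AAAA:0001.0001/input/input12
Jun 08 09:12:02 ws-0421 kernel: usb 1-2: New USB device found, idVendor=aaaa, idProduct=0002, bcdDevice= 1.00
Jun 08 09:12:02 ws-0421 kernel: input: Fleet Mouse as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:AAAA:0002.0002/input/input13
Jun 08 14:37:44 ws-0421 kernel: usb 1-4: New USB device found, idVendor=ffff, idProduct=0001, bcdDevice= 1.00
Jun 08 14:37:44 ws-0421 kernel: input: Gift Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:FFFF:0001.0003/input/input14
Jun 08 14:40:10 ws-0421 kernel: usb 1-5: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.00
Jun 08 14:40:10 ws-0421 kernel: input: Fleet Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5:1.0/0003:AAAA:0001.0004/input/input15
"""

# "usb <port>: New USB device found, idVendor=xxxx, idProduct=xxxx"
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# "input: <name> as /devices/..."
INPUT_DEVICE = re.compile(r"input: (?P<name>.+?) as (?P<path>/devices/\S+)")
# USB HID devices carry "0003:VVVV:PPPP" (0003 = BUS_USB) in their sysfs path.
HID_ID = re.compile(r"0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})")


@dataclass
class Alert:
    stamp: str
    port: str
    name: str
    vid: str
    pid: str
    reason: str


def audit_usb_log(lines, approved=APPROVED_HID):
    """Return an Alert for every USB input device that should not be there.

    Remembers which port each USB device enumerated on, so an alert can say
    where the unexpected 'keyboard' is physically plugged in.
    """
    alerts = []
    port_by_id = {}   # (vid, pid) -> port, from 'New USB device found'
    present = {}      # (vid, pid) -> number of input devices seen with that id
    for line in lines:
        stamp = line[:15]  # syslog 'Mon DD HH:MM:SS' prefix
        m = NEW_DEVICE.search(line)
        if m:
            port_by_id[(m["vid"], m["pid"])] = m["port"]
            continue
        m = INPUT_DEVICE.search(line)
        if not m:
            continue
        h = HID_ID.search(m["path"])
        if not h:
            continue  # not a USB HID device (e.g. a laptop's built-in keyboard)
        key = (h["vid"].lower(), h["pid"].lower())
        present[key] = present.get(key, 0) + 1
        port = port_by_id.get(key, "?")
        if key not in approved:
            alerts.append(Alert(stamp, port, m["name"], *key,
                                "USB input device not on the HID allow list"))
        elif present[key] > 1:
            alerts.append(Alert(stamp, port, m["name"], *key,
                                "second instance of an approved keyboard/mouse id"))
    return alerts


if __name__ == "__main__":
    for a in audit_usb_log(SAMPLE_LOG.splitlines()):
        print(f"{a.stamp} port {a.port}: {a.name} ({a.vid}:{a.pid}) - {a.reason}")
```

The two alert conditions are deliberately separate: the allow list catches a device with its own id, while the duplicate check covers firmware that copies an approved id, which is why a VID/PID allow list on its own is not a complete control.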
Fortunately for this bank, the box never made it to Justin. Rather, it was intercepted by the mail room, which considered it suspicious – because nine other staff members had received similar packages.
It was the bank’s IT security team that ended up inserting the drive into an isolated “sandbox” system, after being called in by the mailroom manager. For a moment, Ford thought he’d been successful in infecting the bank’s machines, as his server was pinged by the device. But he knew he’d been thwarted a few days later, when he answered his mobile phone – and heard the police officer demanding to know what the heck was going on.
Ford explained that he was indeed a hacker, but an “ethical” one. His employer was not a Russian organised crime group, but Accenture, the global consultant. Ford told the officer he was working for a client, in stealth mode, under a program known as CORIE.
The police officer made a few checks and ended the call. Ford was off the hook. And his testing of banking staff continues across the sector.

Offensive security

Ford could lay claim to having one of the edgiest jobs in financial services. He leads a team of 11 “white hat” hackers at Accenture, also known in the cyber scene as “red teams”. Avoiding colour-related monikers, Ford prefers to describe his work as “offensive security”.
“When I’m asked what I do, I say I break things for a living,” he says. “Banks hire people like me to find the weaknesses before the bad guys do.”
Accenture has been accredited by the Council of Financial Regulators – the peak finance sector regulatory group comprising the Reserve Bank, the Australian Prudential Regulation Authority, the Australian Securities and Investments Commission and Treasury – to hack banks as part of CORIE. This stands for Cyber Operational Resilience Intelligence-led Exercises.
The program, which operates in the shadows, was initiated in 2019 to improve the cyber resilience of the financial services sector. So far, 15 financial institutions have participated. This is the first time details of the CORIE project have been publicly disclosed.
At its core, the project simulates what a real-life cyberattack may entail, using the latest tricks by real criminal groups. The tests have been forcing banks, insurance companies and superannuation funds to think beyond creating shields around their IT systems – and to consider that staff members could be their weakest link in the global war against cyber crime.
Ford provided insight into how his secret team operates. It starts by gathering “threat intelligence” on the latest criminal tactics, garnered from various web forums used by nefarious actors.
The keyboard-emulating, malware-laden thumb drive sent to the Australian bank (which he refuses to name, citing client confidentiality) used a technique deployed by FIN7. Wired magazine has described this group, which includes Russians and Ukrainians, as “one of the most sophisticated, and aggressive, financially motivated hacking organisations in the world”.
Between 2015 and 2018, FIN7 stole data for more than 16 million payment cards in the United States; many were sold on the dark web. To get inside some insurers, FIN7 has mailed packages containing USB sticks infected with malware while impersonating Amazon and US Department of Health and Human Services officials.
This let FIN7 infiltrate systems to remotely send commands, receive data, and move laterally through networks, according to the Justice Department. It has surveilled employees and secretly stolen credentials and other network information.
Outside banking, infected USB drives were used to release the infamous Stuxnet worm, which penetrated a nuclear facility in Iran in 2010 by targeting contractors. The malware – built by the US and Israeli intelligence services (although both countries deny it was them) – infected the computers controlling the motors of centrifuges that separated nuclear material; the program spun them so fast that they were physically destroyed. It was the first known example of the use of an offensive cyber weapon.
Ford is using similar techniques to get access to bank systems. Once inside, he conducts reconnaissance on the internal IT environment and seeks to exploit weaknesses. Service accounts can be created; administration access can be gained. He stops before wreaking havoc.
But the lessons from the early rounds of CORIE exercises point to cybersecurity not only being about the latest malware, or the trouble a computer geek can cause inside a network. Cybersecurity is also about psychology. Successful hackers target human foibles, often by trying to pump up the dopamine of unaware workers.

Targeting ego

“We are always looking at ways we can bring a human element in, to make people not think,” Ford says. “Defences can be like Swiss cheese: they might be firm on the outside, but inside, they are full of holes.”
Given bank cyber training, many staff members are sceptical about mysterious USB drives arriving in the mail. This makes a well-researched message that entices the recipient to actually plug in the device important; the Workhuman letter was one such example.
Ford’s note to Justin was deliberately designed to appeal to his ego. Ford’s research suggested the banker was likely to be a high achiever, judging by his active and boosterish posts on LinkedIn. The idea was that he would feel he deserved the gifts when he received them.
Ford’s team uses many additional techniques. One has involved sending emails that appear to come from the HR department, deliberately getting the recipient’s name wrong and attaching another staff member’s payslip. This is more likely to result in a click on the malware file because colleagues are typically keen to sneak a peek at someone else’s pay packet.
Executives’ families have also been targeted. One project (outside the banking sector) involved researching a C-suite executive’s family members through public social media feeds, which revealed that one of their teenage kids liked a particular computer game. A package was sent with an update for the game, which the executive brought home. This infiltrated the executive’s smart TV, and the red team then attempted to reach a work device when it connected to the same home Wi-Fi network used by the TV.
Hackers can also appeal to simple human desires to be helpful to a person in need. Ford has gained access to various companies and professional services firms by tailgating staff into buildings.
Once, he arrived with computer equipment on a trolley, wearing a high-vis vest and carrying a scanning device. A guard signed him in. Another time, he made a fake swipe card and a copy of the company’s lanyard after a trip to Officeworks. He appeared in the foyer dressed in work gear, holding banana bread and balancing a coffee, and pretended the card wasn’t working. He was swiped in by a member of staff.
When not trying to trick staff into inserting malicious thumb drives, he has tried to do it himself. Ford says he once appeared at a check-in desk announcing he was a new consultant working with an actual banker he knew was on leave. He was taken to a meeting room, and was left unattended for two minutes.
This would have been enough time to plug a Raspberry Pi box into the TV on the wall. But the port had been covered up by the IT department. The concierge soon returned and denied him further entry when the banker couldn’t be found. After Ford was escorted out, he said, the room was swept for bugs.
“The general level of maturity at the big banks is quite high,” Ford says. “But for smaller organisations, and in other verticals like superannuation, they are less well resourced.”
Australia’s CORIE exercises are on the radar of global cybersecurity law enforcers, who say they will protect institutions from rising threats, and help boards to get ready for inevitable attacks.
“These simulated exercises are crucial,” says Craig Jones, director of cybercrime at Interpol. “If you are a company with shareholders and customers, you are responsible for keeping the data safe. When a vulnerability is brought in front of the board, and demonstrated very clearly in a safe space, that is preferable to being presented with a data breach on a Friday night and being totally unprepared for it.”
The manager of Accenture’s CORIE team, security lead Jacqui Kernot, spent 25 years in Australian intelligence and four years as head of cyber at Telstra. “CORIE is a necessary evolution from regulatory frameworks to testing frameworks. We need to move from a compliance checkbox to a living process,” she says.
“The old ways of doing things are not workable going forward. We need to use threat-led intelligence models, and test from the outside to look for ways that the bad guys might find things.
“Banks can’t just look at compliance inside the network. They must look from outside, for warnings they aren’t as secure as they think. And the more we see other industries move towards CORIE, the better off we will be.”
James Eyers, Senior Reporter. James Eyers writes on banking, payments and fintech. He is a former legal and investment banking editor at the AFR, has degrees in commerce and law from UNSW, and is co-author of Buy now, pay later: The extraordinary story of Afterpay.