More than half of the cyberattacks against financial institutions targeted their market strategies, according to VMware’s latest Modern Bank Heists report.

The fourth annual report, based on an online survey of 126 financial institution CISOs and security leaders from around the world conducted in January, found that cybercrime cartels and nation-state hackers are becoming more sophisticated and ruthless in their attacks.

The good news is that banks are investing more in cybersecurity, and 48% of surveyed financial institutions said they conduct weekly threat hunts. But the bad news, according to VMware’s Head of Cybersecurity Strategy Tom Kellermann, is that “there is no light” at the end of the cybersecurity tunnel.

“There’s no light for one simple reason: All the banks are trying to become fintech,” he said, adding that they are either integrating with smaller financial technology vendors to help them add cloud-based services, or they are building their own fintech platforms that rely on artificial intelligence (AI).

“With these integrations via APIs with the fintech vendors, you’re seeing more and more adversaries exploiting those integrations to island hop into the banks,” Kellermann explained. “In addition, there’s over-reliance on AI. The two ways you corrupt AI is either manipulate time, or you provide terrible inputs. Garbage in, garbage out. They’ve invested a tremendous amount of money in AI, and that will be their Achilles heel.”

VMware Modern Bank Heists 2021

VMware’s latest security report found many of these challenges are getting worse. The 2021 survey found 54% of financial institutions experienced destructive attacks, a 118% increase from 2020, and these are becoming more common as hackers use counter-incident response measures like destruction of logs and diversion tactics.

“That really highlights the level of hostility in cyberspace, and the nature in which adversaries will leverage destructive attack as part of counter-incident response to punish the defender,” Kellermann said.

While previous VMware security reports highlighted the increase in destructive attacks across all industries during the COVID-19 pandemic, “the financial sector is probably the most secure,” Kellermann said. “As a result, they’re dealing with not only the most sophisticated cybercrime cartels, but the cartels that are willing to essentially take them to the mattresses.”

Kellermann said he’s also concerned that 41% of respondents saw attackers attempt to manipulate time stamps, which are fundamental for financial companies. Now that criminals know how to evade detection by manipulating time stamps, financial institutions need to pay greater attention to securing the integrity of these stamps to ensure that this method isn’t used to alter the value of capital or trades.

Island Hopping on the Rise

Additionally, 38% of surveyed organizations experienced an increase in island hopping. This happens when a hacker attacks an organization within the larger bank’s information supply chain and uses a third party to “island hop” onto the financial institution’s network. Island hopping attacks increased 13% from 2020.

It’s important to note that these attacks do not include SolarWinds. “I explicitly asked them to not include SolarWinds,” Kellermann said. “If you were impacted by SolarWinds, I don’t care. But how many of you are not only experiencing island hops from other supply-chain vendors, but you’re seeing the adversary attempt to commandeer your digital transformation and use it to attack your constituents. And that was 38%, which was an increase from the year before.”

Kellermann prefers “island hopping” to “supply chain” because these attacks aren’t limited to supply-chain vendors or technology firms. And once the attacker is inside your infrastructure, it will use that to get into your customers’ and partners’ systems as well. “This has really become par for the course for the major Russian and Chinese APT groups,” he added.

VMware’s cybersecurity strategists say cybercrime cartels have studied the interdependences of financial institutions. They understand which managed service providers and outside law firms banks use, and the criminals often hack these organizations to hop into the bank.

Attackers Target Banks’ Market Strategies

One of the “most important” findings, however, is that 51% of financial institutions experienced attacks that targeted their nonpublic information and market strategies, Kellermann said. This is the first year he’s asked that question, and it spun out of an earlier report about the evolution of e-fraud that he wrote for the World Bank almost two decades ago.

“It was attempting to be predictive vis-a-vis where fraud would go in capital markets moving forward, beyond brokerage takeover,” he said. “So I decided to ask it. And I was shocked. I literally thought the number was going to be somewhere between 10% and 20%.”

This shows that cybercrime cartels have become much more knowledgeable about the financial sector, he said. They know that banks’ nonpublic market information is their most valuable asset, and criminals can use it to facilitate digital insider trading and front running.

“This really changes the name of the game as it relates to persistence on specific endpoints,” such as hacking a portfolio manager’s laptop or that of another executive responsible for market strategy, Kellermann said. “And this demonstrates that they’re not only willing to use this digital insider information to front run, but also, in many cases, you’re seeing some sort of collusion in a form of competitive intelligence between various financial institutions around the world. Some in certain parts of the world are more willing to use the intelligence assets of the dark web.”

Specifically, Russia, North Korea, and Iran conduct these types of attacks to offset the economic sanctions imposed by the United States, he said. “What we need to be specific about here is this Pax Mafiosa that exists between the very best cyber criminals in these countries and the regime.”

Almost Half Conduct Weekly Threat Hunting

The survey also found that 75% of financial institution CISOs still report to the CIO rather than the CEO, which Kellermann called “disappointing.”

“That has to change,” he added. “But I was heartened by the fact that 48% of them were conducting weekly threat hunting, which is great.”

Additionally, 82% of financial institutions surveyed plan to increase their budget by 10% to 20%, which is significant because banks already spend more on cybersecurity than other industries. The majority of CISOs are working to address their contextual and app modernization gaps and say their investment priorities include extended detection and response or XDR (24%), threat intelligence (23%), workload security (21%), and container security (18%).

“I do think that workload security should become much more of a priority,” Kellermann said. While the financial sector adopted public cloud slower than other industries, the pandemic forced banks to embrace the cloud, he added. The flip side is that many banks still have gaps in their cloud and workload security posture. “Container security is another function of workload security — the future of workloads — so I think the greatest challenge people are gonna face in this coming year is that they’re over reliant on Kubernetes to help them manage and secure containers, and it’s not sufficient. If someone commandeers Kubernetes, that can create a systemic event against your infrastructure.”

This is why VMware bought Kubernetes security startup Octarine a year ago, and spent the next 12 months tightly integrating it into Carbon Black Cloud, Kellermann said. “But it doesn’t end there,” he added. “They need to — they being my colleagues — they need to continue to innovate and push the envelope, beyond even what they’re doing,” to prevent container attacks.