Executive Summary
UK financial stability and customer outcomes are increasingly shaped by operational cyber risk: attacks (and disruptive technology failures) that impair critical services, amplify fraud losses, and propagate quickly through shared suppliers, identity providers, and market “plumbing”. The Bank of England (BoE) explicitly frames operational resilience as a financial stability priority, covering cyber attacks, IT outages, and third-party failures that can disrupt important business services. (Bank of England)
Fraud remains a primary customer-harm vector and a material driver of financial loss, with UK Finance reporting £1.17bn stolen from consumers in 2023 across payment fraud and scams—illustrating the scale of criminal ecosystems exploiting digital banking, social engineering, and mule-account infrastructure. (UK Finance)
Across Europe, ENISA’s first sector-specific finance threat landscape (covering Jan 2023–Jun 2024) highlights that banks were the most frequently targeted entities in European finance incident reporting, and notes DDoS peaks correlated with geopolitical events (notably Russia’s invasion of Ukraine). (ENISA)
The UK’s risk is not domestic: EU requirements (e.g., the Digital Operational Resilience Act (DORA) applying from 17 January 2025) and NIS2-era critical infrastructure controls shape group-wide cyber governance, third-party oversight, and resilience testing expectations for cross-border firms with UK operations. (EUR-Lex)
US regulation similarly pulls UK-headquartered and UK-listed groups into fast incident disclosure and notification regimes—most visibly the SEC’s material incident disclosure requirements (Form 8-K Item 1.05, generally within four business days of materiality determination) and US banking regulators’ 36-hour notification rule for “notification incidents”. (SEC)
Geopolitics continues to raise the floor of threat activity. The NCSC assesses ransomware as one of the most pervasive UK threats and highlights the evolution toward extortion models that may avoid encryption and instead threaten data publication; meanwhile, the NCSC has also warned in early 2026 about Russian-aligned hacktivist DDoS activity targeting UK organisations and public-facing services. (NCSC)
Sector Scope and Definitions
This report uses sector definitions aligned to UK supervision and market structure references, and focuses on how cyber risk propagates via service interdependencies and shared technology.
Retail & commercial banking (including digital challengers)
Deposit-taking, lending, and account servicing delivered via branches, online/mobile channels, and call centres; often dependent on centralised identity services, card/payment rails, and outsourced IT operations. UK operational resilience expectations require boards and management to identify important business services, set impact tolerances, and ensure the firm can remain within tolerance in severe but plausible scenarios. (Bank of England)
Payments (cards, Faster Payments, open banking, fintech partnerships)
Payment initiation, clearing and settlement workflows spanning banks, e-money institutions, scheme operators, gateways, acquirers, and fintech processors—highly exposed to identity compromise and social engineering. The Payment Systems Regulator (PSR) has implemented a mandatory reimbursement framework for Faster Payments APP scams (including the maximum reimbursement level starting 7 October 2024), reflecting the consumer-harm and operational implications of fraud. (PSR)
Capital markets & FMIs (exchanges, CCPs, CSDs, trading platforms, data/auction infrastructure)
Financial Market Infrastructures (FMIs) underpin market functioning and confidence; disruption can create rapid systemic effects via halted auctions, impaired price discovery, delayed settlement, or operational backlogs. The BoE’s supervision of FMIs emphasises operational resilience and has progressed policy for critical third parties and FMI operational incident reporting. (Bank of England)
Asset management, pensions, and hedge funds
Portfolio and fiduciary operations depend on brokers, custodians, pricing/data terminals, portfolio accounting platforms, transfer agents, and cloud-based collaboration. This subsector is materially exposed to account takeover (ATO), fraudulent withdrawals, and third-party disruption—as illustrated by credential compromise activity reported against large pension funds overseas (relevant for UK firms by analogy and shared service models). (Reuters)
Central banking, supervisors, and public sector financial authorities
Central banks, debt management offices, and regulators are both targets (sensitive supervisory information; market-moving communications) and stabilisers (operational continuity obligations during crises). Public reporting confirms that even major regulators can suffer email compromise, with the US OCC reporting a breach of executive emails containing highly sensitive information about supervised institutions. (Reuters)
Key interdependencies (why “local” incidents become systemic)
Operational resilience guidance explicitly includes disruption from cyber attacks, IT outages, and third-party supplier failure; the same shared services (identity providers, endpoint tooling, market data, messaging, and outsourcing providers) often sit across multiple UK sub-sectors. (Bank of England)
Threat Landscape Overview
Identity compromise and session/token theft as the enabling layer
Across recent finance incidents and public advisories, attackers frequently bypass perimeter controls by abusing valid accounts, compromised credentials, and OAuth/session tokens—particularly in cloud/SaaS environments. ENISA’s finance threat landscape highlights the prevalence of social engineering and credential-driven compromise across the sector. (ENISA)
Fraud ecosystems: APP scams, BEC-style payment diversion, and mule enablement
UK Finance’s reporting underscores the scale of fraud and scams, including APP fraud losses and the online origins of many scams. These trends drive convergence between cyber defence and financial crime controls (identity proofing, beneficiary controls, and fraud operations). (UK Finance)
Ransomware and extortion (including “no-encrypt” models)
The NCSC describes ransomware as one of the most pervasive threats to UK organisations and notes the trend toward extortion approaches that may not encrypt systems but instead threaten publication of stolen data. (NCSC)
DDoS, hacktivism, and availability attacks as confidence shocks
ENISA identifies threats against availability among the prime threats in Europe and links peaks in DDoS activity in finance to geopolitical events; the NCSC has issued UK-facing warnings in 2026 about Russian-aligned hacktivist attempts to disrupt services and take websites offline. (ENISA)
Insider misuse and human-enabled compromise
Insider risk in finance spans malicious insiders, coerced/bribed staff, and inadvertent process failures. Reuters reporting on a major crypto exchange incident describes attackers paying overseas support staff/contractors to obtain customer data—illustrating a modern “insider-enabled” pattern. (Reuters)
Third-party and supply chain risk (including software, vendors, and market utilities)
Recent case studies show cyber incidents impacting data vendors and fintech partners, while resilience policy in the UK and EU is increasingly explicit about systemic third-party concentration. UK regulators have introduced a critical third parties (CTP) oversight regime with the objective of managing risks to stability or confidence in the UK financial system arising from disruption at CTPs. (Bank of England)
Europe, the United States, and Global Geopolitics: Why UK Risk Is Not Domestic
Europe: DORA, NIS2-era resilience controls, TIBER-EU style testing, and third-party oversight
DORA establishes uniform ICT risk management, incident reporting, testing, and oversight expectations across EU financial entities and applies from 17 January 2025, shaping group-wide governance for firms operating across the UK and EU. (EUR-Lex)
NIS2 requires Member State transposition by 17 October 2024 and broadens cybersecurity obligations across critical sectors (while EU policy messaging emphasises stronger baseline governance and reporting across essential services). (Digital Strategy EU)
TIBER-EU provides a harmonised framework for threat intelligence-led red teaming, influencing EU supervisory expectations (and, by extension, many cross-border programmes and supplier requirements used by UK-based groups). (European Central Bank)
United States: SEC incident disclosure, rapid regulator notification, and ransomware sanctions risk
The SEC’s final rule requires disclosure of material cybersecurity incidents via Form 8-K Item 1.05 generally within four business days of determining materiality, pulling UK-listed issuers and US-listed UK groups into tight disclosure disciplines. (SEC)
US banking regulators require notification “as soon as possible” and no later than 36 hours after determining a qualifying computer-security incident has occurred (a key benchmark influencing multinational incident playbooks). (OCC.gov)
OFAC’s ransomware advisory highlights sanctions risks in facilitating ransomware payments and describes risk-based steps that OFAC views as mitigating factors—directly affecting UK firms with US nexus (US operations, US persons, USD flows, or sanctioned-entity exposure). (OFAC)
Geopolitics: Russia/Ukraine, Middle East tensions, and DPRK financial theft trends
The NCSC and partners have publicly exposed Russian GRU cyber campaigns connected to Ukraine-related targeting, including activity against logistics and technology entities involved in assistance delivery—illustrating the broader pattern of geopolitically-driven targeting beyond pure espionage. (NCSC)
ENISA’s finance threat landscape notes DDoS peaks linked to geopolitical events and documents hacktivist targeting of credit institutions. (ENISA)
The NCSC Annual Review 2025 explicitly assesses that implications of the Israel-Gaza conflict are developing and that vigilance is required for Iranian state-sponsored or affiliated threat activity, with the NCSC assessing that risk as extending to UK entities. (NCSC)
For DPRK-linked financial theft, Chainalysis reports that North Korea-affiliated hackers stole approximately $1.34bn in 2024 across 47 incidents, reinforcing the scale of state-linked financially motivated intrusion relevant to global finance and crypto-adjacent exposures. (Chainalysis)
Technical Analysis with MITRE ATT&CK Mapping
This section describes a typical finance-sector kill chain observed across incident reporting and public advisories, mapped to MITRE ATT&CK. Technique IDs link directly to MITRE.
Reconnaissance
Attackers commonly profile organisations, suppliers, and staff for credential- and workflow-aware intrusion (targeting help desks, treasury/payment teams, trading operations, and privileged administrators).
Relevant ATT&CK techniques include: T1590 (Gather Victim Network Information), T1589 (Gather Victim Identity Information), T1595 (Active Scanning), T1593 (Search Open Websites/Domains).
Initial Access
Identity-first access is a recurring pattern: phishing for credentials, password spraying, abusing exposed remote services, and leveraging trusted third parties—especially where MFA enforcement is inconsistent. This aligns with public descriptions of GRU password spraying and spearphishing, as well as sector reporting that emphasises social engineering and credential abuse. (U.S. Department of War)
Techniques commonly associated with this stage:
- T1566.001 (Phishing: Spearphishing Attachment)
- T1566.002 (Phishing: Spearphishing Link)
- T1078 (Valid Accounts)
- T1110.003 (Password Spraying)
- T1133 (External Remote Services)
- T1199 (Trusted Relationship)
- T1190 (Exploit Public-Facing Application)
Persistence
Finance intrusions often prioritise quiet persistence in identity and messaging layers (mailbox permissions, OAuth refresh tokens, scheduled tasks, and COM hijacking). The NCSC’s AUTHENTIC ANTICS analysis explicitly describes Outlook-process execution, COM hijacking persistence, and theft of OAuth tokens for ongoing access. (NCSC)
Relevant techniques:
- T1546.015 (Event Triggered Execution: Component Object Model Hijacking)
- T1053.005 (Scheduled Task/Job: Scheduled Task)
- T1098 (Account Manipulation)
- T1528 (Steal Application Access Token)
Privilege Escalation
Privilege escalation is often achieved through credential abuse, token replay, exploitation, or misconfiguration—particularly where identity governance is weak or where admin roles can be modified rapidly in cloud tenants.
Relevant techniques: T1068 (Exploitation for Privilege Escalation), T1548.002 (Abuse Elevation Control Mechanism: Bypass User Account Control), T1078 (Valid Accounts).
Lateral Movement
In finance environments, lateral movement frequently targets high-value control points: payment initiation platforms, SWIFT-connected systems, privileged admin planes, and market operations tooling.
Relevant techniques: T1021.001 (Remote Services: RDP), T1021.002 (SMB/Windows Admin Shares), T1210 (Exploitation of Remote Services), T1550 (Use Alternate Authentication Material).
Collection and Exfiltration
Finance intrusions frequently focus on customer data, trading/portfolio data, supervisory information, and credential/token material—often using legitimate services and covert channels. The NCSC’s AUTHENTIC ANTICS reporting notes exfiltration via emails sent from the victim’s mailbox to an actor-controlled address, intentionally avoiding obvious network C2. (NCSC)
Relevant techniques: T1114 (Email Collection), T1114.003 (Email Collection: Email Forwarding Rule), T1041 (Exfiltration Over C2 Channel), T1567.002 (Exfiltration to Cloud Storage), T1020 (Automated Exfiltration).
Impact (including fraud outcomes, disruption, and extortion)
Impact in finance is not limited to encryption: it includes payment diversion, fraudulent withdrawals, customer harm, market confidence shocks, and disruption of critical auctions/terminals/market utilities. The BoE frames these disruptions as relevant to financial stability and systemic confidence. (Bank of England)
Relevant techniques: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1499 (Endpoint Denial of Service), T1565 (Data Manipulation).
Full MITRE ATT&CK mapping table (finance kill chain)
| Tactic | Technique ID | Technique Name | Observed behaviour in finance environments (illustrative) |
|---|---|---|---|
| Reconnaissance | T1590 | Gather Victim Network Information | Mapping supplier connectivity, VPN/SSO endpoints, and exposed services used by shared providers. |
| Reconnaissance | T1589 | Gather Victim Identity Information | Targeting treasury/payment staff, service desk agents, and privileged admins for social engineering. |
| Initial Access | T1110.003 | Password Spraying | Broad credential attacks against cloud email/SSO; described in GRU advisory context. (U.S. Department of War) |
| Initial Access | T1566.002 | Spearphishing Link | Links to fake login pages and cloud credential harvesting (public advisories). (U.S. Department of War) |
| Initial Access | T1078 | Valid Accounts | Abuse of legitimate credentials or bribed/insider-enabled access (e.g., support roles). (Reuters) |
| Persistence | T1546.015 | COM Hijacking | Outlook-process persistence described by NCSC AUTHENTIC ANTICS. (NCSC) |
| Persistence | T1528 | Steal Application Access Token | OAuth token theft enabling long-term mailbox and SaaS access (NCSC). (NCSC) |
| Collection | T1114 | Email Collection | Targeting email as the system-of-record for approvals, payment instructions, and sensitive documents. |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Leveraging legitimate cloud services for staging and exfiltration where controls allow. |
| Impact | T1499 | Endpoint DoS | Availability shocks via DDoS/hacktivism against public-facing services (NCSC warnings). (NCSC) |
| Impact | T1486 | Data Encrypted for Impact | Ransomware disruption and extortion (NCSC ransomware assessment). (NCSC) |
Real-World Incidents (Last 2 Years): Case Studies and Lessons
A) Incident table (publicly reported; 20 Feb 2024 – 20 Feb 2026)
| Date reported | Entity | Subsector | What happened | Reported/likely impact | Sources |
|---|---|---|---|---|---|
| 15 Mar 2024 | International Monetary Fund (IMF) | Public international financial institution | IMF disclosed a cyber security incident involving compromise of 11 email accounts (detected 16 Feb 2024). | Sensitive communications exposure risk; illustrates regulator/IFI targeting. | Reuters report on IMF incident (Reuters) |
| 14 May 2024 | Banco Santander | Banking | Unauthorised access to a Santander database hosted by a third-party provider; Santander stated core systems and operations were unaffected. | Customer/employee data exposure; elevated fraud monitoring requirements. | Santander statement; Reuters coverage (santander.com) |
| 26 Jun 2024 | Evolve Bank & Trust (and fintech partners) | Banking / payments ecosystem | Bank confirmed cyber attack and data breach with customer data leaked; fintech partners noted exposure for some customers. | Data exposure and downstream partner/customer notification burden. | Reuters coverage (Reuters) |
| 19 Jul 2024 | Multiple sectors incl. LSEG services disruption | Capital markets / market data | Global Windows outage triggered by faulty CrowdStrike update; Reuters reported disruption to LSEG services and broader market operations. | Market operations disruption; resilience/change-management lessons for systemic tooling. | Reuters; CrowdStrike PIR/RCA; CISA alert (Reuters) |
| 29 Nov 2024 | Bank of Uganda | Central banking | Reuters reported confirmation that central bank accounts were hacked; reporting referenced significant alleged funds transfer, with official caution on extent. | Demonstrates central bank payment/account targeting and potential insider collusion risk. | Reuters coverage (Reuters) |
| 31 Jan 2025 | Barclays (UK) | Retail banking | Major UK outage; Barclays stated it was a technical fault (not a cyber attack). | Consumer harm and payment delays; operational resilience scrutiny. | Financial Times; Guardian (Financial Times) |
| 4 Apr 2025 | Major Australian pension funds | Asset management / pensions | Coordinated account attacks; Reuters reported compromised accounts and member losses at the largest fund. | Highlights ATO, credential theft, and fraud operations against pensions—relevant by analogy to UK wealth/pensions. | Reuters coverage (Reuters) |
| 7 Apr 2025 | DBS Group / Bank of China (Singapore) via vendor | Banking / capital markets (trading platform) | Ransomware on data vendor (Toppan Next Tech) potentially exposed customer statements and account details. | Third-party ransomware causing regulated customer notification and reputational risk. | Reuters coverage (Reuters) |
| 8 Apr 2025 | Office of the Comptroller of the Currency (OCC) | Banking supervisor | OCC disclosed hacking of executives’ and employees’ emails; involved highly sensitive supervisory information. | Regulator compromise risk; cross-border supervisory confidence implications. | Reuters coverage (Reuters) |
| 15 May 2025 | Coinbase | Financial services / crypto | Reuters reported breach of a “small subset” of customer account data; attackers paid overseas support staff/contractors; company rejected ransom demand. | Fraud/social engineering follow-on risk; insider-enabled compromise model. | Reuters coverage; Chainalysis theft context (Reuters) |
| 21 May 2025 | Bloomberg terminal (auction system disruption) | Capital markets “plumbing” | Terminal outage delayed a UK gilt auction window and affected European debt sales. | Demonstrates concentrated dependency on single market data/auction platforms. | Reuters coverage (Reuters) |
| 17 Feb 2026 | Abu Dhabi Finance Week (third-party exposure) | Asset management / capital markets ecosystem | Reuters reported FT findings that passports/IDs were exposed via an unprotected cloud server tied to a third-party vendor. | High-value identity exposure; increased impersonation and targeted fraud risk for senior finance figures. | Reuters coverage (Reuters) |
| 19 Jan 2026 | Multiple UK organisations (incl. public-facing services) | Cross-sector / CNI relevant to finance | NCSC warned of continuing Russian-aligned hacktivist DoS activity targeting UK organisations. | Availability risk and confidence effects (especially for customer-facing finance services). | NCSC warnings (NCSC) |
B) Case studies (3–6) and lessons for UK financial security leaders
1) Santander: third-party hosted database access (May 2024) — “data exposure becomes fraud fuel”
Santander publicly confirmed unauthorised access to a database hosted by a third-party provider and stated that core systems and operations were not affected, focusing attention on segregation between customer data environments and transaction/credential control planes. (santander.com)
Lessons for UK firms: treat “non-core” data stores as fraud-enabling assets. Even where transaction credentials are not exposed, leaked identity data increases the success rate of impersonation, account recovery abuse, and APP scam social engineering. ENISA’s finance threat landscape emphasises social engineering and incident prevalence in finance, reinforcing the need for strong identity assurance and post-breach fraud controls. (ENISA)
2) Evolve Bank & Trust: ransomware-era data leakage and downstream fintech blast radius (June 2024)
Reuters reported that Evolve confirmed a cyber incident with customer data posted online, and that fintech partners communicated impacts to their own customers (including exposure of account-related information for some). (Reuters)
Lessons for UK firms: fintech partnership models magnify notification and reputational risk. Supplier governance must include breach notification SLAs, shared incident runbooks, and strong data minimisation. UK regulators’ CTP regime reflects this systemic view by targeting risks to stability and confidence arising from disruption at critical third parties. (Bank of England)
3) CrowdStrike content update outage: systemic technology failure as an “availability incident” (July 2024)
Reuters documented disruption to LSEG data services amid the global Windows outage linked to a faulty CrowdStrike update; CrowdStrike published a preliminary post-incident report and a root cause analysis, while CISA issued an alert on the widespread outage. (Reuters)
Lessons for UK firms: treat security tooling and endpoint platforms as systemic dependencies requiring resilience engineering, not just cyber hardening. Operational resilience programmes (impact tolerances, mapping, scenario testing) must include “safe failure” and rapid recovery for security agent failures and content updates, consistent with UK operational resilience expectations ahead of the 31 March 2025 transition deadline. (FCA)
4) Bloomberg terminal outage delaying gilt auction workflows (May 2025) — “market plumbing concentration risk”
Reuters reported that Bloomberg terminal disruption delayed UK gilt auction bidding windows and impacted European sovereign debt operations. (Reuters)
Lessons for UK markets: even non-malicious outages can have market integrity and confidence implications. FMIs and market operators should validate contingency procedures (alternate auction channels, manual fallbacks, pre-agreed extensions) and ensure incident reporting and comms pathways align with BoE FMI operational incident reporting policy direction. (Bank of England)
5) OCC executive email compromise (April 2025) — “supervisors are targets too”
Reuters reported that the OCC disclosed hacking of emails involving highly sensitive supervisory information, attributing the breach to longstanding vulnerabilities and launching a security review. (Reuters)
Lessons for UK authorities and regulated firms: assume supervisory correspondence and regulatory artefacts can be targeted as secondary sources of market-moving intelligence. This strengthens the case for secure comms channels, strict identity controls, and limiting sensitive data in email when alternative secure repositories exist.
6) Coordinated pension fund account compromise (April 2025) — “ATO against long-horizon savings”
Reuters reporting described credential theft and unauthorised access against major pension funds, with member losses at the largest fund and large numbers of affected accounts at others. (Reuters)
Lessons for UK pensions and wealth: fraud and cyber controls converge at login and recovery journeys. Monitor anomalous login activity, enforce phishing-resistant MFA, harden customer help desk processes, and implement rapid payment holds and mule escalation for suspicious withdrawals—recognising that customer confidence shocks in pensions can create political and supervisory pressure quickly.
Impact Assessment
Retail & commercial banking
Primary impacts are customer harm and loss (scams/fraud), service downtime, and regulatory scrutiny. UK Finance’s fraud reporting illustrates scale and persistence of consumer losses, while UK operational resilience rules focus on preventing disruption that causes consumer harm and threatens firm viability or financial stability. (UK Finance)
Payments
Payment rails are exposed to identity compromise, APP scams, and social engineering at scale. The PSR reimbursement regime (effective for relevant Faster Payments scams from 7 October 2024) increases the financial and operational consequences of fraud control weaknesses, amplifying the need for preventative controls, better friction, and cross-PSP coordination. (PSR)
Capital markets & FMIs
The main impacts are availability and integrity: disruption to price discovery, auctions, and operational workflows; and elevated systemic risk through interdependence. Reuters reporting on terminal and market data disruptions (Bloomberg outage; LSEG service impacts) illustrates how “plumbing” outages can propagate across firms. (Reuters)
Asset management and pensions
The dominant risks are ATO-driven fraud, data exposure enabling impersonation, and third-party disruption in portfolio operations. The Reuters pension-fund incident shows how credential compromise and login abuse can translate into direct theft and large-scale customer impact. (Reuters)
Central banking and supervisors
Compromise of supervisory systems and communications can erode trust, expose sensitive institution data, and create second-order market impacts. Reuters reporting on the OCC email breach and the Uganda central bank hack illustrates both information compromise and direct funds-transfer risk against financial authorities. (Reuters)
Alignment to UK operational resilience and systemic dependency: the BoE’s operational resilience framing explicitly includes cyber attacks, IT outages and third-party failures as disruptions relevant to important business services and financial stability, reinforcing why these impacts must be modelled as systemic, not purely firm-specific. (Bank of England)
Detection and Monitoring Guidance
This section prioritises telemetry and detection themes that map to the ATT&CK kill chain and finance-specific outcomes (payment diversion, settlement disruption, and extortion).
Telemetry priorities (what you need to see, consistently)
- Identity and access telemetry (IdP logs, MFA enrolment/reset events, conditional access outcomes, token issuance): to detect T1078, T1110.003, and token abuse T1528.
- Email and collaboration telemetry (mailbox permissions changes, forwarding rules, OAuth app grants): to detect T1114.003 and persistence patterns described in AUTHENTIC ANTICS. (NCSC)
- Privileged access telemetry (PAM events, admin role changes, break-glass usage): to identify abnormal account manipulation T1098.
- Payment workflow telemetry (beneficiary changes, payee creation, unusual limits overrides, new device + new beneficiary combinations): to detect fraud outcomes, supporting APP scam controls informed by UK Finance/PSR focus. (UK Finance)
- Resilience telemetry (endpoint control plane health, EDR content update health, failover events): to detect systemic failure modes highlighted by the CrowdStrike outage and its documented impact on finance operations. (CISA)
High-value detection themes (finance outcomes)
- Suspicious MFA resets/enrolments and helpdesk-assisted recovery spikes (possible precursor to ATO and payment diversion).
- Anomalous mailbox rules and hidden exfiltration behaviour: focus on forwarding rules, permission changes, and unexpected OAuth token refresh patterns; the NCSC’s AUTHENTIC ANTICS report provides concrete host artefacts and registry IOCs to monitor. (NCSC)
- Unusual beneficiary changes / payment initiation anomalies: pair cyber signals (new device, new session, geovelocity) with financial crime signals (new payee, high-risk destination) to detect payment diversion attempts.
- Privileged access anomalies: unusual admin role grants, creation of new privileged accounts, “break glass” usage outside pre-defined conditions.
- Backup sabotage indicators: monitor for deletion/impairment actions linked to T1490, especially where ransomware extortion is expected. (NCSC)
- DDoS readiness signals: spikes against customer portals and APIs, especially during geopolitical peaks; ENISA and NCSC reporting supports treating availability attacks as a persistent threat vector. (ENISA)
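The pairing of cyber signals with financial crime signals described in the themes above, as an added example (not code from the report or any cited source). It runs two rules over constructed inline events: a payment-diversion rule (MFA reset or unknown-device login followed by a new payee) and a mailbox-persistence rule (forwarding rule to an external domain, scored higher after a recent OAuth grant). Event types, field names and the internal domain list are assumptions to be mapped onto the IdP, mailbox audit and payment platform logs actually in use.

```python
"""Pairing cyber signals with financial crime signals.

Added example, not code from the original report. Event types and field
names are hypothetical; SAMPLE_EVENTS is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). One dict per event.
SAMPLE_EVENTS = [
    {"ts": "2025-04-04T08:02:00", "user": "alice", "type": "mfa_reset", "via": "helpdesk"},
    {"ts": "2025-04-04T08:10:00", "user": "alice", "type": "login", "device_known": False},
    {"ts": "2025-04-04T08:25:00", "user": "alice", "type": "new_payee", "dest": "high_risk"},
    {"ts": "2025-04-04T09:00:00", "user": "bob", "type": "login", "device_known": True},
    {"ts": "2025-04-04T09:05:00", "user": "bob", "type": "new_payee", "dest": "domestic"},
    {"ts": "2025-04-04T10:00:00", "user": "carol", "type": "oauth_grant", "app": "Mail Helper"},
    {"ts": "2025-04-04T10:03:00", "user": "carol", "type": "inbox_rule", "action": "forward", "target": "drop@example.net"},
    {"ts": "2025-04-04T10:30:00", "user": "dave", "type": "inbox_rule", "action": "forward", "target": "dave.alt@corp.example"},
]
# Hypothetical list of the firm's own mail domains.
INTERNAL_DOMAINS = {"corp.example"}


def _by_user(events):
    """Group events per user with parsed timestamps, oldest first."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    for evs in grouped.values():
        evs.sort(key=lambda ev: ev["ts"])
    return grouped


def _prior(evs, event, window):
    """Events for the same user inside `window` before `event`."""
    return [p for p in evs if event["ts"] - window <= p["ts"] < event["ts"]]


def detect_payment_diversion(events, window=timedelta(hours=2)):
    """Alert on a new payee preceded by at least one identity/recovery signal."""
    alerts = []
    for user, evs in _by_user(events).items():
        for e in evs:
            if e["type"] != "new_payee":
                continue
            prior = _prior(evs, e, window)
            signals = []
            if any(p["type"] == "mfa_reset" for p in prior):
                signals.append("mfa_reset")
            if any(p["type"] == "login" and not p.get("device_known", True) for p in prior):
                signals.append("new_device")
            if e.get("dest") == "high_risk":
                signals.append("high_risk_destination")
            # A high-risk destination alone is a fraud-ops signal; this rule also needs a cyber signal.
            if "mfa_reset" in signals or "new_device" in signals:
                alerts.append({"rule": "payment_diversion", "user": user,
                               "ts": e["ts"].isoformat(), "signals": signals})
    return alerts


def detect_external_forwarding(events, internal_domains=INTERNAL_DOMAINS, window=timedelta(hours=24)):
    """Alert on forwarding rules to non-firm domains; note a recent OAuth app grant."""
    alerts = []
    for user, evs in _by_user(events).items():
        for e in evs:
            if e["type"] != "inbox_rule" or e.get("action") != "forward":
                continue
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain in internal_domains:
                continue
            signals = ["external_forward"]
            if any(p["type"] == "oauth_grant" for p in _prior(evs, e, window)):
                signals.append("recent_oauth_grant")
            alerts.append({"rule": "mailbox_persistence", "user": user, "ts": e["ts"].isoformat(),
                           "target_domain": domain, "signals": signals})
    return alerts


if __name__ == "__main__":
    for alert in detect_payment_diversion(SAMPLE_EVENTS) + detect_external_forwarding(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events only alice (MFA reset, unknown device, high-risk payee) and carol (OAuth grant, then external forward) raise alerts; bob's payee from a known device and dave's internal forward do not.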
Public detection content and rule repositories (recommended starting points)
- Sigma (generic SIEM detection rules, adaptable to finance environments): SigmaHQ rules repository
- Sysmon (host telemetry reference and configuration guidance): Sysmon documentation
- Suricata (network IDS/IPS signatures and guidance): Suricata documentation
Indicators of Compromise (IOCs) — only where authoritative sources publish them
Public incident reporting for many finance cases above does not include reusable IOCs (hashes/domains/IPs). Where government sources do publish actionable indicators, prioritise them and treat them as time-bound.
Selected published IOCs (defender-use; non-exhaustive):
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| Registry key | HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Locale | NCSC: contains most recently stolen OAuth 2.0 refresh token (AUTHENTIC ANTICS). | NCSC Malware Analysis Report: AUTHENTIC ANTICS (NCSC) |
| Registry key | HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Counter | NCSC: contains earliest next time to run stealer payload. | NCSC Malware Analysis Report: AUTHENTIC ANTICS (NCSC) |
| IP (infrastructure) | 213[.]32[.]252[.]221 | Listed in joint GRU advisory IOC section (treat as potentially shared/rotating infra). | Joint advisory AA25-141A PDF (U.S. Department of War) |
| IP (infrastructure) | 124[.]168[.]91[.]178 | Same as above. | Joint advisory AA25-141A PDF (U.S. Department of War) |
| Webmail domain | seznam[.]cz | “Commonly used webmail providers” list in GRU advisory (contextual IOC; low confidence alone). | Joint advisory AA25-141A PDF (U.S. Department of War) |
| Malicious archive filename | Roadmap.zip | Example archive names associated with CVE-2023-38831 lure activity in GRU advisory. | Joint advisory AA25-141A PDF (U.S. Department of War) |
Important caveat: the joint advisory explicitly warns that listed indicators may be compromised infrastructure, shared VPN/Tor exit nodes, or no longer actor-controlled—avoid over-blocking without validation. (U.S. Department of War)
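Tiered handling of the published indicators above, as an added example (not code from the report, the NCSC or the advisory authors). It refangs the table's indicators, searches constructed sample log lines for them, and attaches the handling the caveat calls for: NCSC registry artefacts are high confidence, advisory IPs and lure filenames go to a review queue rather than a block list, and the webmail domain is enrichment context only. Log line formats, field names and the action labels are assumptions.

```python
"""Tiered matching of published IOCs against log lines.

Added example, not code from the report or any cited source. IOCS holds
the indicators from the table above in their defanged form; SAMPLE_LOGS
is constructed, not real telemetry.
"""
import re

IOCS = [
    {"type": "registry", "value": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Locale", "tier": "high"},
    {"type": "registry", "value": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Logging\Counter", "tier": "high"},
    {"type": "ip", "value": "213[.]32[.]252[.]221", "tier": "medium"},
    {"type": "ip", "value": "124[.]168[.]91[.]178", "tier": "medium"},
    {"type": "domain", "value": "seznam[.]cz", "tier": "contextual"},
    {"type": "filename", "value": "Roadmap.zip", "tier": "medium"},
]

# Hypothetical handling per tier; none of them is an automatic block (see caveat above).
ACTIONS = {"high": "investigate_host", "medium": "review_queue", "contextual": "enrich_only"}


def refang(value):
    """Reverse common defanging so the value can be searched for literally."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def _registry_pattern(value):
    # Sysmon records HKCU keys as HKU\<SID>\..., so match on the path below the hive.
    below_hive = value.split("\\", 1)[1]
    return re.compile(r"\\" + re.escape(below_hive) + r"(?=\s|$)", re.IGNORECASE)


def _ip_pattern(value):
    # Anchor both sides so 213.32.252.22 does not match 213.32.252.221.
    return re.compile(r"(?<![\d.])" + re.escape(refang(value)) + r"(?![\d.])")


def _domain_pattern(value):
    # Match the domain and its subdomains (email.seznam.cz), not substrings of other names.
    return re.compile(r"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*" + re.escape(refang(value))
                      + r"(?![A-Za-z0-9.-])", re.IGNORECASE)


def _filename_pattern(value):
    return re.compile(r"(?<![A-Za-z0-9_.-])" + re.escape(value) + r"(?![A-Za-z0-9_.-])", re.IGNORECASE)


_BUILDERS = {"registry": _registry_pattern, "ip": _ip_pattern,
             "domain": _domain_pattern, "filename": _filename_pattern}


def compile_iocs(iocs=IOCS):
    """Pair each IOC with a compiled pattern appropriate to its type."""
    return [(ioc, _BUILDERS[ioc["type"]](ioc["value"])) for ioc in iocs]


def match_logs(lines, iocs=IOCS):
    """Return one hit per (line, IOC) match, with tier and recommended action."""
    compiled = compile_iocs(iocs)
    hits = []
    for line in lines:
        for ioc, pattern in compiled:
            if pattern.search(line):
                hits.append({"type": ioc["type"], "ioc": ioc["value"], "tier": ioc["tier"],
                             "action": ACTIONS[ioc["tier"]], "line": line})
    return hits


# Constructed sample log lines (not real telemetry); the third line is a near-miss IP.
SAMPLE_LOGS = [
    r"sysmon EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Logging\Locale Image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    "fw action=allow src=10.20.30.40 dst=213.32.252.221 dport=443",
    "fw action=allow src=10.20.30.41 dst=213.32.252.22 dport=443",
    "proxy user=alice host=email.seznam.cz method=GET",
    "mailgw direction=inbound attachment=Roadmap.zip sender=external",
]

if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS):
        print(hit["tier"], hit["action"], hit["type"], hit["ioc"])
```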
Incident Response Guidance
Containment, eradication, and recovery (finance-tailored)
1) Immediate containment (first hours)
- Identity containment first: disable suspected accounts, revoke sessions/tokens, reset credentials, and freeze high-risk admin changes to stop T1078 and T1528 abuse.
- Payment/fraud containment: implement rapid payment holds, step-up verification for beneficiary changes, and activate mule-account escalation pathways; align with PSR/UK Finance fraud focus and reimbursement reality. (PSR)
- Supplier containment: if third parties are involved (data vendors, fintech partners), initiate contractual incident procedures, secure evidence-sharing, and agree comms sequencing—consistent with UK regulators’ systemic focus on critical third-party disruption. (Bank of England)
2) Investigation and eradication
- Validate whether the incident is data exposure, identity compromise, or destructive impact (ransomware, sabotage). The NCSC notes extortion may occur without encryption; don’t assume “no encryption” equals “lower severity”. (NCSC)
- Hunt for mailbox-based persistence and token abuse (mailbox rule creation, unusual permission changes, OAuth refresh anomalies), informed by NCSC AUTHENTIC ANTICS artefact guidance. (NCSC)
- Validate whether any support/service desk channels were abused or bribed (as reported in the Coinbase case) and isolate affected workflows. (Reuters)
3) Recovery and resilience
- Restore services with controlled change and monitored rollback, incorporating lessons from systemic tooling failures (e.g., security agent updates impacting Windows stability). (CrowdStrike)
- Execute customer harm remediation: fraud refunds, credit monitoring where appropriate, and proactive scam warnings if identity data was exposed.
Operational communications (customers, regulators, and cross-border disclosure)
- UK resilience expectations: ensure board visibility and evidence that important business services remain within impact tolerances under severe but plausible scenarios, consistent with the FCA's transition-deadline messaging. (FCA)
- US disclosure/notification: if in scope, align to SEC material incident disclosure timelines and US banking regulator 36-hour notification requirements. (SEC)
- Sanctions-aware ransomware decisioning: ensure legal review of payment pathways and sanctions exposure consistent with OFAC guidance and any UK policy evolution. (OFAC)
Forensic artefacts to preserve (minimum set)
- Identity provider audit logs, MFA enrolment/reset events, conditional access logs, and token issuance/revocation records.
- Mailbox audit logs, inbox rule creation/modification, mailbox permission change logs, and sign-in telemetry for executives/treasury teams.
- EDR telemetry around persistence mechanisms (scheduled tasks, COM hijack artefacts, suspicious Outlook DLL loads), including the specific registry artefacts described by NCSC for AUTHENTIC ANTICS. (NCSC)
- Payment application logs covering payee changes, payment initiation, approvals, and override events (with chain-of-custody).
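The mailbox hunt in step 2 and the mailbox audit artefacts listed above come together in detection logic like the following. It is an added example, not NCSC guidance or vendor code: it runs over constructed, simplified unified-audit-log-style records (Operation, UserId, and Parameters as Name/Value pairs) and flags external forwarding, rules that hide finance-related mail, and FullAccess grants on executive or treasury mailboxes. The tenant domain, watched mailboxes and events are assumptions for illustration.

```python
"""Hunt for mailbox-based persistence in Exchange/M365-style audit records:
external forwarding, rules that hide finance-related mail, and FullAccess
grants on executive or treasury mailboxes.

Added example, not NCSC guidance or vendor code. The record shape is a
simplified unified-audit-log entry (Operation, UserId, Parameters as Name/Value
pairs); the tenant domain, mailboxes and events are constructed for illustration.
"""
import re

INTERNAL_DOMAINS = {"example-bank.co.uk"}                             # constructed tenant
WATCHED_MAILBOXES = {"cfo@example-bank.co.uk", "treasury@example-bank.co.uk"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items"}
FINANCE_TERMS = {"payment", "invoice", "remittance", "wire", "iban", "beneficiary"}
KEYWORD_PARAMS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords")
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
MAILBOX_OPS = {"Set-Mailbox"}
PERMISSION_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}


def params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def addresses(value):
    """Extract e-mail addresses from values such as 'smtp:x@y.example; z@w.example'."""
    return {a.lower() for a in re.findall(r"[\w.+-]+@[\w.-]+\.\w+", value)}

def is_external(address):
    return address.split("@", 1)[1] not in INTERNAL_DOMAINS

def analyse(record):
    """Return finding codes for one audit record (empty list if nothing looks suspicious)."""
    op, p, findings = record.get("Operation", ""), params(record), []
    if op in RULE_OPS | MAILBOX_OPS:
        targets = {a for k in FORWARD_PARAMS if k in p for a in addresses(p[k])}
        if any(is_external(a) for a in targets):
            findings.append("external_forward")
    if op in RULE_OPS:
        name = p.get("Name", "").strip()
        if len(name) <= 2 or not re.search(r"[A-Za-z]", name):   # '..'-style names hide the rule
            findings.append("suspicious_rule_name")
        if p.get("DeleteMessage", "").lower() == "true" or p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
            findings.append("hide_mail")
        keywords = {w.lower() for k in KEYWORD_PARAMS for w in re.findall(r"[A-Za-z]+", p.get(k, ""))}
        if keywords & FINANCE_TERMS:
            findings.append("finance_keyword_filter")
    if op in PERMISSION_OPS:
        target = p.get("Identity", "").lower()
        grantees = addresses(p.get("User", "") + " " + p.get("Trustee", ""))
        if "fullaccess" in p.get("AccessRights", "").lower() and target in WATCHED_MAILBOXES:
            findings.append("fullaccess_on_watched_mailbox")
        if any(is_external(a) for a in grantees):
            findings.append("external_grantee")
    if findings and record.get("UserId", "").lower() in WATCHED_MAILBOXES:
        findings.append("watched_mailbox")   # the acting account is an executive/treasury mailbox
    return findings

def hunt(records):
    """Run analyse() over a batch and keep only records with findings, preserving order."""
    out = []
    for r in records:
        f = analyse(r)
        if f:
            out.append({"time": r.get("CreationTime"), "operation": r.get("Operation"),
                        "user": r.get("UserId"), "findings": f})
    return out


# Constructed audit records (simplified shape; not from a real tenant).
SAMPLE_RECORDS = [
    {"CreationTime": "2025-06-02T07:41:10", "Operation": "New-InboxRule", "UserId": "cfo@example-bank.co.uk",
     "Parameters": [{"Name": "Name", "Value": ".."}, {"Name": "ForwardTo", "Value": "smtp:intake@freemail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-06-02T08:02:55", "Operation": "New-InboxRule", "UserId": "analyst@example-bank.co.uk",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "SubjectContainsWords", "Value": "newsletter;digest"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2025-06-02T08:15:02", "Operation": "Set-InboxRule", "UserId": "treasury@example-bank.co.uk",
     "Parameters": [{"Name": "Name", "Value": "Payments"}, {"Name": "SubjectOrBodyContainsWords", "Value": "payment;invoice;remittance"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"CreationTime": "2025-06-02T08:20:30", "Operation": "Add-MailboxPermission", "UserId": "helpdesk@example-bank.co.uk",
     "Parameters": [{"Name": "Identity", "Value": "treasury@example-bank.co.uk"}, {"Name": "User", "Value": "contractor@partner.example"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2025-06-02T08:31:00", "Operation": "Set-Mailbox", "UserId": "ops@example-bank.co.uk",
     "Parameters": [{"Name": "Identity", "Value": "ops@example-bank.co.uk"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:ops-shared@example-bank.co.uk"}]},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit)
```

The internal mailbox-level forward in the last record produces no finding, which is deliberate: the point is to surface external forwarding, concealment of payment-related mail, and delegated access to watched mailboxes, not every administrative change.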
Mitigation Recommendations (Prioritised)
The following priorities are designed to meet UK operational resilience expectations (important business services, impact tolerances, mapping/testing), anticipate EU DORA influences for cross-border groups, and address the identity- and supplier-driven reality of recent incidents. (Bank of England)
- Phishing-resistant MFA and strong identity assurance for all privileged roles and high-risk business functions (treasury/payments, service desk, market ops).
- Token governance: enforce short-lived tokens where possible, monitor refresh token abuse, and implement rapid tenant-wide session revocation for incident containment (explicitly relevant to OAuth token theft described by NCSC). (NCSC)
- Service desk hardening: introduce strict verification for credential resets, enforce call-back controls, and monitor for coercion/bribery patterns (informed by reported support-role abuse patterns). (Reuters)
- Payment journey controls: step-up verification for new payees and high-risk transfers; delay-and-confirm mechanisms; and tighter beneficiary change governance aligned to the PSR's APP scam reimbursement requirements. (PSR)
- Operational resilience mapping to supplier dependencies: include identity providers, endpoint security platforms, market data/auction platforms, and fintech processors in service maps and scenario tests. (FCA)
- Supplier governance uplift (CTP/DORA-style): breach notification SLAs, evidence-sharing clauses, assurance testing, and concentration risk monitoring—aligned to UK CTP regime direction. (Bank of England)
- Controlled change for systemic tooling (EDR, endpoint agents, SSO): staged rollouts, canarying, and tested rollback to reduce outage blast radius (CrowdStrike outage lessons). (CrowdStrike)
- Mailbox and collaboration protection: disable unauthorised auto-forwarding, monitor mailbox permission changes, and enforce privileged access to mail admin functions.
- Segmentation and tiering: isolate payment initiation and settlement systems from general corporate IT; ensure admin paths are separate and monitored.
- Backups and recovery engineering: immutable backups, offline recovery paths, and tabletop exercises for ransomware/extortion including “no-encrypt” scenarios. (NCSC)
- DDoS readiness: upstream protections, rate-limiting for APIs and customer portals, and tested incident playbooks consistent with NCSC warnings on hacktivist DoS. (NCSC)
- Market infrastructure contingency: validate alternative processes for auctions/market data access where concentrated dependencies exist (Bloomberg outage lessons). (Reuters)
- Threat-led testing: use TIBER-style red teaming and threat intelligence-led exercises to validate end-to-end resilience in critical services. (European Central Bank)
- Cross-border playbooks: pre-map regulatory notification/disclosure triggers (UK, EU, US) and sanctions/legal decision paths for ransomware. (SEC)
- Fraud/cyber fusion: integrate SOC and financial crime operations to rapidly translate cyber telemetry into payment holds and scam interdiction, reflecting the scale of UK fraud losses. (UK Finance)
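The payment-journey controls and the fraud/cyber fusion recommendation above can be expressed as a single decision function: payment context (new payee, high value, a recently edited beneficiary) drives step-up or delay-and-confirm, and a SOC compromise signal about the customer's session is translated directly into a payment hold. The code below is an added example, not the PSR's rules or any bank's engine; the thresholds, cooling period, SOC flag names, accounts and payments are constructed assumptions.

```python
"""Payment-journey control combining step-up verification, delay-and-confirm and
SOC telemetry so that cyber signals translate directly into payment holds.

Added example, not the PSR's rules or any bank's engine. The thresholds, cooling
period, SOC flag names, accounts and payments are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple


@dataclass
class Payment:
    payer: str
    payee: str          # beneficiary identifier
    amount: float       # GBP
    when: datetime


@dataclass
class AccountContext:
    known_payees: Set[str]                              # beneficiaries this payer has paid before
    last_payee_change: Optional[datetime] = None        # most recent add/edit of beneficiary details
    last_credential_reset: Optional[datetime] = None    # e.g. a service-desk reset
    soc_flags: Set[str] = field(default_factory=set)    # SOC signals about this customer/session


# Constructed policy values (assumptions, not regulatory thresholds)
STEP_UP_AMOUNT = 5_000.0
HOLD_AMOUNT = 25_000.0
COOLING_PERIOD = timedelta(hours=24)
SOC_HOLD_FLAGS = {"session_token_anomaly", "credential_compromise", "mailbox_rule_alert"}
ESCALATION = ["allow", "step_up", "hold"]


def decide(payment: Payment, ctx: AccountContext) -> Tuple[str, List[str]]:
    """Return (action, reasons); action is the most severe of 'allow', 'step_up', 'hold'."""
    action, reasons = "allow", []

    def escalate(to: str, why: str) -> None:
        nonlocal action
        reasons.append(why)
        if ESCALATION.index(to) > ESCALATION.index(action):
            action = to

    new_payee = payment.payee not in ctx.known_payees
    if new_payee:
        escalate("step_up", "new_payee")
    if ctx.last_payee_change and payment.when - ctx.last_payee_change < COOLING_PERIOD:
        # Delay-and-confirm: beneficiary details changed inside the cooling period.
        escalate("hold" if payment.amount >= STEP_UP_AMOUNT else "step_up", "recent_beneficiary_change")
    if new_payee and payment.amount >= HOLD_AMOUNT:
        escalate("hold", "high_value_new_payee")
    elif payment.amount >= STEP_UP_AMOUNT:
        escalate("step_up", "amount_over_step_up_threshold")
    if ctx.last_credential_reset and payment.when - ctx.last_credential_reset < COOLING_PERIOD:
        escalate("step_up", "recent_credential_reset")
    if ctx.soc_flags & SOC_HOLD_FLAGS:
        # Fraud/cyber fusion: a SOC compromise signal holds the payment regardless of amount.
        escalate("hold", "soc_compromise_signal")
    return action, reasons


NOW = datetime(2025, 6, 2, 10, 0)
# Constructed scenarios
SCENARIOS = {
    "routine_supplier": (Payment("acct-1", "payee-A", 1_200.0, NOW),
                         AccountContext({"payee-A", "payee-B"})),
    "new_payee_small": (Payment("acct-1", "payee-Z", 3_000.0, NOW),
                        AccountContext({"payee-A"})),
    "new_payee_large": (Payment("acct-1", "payee-Z", 30_000.0, NOW),
                        AccountContext({"payee-A"})),
    "changed_beneficiary": (Payment("acct-2", "payee-A", 8_000.0, NOW),
                            AccountContext({"payee-A"}, last_payee_change=NOW - timedelta(hours=2))),
    "soc_token_alert": (Payment("acct-3", "payee-A", 500.0, NOW),
                        AccountContext({"payee-A"}, soc_flags={"session_token_anomaly"})),
}


def run_scenarios():
    return {name: decide(p, c) for name, (p, c) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (action, reasons) in run_scenarios().items():
        print(f"{name:22} -> {action:8} {reasons}")
```

Every reason that fired is returned alongside the action, so the hold or step-up can be explained to the customer-facing team and recorded for the payment application audit trail described in the forensic artefact list.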
Future Outlook (12–24 Months)
Over the next 12–24 months, UK financial organisations should expect a continued shift toward identity compromise and session theft as the dominant intrusion path, with stealthier cloud-native persistence (token abuse, mailbox manipulation) reducing reliance on traditional malware C2—consistent with patterns described in NCSC malware reporting. (NCSC)
Extortion without encryption is likely to expand because it can produce leverage while reducing operational friction for attackers; the NCSC has already highlighted this trend direction in its ransomware commentary. (NCSC)
Geopolitics-driven DDoS peaks are likely to continue, especially around crisis events and sanction cycles, with the NCSC continuing to warn of Russian-aligned hacktivist activity and ENISA documenting DDoS peaks linked to geopolitical events in finance. (NCSC)
Critical third-party oversight will tighten: UK CTP oversight and EU DORA implementation will further raise the minimum standard for supplier resilience evidence, incident reporting discipline, and concentration risk management—pushing firms to treat supplier outages and compromises as systemic scenarios, not vendor issues. (Bank of England)
Finally, incidents will increasingly concentrate in “financial plumbing” (terminals, data providers, auction infrastructure, and shared security tooling), because these nodes represent high-leverage points where disruption can affect many firms simultaneously—as shown by Bloomberg terminal disruption and the global endpoint tooling outage. (Reuters)
Further Reading
Regulators & Frameworks (UK)
- Bank of England: Operational resilience of the financial sector (Bank of England)
- PRA Supervisory Statement SS1/21: Operational resilience impact tolerances (Bank of England)
- FCA PS21/3: Building operational resilience (FCA)
- FCA: Operational resilience insights and observations (31 March 2025 transition deadline) (FCA)
- PSR PS24/7: Faster Payments APP scams reimbursement maximum level (from 7 Oct 2024) (PSR)
- NCSC Annual Review 2024 (NCSC)
- NCSC warning: hacktivist groups disrupting UK organisations (Jan 2026) (NCSC)
EU
- EU DORA (Regulation (EU) 2022/2554) – consolidated PDF (EUR-Lex)
- European Commission overview: NIS2 Directive and transposition deadline (Digital Strategy EU)
- ECB: TIBER-EU framework (European Central Bank)
- ENISA: Finance Sector Threat Landscape (Finance TL 2024) (ENISA)
US
- SEC Final Rule (Release 33-11216): Cybersecurity incident disclosure requirements (SEC)
- OCC Bulletin 2021-55: 36-hour incident notification rule (OCC.gov)
- FDIC FIL-74-2021: Incident notification requirements (FDIC)
- OFAC Updated Advisory (Sep 2021): Sanctions risks for facilitating ransomware payments (OFAC)
Threat Landscape Reports and Geopolitical Context
- NCSC Malware Analysis Report: AUTHENTIC ANTICS (NCSC)
- Joint advisory AA25-141A PDF: Russian GRU targeting logistics and technology entities (U.S. Department of War)
- Chainalysis: $2.2bn stolen in crypto in 2024; DPRK-linked $1.34bn in 2024 (Chainalysis)
Notable Incidents (selected)
- Santander statement on third-party hosted database access (14 May 2024) (santander.com)
- Reuters: Evolve Bank confirms cyber attack and data breach (26 Jun 2024) (Reuters)
- Reuters: Bloomberg terminal outage delayed UK gilt sale (21 May 2025) (Reuters)
- Reuters: OCC executives’ emails hacked (8 Apr 2025) (Reuters)