European Banking Authority hit by cyber-attack

The European Banking Authority (EBA) has taken all email systems offline after being hit by a cyber-attack targeting its Microsoft Exchange Servers.

Europe's top regulator is not the only body under attack, with multiple hacking groups across the world exploiting vulnerabilities to backdoor unpatched servers.

Microsoft issued emergency patches on Tuesday last week, but they do nothing to disinfect systems that are already compromised.

The EBA says that access to personal data through emails held on MS Exchange servers may have been obtained by the attacker. It is currently scrambling to identify what, if any, data was accessed.

"The Agency has launched a full investigation, in close cooperation with its ICT provider, a team of forensic experts and other relevant entities," it states. "Where appropriate, the EBA will provide information on measures that data subjects might take to mitigate possible adverse effects. As a precautionary measure, the EBA has decided to take its email systems offline."

In an update on the evolving situation, Microsoft says: "In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments."

Microsoft has attributed the attack to Hafnium, a state-sponsored hacking group operating out of China.

In an update published late Monday, the EBA states: "At this stage, the EBA email infrastructure has been secured and our analyses suggest that no data extraction has been performed and we have no indication to think that the breach has gone beyond our email servers."

Comments: (1)

Andrew Smith - RTGS & ClearBank - London, 09 March, 2021, 11:02

It's interesting the case made by central banks and regulators for cyber security and resilience for commercial banks. Many have "buffers" added to their capital requirements because of perceived operational risk. How does this work for central banks?

I am also a little shocked that we have functions like "email" still being on-premises, dependent on an ICT provider (or internal IT personnel) to secure, patch and maintain that system. Surely the EBA must be thinking of moving to Office 365 and utilising the capabilities of that Azure cloud-based service to take advantage of the cyber security capabilities of the cloud and not on-prem..... ????