At many banks, Nov. 5 will be a scary day. That’s when broad U.S. sanctions are set to be re-imposed on Iran, thereby placing new pressure on its struggling economy and increasing the regime’s desperation for hard currency. A crucial side effect of this effort has gotten too little attention: Iran will likely attempt to skirt these sanctions through cyber-enabled money laundering — and banks will be a prime target.
Cyber-enabled money laundering is a fairly simple concept. Hackers use a bank’s computer system to execute a prohibited financial transaction by altering critical information or disabling anti-money laundering controls. It’s effective because it’s subtle: One need only disguise the illicit purpose or sanctioned participant of an otherwise allowable transaction.
Iran certainly has the motive for such attacks. Faced with a weakening currency and a looming recession, it is increasingly desperate to sell oil and obtain dollars to support its currency, finance trade, and fund terrorist groups and proxy wars overseas. Adding to the pressure, recent efforts by the U.S. and the United Arab Emirates have made it harder for Iran to conduct illicit activity through Dubai, its traditional backdoor to the financial system.
Iran has also demonstrated the needed capabilities. Starting in 2011, it directed cyberattacks against dozens of U.S. banks, causing millions of dollars in lost business. More recently, its hackers stole at least 31 terabytes of documents and data from U.S. academic institutions, businesses, and government agencies, a theft valued at some $3.4 billion. Given the scale of its hard currency needs, Iran might seek help from other capable countries or criminal groups in conducting new attacks to evade sanctions.
The finance industry is largely unprepared for this kind of threat. In recent years, it has focused on preventing large-scale hacks like the one that diverted $81 million from Bangladesh Bank in 2016. Due to its boldness and scale, this attack has been the subject of dramatic press coverage and innumerable cybersecurity sessions at financial conferences. But the window for this type of hack is closing as banks and regulators invest in better technology, monitoring and training to prevent unauthorized transfers of funds.
Cyber-enabled money laundering isn’t yet on the radar in the same way, and it could prove harder to prevent. Hackers could subtly alter customer data to avoid sanctions-screening lists or exempt an account from the focused scrutiny that banks apply to clients from sanctioned countries. Bypassed controls at a bank’s far-flung branches represent a particular risk. Denmark’s largest lender, Danske Bank A/S, is facing civil penalties and possible criminal charges after its Estonian branch allegedly laundered as much as $235 billion on behalf of sanctioned Russians.
Financial institutions aren’t powerless against this threat. But they must commit themselves to continuous monitoring of account behavior, data integrity, employees and supply chains.
For starters, they should invest in software that establishes an internal distributed ledger system to record critical data, which could make manipulation more difficult. Layering such a system with “context-aware” security features that take into account factors such as location, historical behavior, and multifactor authentication before allowing access or changes can help block anomalous activity. A combination of such features could allow administrators to spot hackers before their system controls have been defeated.
A further concern is the manipulation of hardware, which can undermine even the most secure networks. Banks will need to audit their global supply chains to ensure the integrity of computers and network equipment. Storing data in secure clouds and accessing it through virtual desktops can minimize the amount of hardware that must be protected.
Yet even the most sophisticated security systems can be defeated by the people who use them. Hackers will continue to use phishing and similar attacks to target careless users. Realistic training coupled with ongoing testing of cybersecurity awareness is essential. An insider threat program that monitors employees with critical access is also vital.
Finally, better information sharing among banks, governments and academia would enable an attack against one institution to help inform all the others. An advisory issued by the Treasury Department on Oct. 11 detailing Iran’s efforts to abuse the international financial system is a good example.
The resumption of broad U.S. sanctions sets up a serious threat of cyber-enabled money laundering by Iran. But it may also be an opportunity for financial institutions to redouble their cybersecurity efforts to avoid being on the receiving end of new attacks, as well as serious penalties if they’re used to evade sanctions. Financial institutions need to act now to protect themselves, their customers and their countries.