Financial services organisations remain the most targeted sector for advanced persistent threat groups. The motivation is straightforward: that's where the money is. But the methods have grown significantly more sophisticated over the past 18 months, driven by three primary actors — Lazarus Group, Carbanak, and FIN7.
Lazarus Group: Nation-State Precision Against SWIFT
Lazarus Group, attributed to the DPRK, has shifted focus from opportunistic ransomware toward targeted SWIFT system compromise. Their 2024 campaign against Southeast Asian financial institutions demonstrated a patient, multi-phase approach: initial access via spear-phishing targeting treasury operations staff, lateral movement using living-off-the-land techniques to avoid EDR detection, and a dwell time averaging 47 days before any SWIFT interaction.
The group has invested heavily in SWIFT-specific knowledge. Their tooling now includes custom modules designed to manipulate SWIFT Alliance Access software, and they have demonstrated the ability to suppress transaction logs in real time — significantly complicating forensic investigation.
Carbanak: Insider Knowledge, Systematic Fraud
Carbanak's operational model is unique in its patience. Where most threat actors seek rapid exfiltration, Carbanak embeds within banking networks for months — studying internal processes, identifying which transaction approval workflows can be manipulated, and understanding the human patterns behind authorisation controls.
In engagements where we simulate Carbanak TTPs, the most consistent finding is that internal monitoring fails to detect anomalous privileged account activity when that activity mirrors legitimate behaviour patterns. Carbanak has essentially learned to impersonate the bank's own internal operations team.
FIN7: Evolving Beyond POS — Into Cloud and API Targeting
FIN7 has made a notable pivot in the past 12 months, moving from point-of-sale malware toward cloud infrastructure compromise and API exploitation. Their current playbook targets poorly secured cloud storage containing transaction data, and uses compromised API credentials to initiate fraudulent transfers through legitimate banking APIs — making detection significantly harder than traditional wire fraud.
In one disclosed case, FIN7 leveraged an over-permissioned service account in Azure to access a financial institution's payment processing API. The initial compromise originated from a third-party vendor — a classic supply chain entry point that bypassed perimeter controls entirely.
What Defenders Can Do
The most effective controls we observe against these three actor groups are not necessarily the most expensive. Privileged Access Workstations for SWIFT operators, strict API key rotation policies, and out-of-band transaction verification for high-value transfers address the majority of observed attack paths.
More critically: the detection gaps we exploit during adversary simulation engagements are almost never technical failures. They are gaps in monitoring coverage — specifically, a failure to baseline normal behaviour for privileged accounts and to alert on deviations. Behavioural analytics, applied specifically to treasury and payment operations staff, closes more attack paths than additional perimeter tooling.
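The baseline-and-deviation check described above, as an added Python example that is not part of the original article: it learns the hours of day, source hosts and actions seen for a privileged treasury account from a constructed log window, then flags later events that fall outside that baseline. The log format, the account `treasury_ops1` and the host names are assumptions; the second scored event, which mirrors the operator's own pattern exactly, stays silent, which is the gap the Carbanak section describes.

```python
from collections import defaultdict
from datetime import datetime
# Constructed baseline window for one privileged treasury account (hypothetical
# format: "<ISO timestamp> <account> <source host> <action>").
BASELINE_LOG = """\
2024-03-04T09:12:00 treasury_ops1 PAW-01 approve_transfer
2024-03-04T10:40:00 treasury_ops1 PAW-01 approve_transfer
2024-03-05T09:05:00 treasury_ops1 PAW-01 view_queue
2024-03-05T14:30:00 treasury_ops1 PAW-01 approve_transfer
2024-03-06T11:20:00 treasury_ops1 PAW-01 approve_transfer"""

def parse(log):
    """Yield (timestamp, account, host, action) for each log line."""
    for line in log.splitlines():
        ts, account, host, action = line.split()
        yield datetime.fromisoformat(ts), account, host, action

def build_baseline(log):
    """Per account: the hours of day, source hosts and actions seen in the window."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set(), "actions": set()})
    for ts, account, host, action in parse(log):
        baseline[account]["hours"].add(ts.hour)
        baseline[account]["hosts"].add(host)
        baseline[account]["actions"].add(action)
    return baseline

def deviations(baseline, event):
    """List how one event departs from its account's baseline; empty means normal."""
    ts, account, host, action = event
    if account not in baseline:
        return ["no baseline for account"]
    b, reasons = baseline[account], []
    if ts.hour not in b["hours"]:
        reasons.append(f"hour {ts.hour:02d} outside baseline")
    if host not in b["hosts"]:
        reasons.append(f"host {host} outside baseline")
    if action not in b["actions"]:
        reasons.append(f"action {action} outside baseline")
    return reasons

def alerts(baseline, log):
    """Map each deviating log line to its reasons; lines that fit the baseline stay silent."""
    found = {line: deviations(baseline, ev) for line, ev in zip(log.splitlines(), parse(log))}
    return {line: reasons for line, reasons in found.items() if reasons}

# Constructed events to score: one from an unseen host at 02:15 (flagged) and one
# that mirrors the operator's own pattern exactly (silent under this baseline).
NEW_EVENTS = """\
2024-03-07T02:15:00 treasury_ops1 JUMP-09 approve_transfer
2024-03-07T10:30:00 treasury_ops1 PAW-01 approve_transfer"""
```

Running `alerts(build_baseline(BASELINE_LOG), NEW_EVENTS)` returns only the 02:15 event, with both the hour and the host named as the reasons.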
