Current (cyber) threat situation in Germany from the perspective of the Federal Office for the Protection of the Constitution

The FIRM Round Table (RT) Payments, which was established in 2022, focused on the in-depth topic of “Cyber Risks & Data Security” in 2024. The topic was identified at the outset as part of the holistic topic map and as one of the most relevant risks in payment transactions. It was then taken up further in 2023 as part of our discussions on operational resilience and our resulting white paper “Risk management and operational resilience in payments”[1]. Among other things, this raised questions and recommendations in connection with cyber risks and the possible strengthening of the operating model of banks and payment service providers. In the discussion with the institutions participating in the RT, recommendations for action included a better exchange on the risk and threat situation between the banks, and also with other providers of critical infrastructure (such as the aviation industry or energy suppliers), in order to coordinate on potential risks, emergencies and threat scenarios in the industry. In particular, the participants collectively expressed the wish to receive intelligence findings from German security authorities to assess current risks. We were able to fulfill this wish in 2024 with a highly interesting specialist presentation by the Federal Office for the Protection of the Constitution (BfV). We were able to attract two representatives as speakers, from the fields of cyber and counterintelligence, and of prevention in business, science, politics and administration.

Federal Office for the Protection of the Constitution as a guest

The latter area acts as the BfV’s Single Point of Contact (SPOC) for the aforementioned target groups – and is therefore an excellent partner for FIRM with a similar three-part structure consisting of banks, universities and regulators, supported by corresponding consulting firms. Accordingly, the BfV also emphasizes the importance of a mutual exchange of relevant information.

If you want to understand the cyber threat situation, you inevitably have to look at the geopolitical situation in the world. Not surprisingly, the current major conflicts Russia/Ukraine and China/USA should be mentioned here, with other focus countries on the BfV radar such as Iran, North Korea and Syria. Many of these countries also use espionage as a means of “hybrid warfare”. In Europe, including Germany, global attacks from these critical countries are intensifying and spreading, whereby the targets can be multidimensional and include critical infrastructure as well as political institutions. In addition to targeted cyber attacks, freely available access to sensitive data (“open source”) is often enough.

The BfV would therefore like to sensitize its target groups to current attack vectors and promotes its existing information sources such as the “Security information for the economy”, the “Information sheets on economic protection” or the “Cyber-Brief” (provides concrete technical information – so-called “Indicators of Compromise”/IoC), all of which are also available at www.verfassungsschutz.de and are advertised via the X (formerly Twitter) channel @BfV_Bund.

Growing problem of cyber crime

In addition to espionage and sabotage, for which the BfV is responsible, cybercrime is also a growing problem. The motives and approaches of state and criminal actors can certainly overlap. These include financial motives (cryptocurrencies are playing an increasing role here), data encryption (e.g. via ransomware attacks), system overload (DDoS attacks), cyber espionage and sabotage, and hack & leak or hack and publish (disinformation based on supposedly genuine information).

The RT participants were then given concrete examples of how to gain access to e.g. critical company structures/networks on the web (e.g. made possible by the mandatory requirement to publish various building data for new buildings). Ready-made instructions for spying can also be downloaded from the Internet and increasingly expanded and automated using artificial intelligence (AI). One of the biggest problems is finding out that your company has been hacked in the first place, as some of these accesses can only actually be exploited much later (“later moves”). Accordingly, all banks should continuously analyze their systems for unnoticed access (“backdoors”), unusual peaks in network traffic and blurred traces (using so-called “log cleaners”).
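As an added illustration (not part of the BfV presentation or of this report), the following sketch shows two of the checks named above: flagging unusual peaks in network traffic with a median/MAD outlier test, and spotting possible log-cleaner traces as missing record numbers or unexpected silence in a log. The function names, thresholds and sample data are constructed assumptions, and the log is assumed to carry sequential record numbers.

```python
from datetime import datetime, timedelta
from statistics import median

def traffic_peaks(samples, threshold=3.5):
    """Labels of samples that are high outliers by modified z-score (median/MAD)."""
    values = [v for _, v in samples]
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # perfectly flat baseline: the score is undefined, report nothing
        return []
    return [label for label, v in samples if 0.6745 * (v - med) / mad > threshold]

def missing_record_ids(record_ids):
    """Inclusive (first, last) ranges of record numbers absent from a sequential log."""
    ids = sorted(set(record_ids))
    return [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b - a > 1]

def silent_periods(timestamps, max_silence):
    """(start, end) pairs where a normally chatty log was quiet longer than max_silence."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_silence]

# Constructed sample data: outbound traffic in MB per hour over one day.
HOURLY_MB = [(f"{h:02d}:00", mb) for h, mb in enumerate(
    [110, 104, 98, 101, 97, 105, 120, 131, 140, 138, 135, 129,
     133, 137, 141, 136, 128, 122, 118, 115, 112, 109, 940, 107])]

# Constructed log: one (record id, timestamp) entry per minute,
# with records 1007-1011 removed to imitate a cleaned log.
START = datetime(2024, 6, 3, 1, 0)
LOG = [(1000 + i, START + timedelta(minutes=i))
       for i in range(20) if not 7 <= i <= 11]

def analyse():
    """Run all three checks over the constructed data."""
    return {
        "peaks": traffic_peaks(HOURLY_MB),
        "missing_ids": missing_record_ids(r for r, _ in LOG),
        "silent": silent_periods([t for _, t in LOG], timedelta(minutes=3)),
    }

if __name__ == "__main__":
    for check, findings in analyse().items():
        print(check, findings)
```

A silent period on its own can be innocent (maintenance, low load); a gap in record numbers that coincides with it is the stronger signal and worth correlating with a copy of the logs held on a separate system.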

Preventive measures

As preventive measures, every company should ask itself the following questions: What company information is publicly available and how sensitive is this data? Are there any old websites or logs? How good is my advanced threat protection (patches, password hygiene, etc.)? What is the level of cyber awareness among employees (training)? Where can I possibly reduce risks with appropriate “data-saving measures” (e.g. omitting sensitive details about the company software used in job advertisements)?

At the end of our RT, there was a lively question-and-answer session with the participating banks, particularly on the relevance of the topic in payment transactions. Basically, the BfV sees the following potential targets: online transactions, bank transfers (“grandchildren trick”), CEO fraud (increasingly supported by AI) and crypto. Politically motivated hackers are increasingly attacking companies that, from the perspective of the country in question, act against it in some way. It is advisable to run large-scale scans to identify preparatory actions (“pre-positioning”). DDoS attacks and targeted IoS are already a reality for banks. Of course, it is also important to keep an eye on outsourcing and the corresponding vendors used for payment transactions (“supply chain attacks”).

In view of the large number of participants and the many questions, the RT 2024 was a great success and there were already initial ideas for further discussion groups (at “tech level”) and perhaps joint crisis exercises.

Motivated by this positive feedback, the three RT coordinators listed below are already planning activities for next year. A further interview with all banks on the current status regarding non-financial risks in payment transactions, further specialist presentations (e.g. from a major foreign bank and/or a payment transaction service provider) and possibly an update on the digital euro in the fourth quarter are currently being considered.

If you have any feedback or requests regarding our previous planning for 2025, please feel free to contact us via the FIRM office.


[1] https://firm.fm/positionspapier-payments-veroeffentlicht/

Authors

Dr. Markus Ampenberger

BCG

Prof. Dr. Tobias Berg

Member of the Executive Board
Goethe-Universität, Frankfurt

Daniel Regending

Deutsche Bank