Europe’s banks brace for Russia-backed cyber retaliation

Beefed-up sanctions on Russia’s largest banks spark IT security alert; 100s of computers brought down in Ukraine

European banks are preparing for an escalation of state-sponsored cyber attacks as Russia’s invasion of Ukraine unleashed a barrage of sanctions against the country’s largest financial firms.

Senior operational risk sources at a UK bank and a European Union bank say they expect Russia-backed hacking groups to conduct retaliatory cyber attacks on western financial infrastructure as global leaders applied asset freezes to local banking giants including Sberbank and VTB.

“I think everybody is paying attention to geopolitical and cyber risk at the moment,” says a senior op risk manager at a large UK bank. “I imagine that certain firms have playbooks, and they’re checking through their playbooks to make sure they are up to date.”

An op risk source at an EU bank says that cyber attack is just one threat stemming from rising political tension: “Geopolitical risk has a cyber element, but also supply chain and resilience elements, too.”

Cyber fears have escalated since Russian forces invaded Ukraine on the morning of February 24, attracting widespread condemnation and a barrage of sanctions from the US, EU, UK and other countries.

US president Joe Biden responded to the invasion by ramping up an initial tranche of restrictions with further curbs that would cut the country’s two largest banks—Sberbank and VTB—from processing payments through the US financial system. The two state-sponsored firms account for more than half of Russia’s banking system by asset value. Sanctions were also imposed on a further three banks—Otkritie, Novikom and Sovcom—that hold combined assets of $80 billion.

Debt and equity prohibitions were also placed on 11 large state-owned and private entities, including Gazprom, Transneft and Rostelecom, preventing the firms from raising money in US markets.


The UK government included VTB in a list of six Russian banks facing sanctions. EU foreign ministers were due to meet today (February 25) to approve a beefed-up sanctions package that already blacklists VEB and Rossiya Bank.

The events have information-security professionals on high alert.

“We regularly assess the geopolitical environment, and employ scenario analysis based on that,” says a source at a financial infrastructure firm.

The UK risk manager believes regulators have already spoken to a number of firms about the potential threat.

The Bank of England declined to comment.

Cyber attack is a real threat amid rising geopolitical tension, according to risk consultant Andrew Sheen: “I think firms have quite rightly identified the possibility that they might be subjected to cyber attacks due to international developments and will need to protect themselves.”

He adds that the threat may not only be limited to state-backed hacks: “You could also see criminal gangs trying to slip in under the radar, taking advantage of what state actors might be doing.”

“My guess is if you are sitting in a bank at the moment, you are likely to see an increase in phishing attacks as the cyber-security perimeter is stressed. You need to make sure your controls are as robust as ever, and you’d be wise to work on IT resilience, in case your systems go down.”

Early attempts to breach systems may already be under way. According to anti-virus company ESET, hundreds of computers in Ukraine were wiped on February 23 by a piece of malware.

Yiannis Pavlosoglou, founder of cyber-security consultancy Kiberna, warns that the attack required “permanent and persistence domain admin access”, and should serve as a warning for companies.

“It’s definitely going to get us thinking,” he says. “What if actually they’re already in?”

Pavlosoglou adds that information-security professionals should take note of the recent attack, evaluate their controls and remain in constant contact with government authorities.

“As a CISO [chief information security officer], it would be your responsibility to look out for indicators of anything that has the capability of a state-sponsored attack, and be able to swiftly escalate to the relevant parts of government,” he says. “There is no chance of dealing with that attack by yourself if the capability of the attacker is that of a nation state.”

The UK-based op risk manager agrees that “nation state threats tend to be much more difficult” to manage than run-of-the-mill attacks.

Cyber crime has been surging up the list of concerns for risk managers since state-sponsored Russian hackers manipulated IT monitoring software from third-party technology vendor SolarWinds in 2020. The security breach left thousands of clients, including US agencies and large technology firms, scrambling to patch their systems.

At the time, SolarWinds’ clients—including Credit Suisse, the Federal Reserve Bank of New York and Mastercard—remained tight-lipped over the impact of the hack and their response to it.

Conversely, an anticipated rise in cyber attacks could make firms less guarded over the impact and response to individual breaches, according to a second consultant: “Reputational risk from [cyber attacks] will actually drop as they become more commonplace and publicized.”

UK home secretary Priti Patel said on Twitter on February 24 that the Home Office would be “especially mindful of the potential for cyber attacks and disinformation emanating from Russia”.

“Be in no doubt there is work ongoing across government 24/7 to maximize our resilience to any such attacks, which would be met with a suitably robust response.”

The Russian financial sector was hit hard after the news of the invasion. Russia’s benchmark RTSI index closed down 39% on Thursday. Sberbank shares, traded on the London Stock Exchange, closed 67% down on the day. Credit default swaps referencing Russian sovereign debt widened from 428 basis points to 937bp on Thursday, according to data from IHS Markit.
