Cyberthieves are stealing money and information with continued intensity and some devastating results. As a result, experts have warned that credit unions and other financial institutions need to protect their infrastructure like never before.

The Moscow-based security firm Kaspersky Lab made the biggest headlines with details that revealed a cybercriminal gang called Carbanak, made up of members from Russia, Ukraine and China, invaded up to 100 financial institutions internationally.

Kaspersky claimed the incursions, which began in 2013 and are apparently still ongoing, raided the firms for an estimated $1 billion. The firm also said the attacks represented a new phase in cybercrime where malicious users steal money directly from financial institutions instead of targeting end users.

In some cases, the group transferred money from the banks' accounts to their own, or instructed cash machines to dispense cash at pre-determined times. Kaspersky said on average, each theft took place over two to four months with as much as $10 million stolen in each instance.

In a less headline-making but nevertheless worrisome report, Verisign released its Q3 2014 DDoS Trends Report that detailed observations about distributed denial-of-service attack mitigations conducted in cooperation with Verisign DDoS Protection Services customers.

Notable observations included a rise in the average number of attacks per customer, exploitation of a recently publicized Simple Service Discovery Protocol vulnerability and malicious code trends that likely contributed to increased DDoS assault activity.

What does this all mean, and what can credit unions do to protect their assets from these attacks?

Shahryar Shaghaghi, a partner for management consulting firm Kurt Salmon in its CIO Advisory Practice in New York, believed the Carbanak gang pointed to an uncomfortable reality.

“You will never stop the hackers from continually trying to get in. Hackers and bad guys look at the entire value chain and try to get to the weakest link. Every single exploit that happened in this breach has been through spear phishing,” said Jim Stickley, a cybersecurity expert and CEO of Stickley on Security, a security education firm in San Diego.

The gang started by sending emails to individuals in the organization. Emails used in spear phishing typically have attachments that look legitimate. An attachment could be a Word document or PDF that appears to be safe to open because it is non-executable. Someone unwittingly opening the attachment compromised the computer by activating the malware.

Carbanak slowly and methodically sent emails from one compromised computer to another, infecting more than 200 computers. This malware included surveillance capabilities and keystroke loggers. Then they recorded everything that was going on in the systems, Stickley explained. So, if a rep performed certain functions in a particular way, such as transferring funds, the gang later just mimicked those operations.

“You cannot stop that with technology in most cases,” Stickley said. “It is going to require new technology that is not available or else it is going to require true segmentation.”

While spear phishing seems like an easy intrusion to protect against, just as disturbing is the ease with which the gang negotiated its way into areas containing critical information. Stickley cautioned that what took place was an incredible breach that should get the attention of all financial institutions and regulatory bodies.

“To organizations that have not been compromised yet this should be a gigantic wake-up call; they need to fully review who has access to what and how their network infrastructure is designed,” Stickley advised.

If tellers, for example, use the same PC for internet and email access and to pull up critical member data from the core system, that is a huge security threat. All it takes is for someone to receive an email with a malicious attachment to compromise that computer.

Anything that reps can access, the criminal now can access. Security officers will need to review which staff members must absolutely receive mail or go to any website.

“That will be the start to eliminate that threat to reduce the spear-phishing risk and then you will see a much more segmented network,” Stickley said.

This involves separating non-critical access from vital information such as infrastructure, data, personal information, and access to ATMs, and can greatly reduce damage from compromised networks.

The truth is that organizations of every size are under siege. Hacking probes attack major financial institutions thousands of times per day, but countless small and mid-sized organizations and financial institutions take hits across the U.S., sometimes as a result of a breakdown along the value chains.

“Small, local breaches may not garner the same headlines, but they can be just as damaging for smaller financial institutions like credit unions,” a NAFCU report released in fall 2014 read. “A wide majority of respondents (84.4%) were impacted by a local data breach during the last two years.”

Many perpetrators of DDoS attacks typically target banks, credit unions, and credit card payment gateways. Verisign's DDoS Trends Report also noted the increase in frequency of DDoS attacks exceeding 10 gigabits in size, accounting for more than 20% of all mitigations, with the largest observed attack experienced by an e-commerce customer.

In its basic form, a DDoS attack causes internet-based service outages by overloading network bandwidth or system resources. Perpetrators characteristically aim to make a machine or network resources unavailable to users. To date, DDoS attack motives have appeared more politically provoked than financially motivated, since the cyberassaults have not directly pilfered funds or sensitive personal information.

However, as in the Carbanak spear-phishing attacks, that might not always be the case. Some DDoS attempts might divert attention or disable alerting systems in order to cover fraudulent activity from such account-takeover attacks. DDoS attacks against bitcoin exchanges appeared connected to thefts of the virtual coins. In the 2014 bitcoin attack, hackers inserted bad code to disrupt the virtual currency programs.

Given the current tempo of technological evolution, it's even more important that credit unions become proactive rather than reactive when it comes to cyberprotection, Shaghaghi said. It is incumbent upon every credit union today to step back and take an overview of where it is in terms of cybersecurity.

Shaghaghi suggested some foundational and fundamental procedures. To fully understand the vulnerabilities, map out the business process clearly in terms of the transactions that support products and services. This includes the roles of people internally and externally, such as third parties, and embedded processes. Look at a holistic cybersecurity strategy supported by a proper plan in order to stay on top of this.

“[It] comes down to protecting the most valuable assets, protecting the core business,” Shaghaghi said.