Cybersecurity in Wartime: Protecting Financial Infrastructure During Geopolitical Conflict
Cybersecurity strategies for financial services during geopolitical conflict. Threat intelligence, DDoS protection, and operational resilience during wartime.
The Russian invasion of Ukraine on February 24, 2022, was the first major conflict with significant cyber dimensions. Ukrainian banks, government agencies, and critical infrastructure were targeted with DDoS attacks and destructive malware before and during the invasion. Financial services firms worldwide were put on high alert.
Geopolitical conflict creates unique cybersecurity challenges for financial services: increased threat activity, state-sponsored attackers targeting financial infrastructure, and the risk of collateral damage from cyber weapons. Financial institutions must prepare for these threats before conflict begins, not during.
Who Is This Guide For?
This guide is for CISOs, threat intelligence leads, and operational resilience officers at financial services firms. If you need to protect financial infrastructure during geopolitical conflict, this is for you.
By the End of This, You’ll Know…
- Why geopolitical conflict creates unique threats to financial services
- How to build threat intelligence capabilities that provide early warning
- The DDoS protection strategies that work against state-sponsored attacks
- How to maintain operations during sustained cyber attacks
Threat Landscape During Conflict
State-Sponsored Attacks
State-sponsored attackers target financial infrastructure for three reasons:
- Economic disruption: Disrupting financial systems weakens the target country’s economy
- Intelligence gathering: Financial transactions reveal economic activity and sanctions evasion
- Retaliation: Financial institutions may be targeted in response to sanctions
Cyber Conflict Spillover
Financial services are at risk of collateral damage from cyber weapons:
- Wiper malware: Destructive malware (like WhisperGate and HermeticWiper) can spread beyond intended targets
- DDoS attacks: Distributed denial-of-service attacks targeting one organisation can impact shared infrastructure
- Supply chain attacks: Compromised software updates can affect any organisation using the affected software
During geopolitical conflict, the threat level for financial services increases by 300-500%. This is not speculation — it was measured by threat intelligence platforms during the Russia-Ukraine conflict.
Threat Intelligence
Sources
- Government advisories: CISA, NCSC, ANSSI (France), BSI (Germany) publish threat advisories during conflict
- Industry ISACs: Financial services Information Sharing and Analysis Centers (FS-ISAC) share threat intelligence across the industry
- Commercial threat intelligence: Recorded Future, Mandiant, CrowdStrike provide real-time threat intelligence
- Open-source intelligence: Security researcher blogs, social media, and underground forums
Actionable Intelligence
Threat intelligence is only useful if it drives action:
- Indicator of Compromise (IoC) feeds: Block known malicious IPs, domains, and file hashes
- Tactical intelligence: Update detection rules based on observed attack patterns
- Strategic intelligence: Adjust security posture based on threat actor capabilities and intentions
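To make the IoC bullet concrete, here is an added example (not code from the original post or from any vendor feed) that loads a small indicator feed and matches it against proxy and endpoint log lines. The feed format, the log line layout and every indicator value are constructed for the example; the feed values are documentation-range addresses and a made-up hash, not real indicators. It shows the normalisation a practitioner actually needs: IPs matched against both single addresses and CIDR ranges, domains matched on label boundaries so that a sibling name like notupdate-checker.example is not a false positive, and hashes compared case-insensitively.

```python
"""Match an indicator-of-compromise (IoC) feed against log lines (added example)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed IoC feed. The type/value layout is an assumption for this example;
# the values are placeholders (RFC 5737 ranges, .example names, a made-up hash).
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.45"},
    {"type": "ipv4-cidr", "value": "198.51.100.0/24"},
    {"type": "domain", "value": "Update-Checker.example."},   # mixed case, trailing dot
    {"type": "sha256", "value": "0123456789ABCDEF" * 4},      # upper-case in the feed
]

# Constructed sample logs: key=value proxy lines plus one endpoint file-hash line.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45 host=cdn.update-checker.example status=200",
    "2024-03-01T10:00:02Z proxy src=10.0.0.6 dst=192.0.2.10 host=example.com status=200",
    "2024-03-01T10:00:03Z proxy src=10.0.0.7 dst=198.51.100.77 host=api.partner.example status=200",
    "2024-03-01T10:00:04Z edr host=WS-042 file=C:\\Temp\\x.dll sha256=" + "0123456789abcdef" * 4,
    "2024-03-01T10:00:05Z proxy src=10.0.0.8 dst=192.0.2.9 host=notupdate-checker.example status=200",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    indicator: str


def normalise_domain(name: str) -> str:
    """Lower-case and strip the trailing dot so feed and log spellings compare equal."""
    return name.strip().lower().rstrip(".")


def load_feed(feed):
    """Split the feed into lookup structures suited to each indicator type."""
    ips, nets, domains, hashes = set(), [], set(), set()
    for ioc in feed:
        kind, value = ioc["type"], ioc["value"].strip()
        if kind == "ipv4":
            ips.add(str(ipaddress.ip_address(value)))
        elif kind == "ipv4-cidr":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            domains.add(normalise_domain(value))
        elif kind == "sha256":
            hashes.add(value.lower())
    return ips, nets, domains, hashes


def domain_matches(host: str, domains: set[str]) -> str | None:
    """Return the feed domain that equals the host or one of its parent domains.

    Matching walks label boundaries, so evil.example matches cdn.evil.example
    but not notevil.example."""
    labels = normalise_domain(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_iocs(feed, lines) -> list[Hit]:
    """Scan key=value log lines and report every indicator they contain."""
    ips, nets, domains, hashes = load_feed(feed)
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, 1):
        fields = dict(KV_RE.findall(line))
        dst = fields.get("dst")
        if dst:
            addr = ipaddress.ip_address(dst)
            if str(addr) in ips:
                hits.append(Hit(line_no, "ipv4", str(addr)))
            for net in nets:
                if addr in net:
                    hits.append(Hit(line_no, "ipv4-cidr", str(net)))
        host = fields.get("host")
        if host:
            matched = domain_matches(host, domains)
            if matched:
                hits.append(Hit(line_no, "domain", matched))
        digest = fields.get("sha256")
        if digest and digest.lower() in hashes:
            hits.append(Hit(line_no, "sha256", digest.lower()))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(IOC_FEED, SAMPLE_LOGS):
        print(hit)
```

The same normalisation belongs in whatever you use to push indicators into firewall, DNS or EDR block lists: a feed entry with a trailing dot or upper-case hash that is loaded verbatim will silently never match.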
DDoS Protection
Architecture
State-sponsored DDoS attacks can generate 1-10 Tbps of traffic. Protection requires:
- CDN-based protection: Cloudflare, Akamai, or AWS Shield absorb traffic before it reaches your infrastructure
- Anycast routing: Distribute traffic across multiple data centres to prevent concentration
- Rate limiting: Limit request rates per source IP to prevent application-layer attacks
- Geographic filtering: Block traffic from regions not relevant to your business during conflict
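The rate-limiting and geographic-filtering bullets are easiest to reason about with a working model, so here is an added example (not code from the original post or from any of the vendors named above) of a per-source token-bucket limiter with a region allow-list in front of it. The request fields, the allowed-country set and the deterministic clock are assumptions for the example; in production the country would come from a GeoIP lookup at the edge and the limiter would run on the CDN or load balancer rather than in application code. It also shows the memory-bound question a practitioner has to answer: a flood from many spoofed sources creates one bucket per source, so idle buckets must be pruned.

```python
"""Per-source token-bucket rate limiting behind a region allow-list (added example)."""
from __future__ import annotations

import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float  # remaining request allowance for this source
    last: float    # clock reading at the last refill


class SourceRateLimiter:
    """One token bucket per source IP: `rate` requests/s sustained, bursts up to `burst`."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}

    def allow(self, src_ip: str) -> bool:
        now = self.clock()
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = Bucket(tokens=float(self.burst), last=now)
        # Refill in proportion to elapsed time, never above the burst ceiling.
        bucket.tokens = min(float(self.burst), bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False

    def prune(self, max_idle: float) -> int:
        """Drop buckets idle longer than max_idle so many spoofed sources cannot exhaust memory."""
        now = self.clock()
        stale = [ip for ip, b in self.buckets.items() if now - b.last > max_idle]
        for ip in stale:
            del self.buckets[ip]
        return len(stale)


def decide(request: dict, limiter: SourceRateLimiter, allowed_countries: set[str]) -> str:
    """Cheap geographic check first, then the per-source rate limit."""
    if request["country"] not in allowed_countries:
        return "blocked:geo"
    if not limiter.allow(request["src"]):
        return "blocked:rate"
    return "allow"


class FakeClock:
    """Deterministic clock so the behaviour can be reproduced without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate() -> list[str]:
    """Constructed scenario: a burst from one source, a refill, and an out-of-region request."""
    clock = FakeClock()
    limiter = SourceRateLimiter(rate=2.0, burst=5, clock=clock)
    allowed = {"GB", "DE", "FR"}  # assumed business regions for the example
    decisions = []
    # Seven requests at t=0 from one source: the first five pass, the rest are limited.
    for _ in range(7):
        decisions.append(decide({"src": "203.0.113.10", "country": "GB"}, limiter, allowed))
    # After one second the bucket has refilled by rate * 1s = 2 tokens.
    clock.advance(1.0)
    for _ in range(3):
        decisions.append(decide({"src": "203.0.113.10", "country": "GB"}, limiter, allowed))
    # A request from a region outside the allow-list never reaches the limiter.
    decisions.append(decide({"src": "198.51.100.7", "country": "XX"}, limiter, allowed))
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The order in `decide` matters under load: the region check is a set lookup with no state, so it sheds the cheapest traffic before any per-source bookkeeping happens. Whatever `rate` and `burst` you pick, rehearse them against real peak traffic before a crisis; a limiter tuned in a quiet month will throttle your own customers during a payroll run.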
Response Plan
- Detection: Monitor traffic patterns for anomalies (sudden spikes, unusual geographic distribution)
- Mitigation: Activate DDoS protection service (Cloudflare, Akamai)
- Communication: Notify customers and partners of potential service degradation
- Recovery: Resume normal operations after attack subsides
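The detection step above names two signals, sudden spikes and unusual geographic distribution. Here is an added example (not code from the original post) that runs both checks over per-minute traffic summaries. The summary layout, the eight-minute baseline window, the 3x spike threshold and the 25-point share-rise threshold are assumptions for the example, and the traffic data is constructed. The spike check compares the current minute to the median of the baseline window rather than the mean, so a single odd minute in the baseline does not mask or manufacture an alert; the geographic check flags only countries whose share of traffic rises, since a drop in your home market's share is the symptom, not the cause.

```python
"""Spike and geographic-shift detection over per-minute traffic summaries (added example)."""
from __future__ import annotations

from statistics import median

# Constructed per-minute summaries, not real traffic: (minute, total requests, requests by country).
# The last minute carries a flood attributed to a region ("XX") that never appears in the baseline.
TRAFFIC = [
    ("10:00", 1020, {"GB": 610, "DE": 210, "FR": 150, "US": 50}),
    ("10:01", 980, {"GB": 590, "DE": 200, "FR": 140, "US": 50}),
    ("10:02", 1050, {"GB": 630, "DE": 210, "FR": 160, "US": 50}),
    ("10:03", 990, {"GB": 600, "DE": 190, "FR": 150, "US": 50}),
    ("10:04", 1010, {"GB": 600, "DE": 210, "FR": 150, "US": 50}),
    ("10:05", 1000, {"GB": 600, "DE": 200, "FR": 150, "US": 50}),
    ("10:06", 1030, {"GB": 620, "DE": 210, "FR": 150, "US": 50}),
    ("10:07", 970, {"GB": 580, "DE": 200, "FR": 140, "US": 50}),
    ("10:08", 1150, {"GB": 600, "DE": 200, "FR": 150, "US": 200}),  # mild US bump, below threshold
    ("10:09", 8400, {"GB": 600, "DE": 200, "FR": 150, "US": 50, "XX": 7400}),
]


def spike_ratio(baseline_counts: list[int], current: int) -> float:
    """Current volume relative to the median of the baseline window."""
    return current / median(baseline_counts)


def country_shares(by_country: dict[str, int]) -> dict[str, float]:
    """Convert per-country counts into fractions of the total."""
    total = sum(by_country.values())
    return {c: n / total for c, n in by_country.items()} if total else {}


def analyse(traffic, window: int = 8, spike_threshold: float = 3.0, share_rise: float = 0.25) -> list[dict]:
    """Emit spike and geo-shift alerts for every minute that has a full baseline window before it."""
    alerts: list[dict] = []
    for i in range(window, len(traffic)):
        minute, total, by_country = traffic[i]
        baseline = traffic[i - window:i]

        # Volume check: how many times the typical baseline minute is this one?
        ratio = spike_ratio([t for _, t, _ in baseline], total)
        if ratio >= spike_threshold:
            alerts.append({"minute": minute, "kind": "spike", "ratio": round(ratio, 2)})

        # Distribution check: which countries gained share against the baseline mix?
        base_counts: dict[str, int] = {}
        for _, _, counts in baseline:
            for country, n in counts.items():
                base_counts[country] = base_counts.get(country, 0) + n
        base_share = country_shares(base_counts)
        for country, share in country_shares(by_country).items():
            if share - base_share.get(country, 0.0) >= share_rise:
                alerts.append({"minute": minute, "kind": "geo_shift",
                               "country": country, "share": round(share, 2)})
    return alerts


if __name__ == "__main__":
    for alert in analyse(TRAFFIC):
        print(alert)
```

In practice the two signals should feed the same alert, because a spike with an unchanged geographic mix is more often a marketing campaign or a batch job than an attack, while a geographic shift without a volume change is worth a look but not a mitigation switch-over. Wire the output to the activation step of the response plan rather than to a dashboard nobody watches at 03:00.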
Operational Resilience
Business Continuity
During conflict, business continuity plans must account for:
- Reduced workforce: Some employees may be unable to work due to displacement or infrastructure damage
- Infrastructure disruption: Cloud providers, internet service providers, and telecommunications may be disrupted
- Regulatory requirements: Regulators may impose additional reporting requirements during crisis
Communication
- Internal communication: Ensure employees can communicate during infrastructure disruption (WhatsApp, Signal, satellite phones)
- Customer communication: Provide regular updates on service availability
- Regulatory communication: Proactively communicate with regulators about operational status
What You Can Actually Use Today
- Cloudflare DDoS Protection: CDN-based DDoS mitigation with state-sponsored attack protection
- AWS Shield Advanced: DDoS protection for AWS-hosted applications
- Akamai Prolexic: Enterprise DDoS protection with scrubbing centres
- FS-ISAC: Financial services threat intelligence sharing
FAQ
How do we prepare for conflict-related cyber attacks?
Preparation includes: (1) threat intelligence monitoring, (2) DDoS protection activation, (3) incident response plan review, (4) backup and recovery testing, (5) communication plan testing. Start 6-12 months before potential conflict.
What is the most common attack during geopolitical conflict?
DDoS attacks are the most common (70% of conflict-related attacks), followed by destructive malware (20%) and espionage (10%). DDoS is the easiest to execute and the most visible.
How long do conflict-related cyber campaigns last?
Active campaigns typically last 2-6 months, but preparatory activity (reconnaissance, pre-positioning) can begin 6-12 months before the conflict. Post-conflict, threat activity remains elevated for 6-12 months.
We help financial services firms prepare for and respond to geopolitical cyber threats. If you need to strengthen your operational resilience, get in touch.