If it seems like financial services face more cloud-based cyberattacks daily, that’s because they’re using and pushing applications to the cloud more often, according to CrowdStrike’s field CTO for the Americas.
Cristian Rodriguez says these cyberattacks tend to start with stolen credentials or identities, allowing adversaries to simply log in and leading to some major data exfiltration events, the deployment of malware or ransomware, and even the use of cloud infrastructure for command and control communications.
Sometimes the criminal, nation-state or hacktivist groups committing these attacks acquire the credentials used to access the cloud from access brokers, resulting in a 26% increase in finance-sector intrusions in 2024, according to the CrowdStrike 2025 Threat Hunting Report. Nation-state activity in the finance sector increased about 80%, Rodriguez says; these actors are primarily interested in understanding mergers, acquisitions and financial trends, and in using that data for economic gain and geopolitical campaigns. One such group is Genesis Panda.
“Over the past year alone, there's been a 40% increase in cloud intrusions that we’ve attributed to China-Nexus adversaries like Genesis Panda,” Rodriguez says.
Assessing Burgeoning Threats to the Financial Sector and Cloud
Genesis Panda understands how to navigate the cloud control plane and take advantage of misconfigurations, often at points in hybrid IT environments where cloud and on-premises infrastructure meet. For this reason, financial services must stay engaged with their security vendors about the latest threat actors, indicators and configurations.
“Being engaged as a security team with your vendors, who provide these services, is a huge thing that you can do to make sure that you’re up to date and not just falling into a comfortable zone,” says Matt Immler, regional chief security officer for the Americas at Okta.
Okta’s Threat Intelligence Team has offered quarterly briefings for about two years. One of the biggest beneficiaries has been customer NASDAQ, which keeps its highly engaged security team on the cutting edge of what’s happening in the financial sector to protect its environment, Immler says.
These briefings are where financial services can learn about growing threats such as Scattered Spider, which often targets human elements, such as help desks, to access systems. The group is increasingly dabbling in the finance sector.
Wiper malware attacks — where data is permanently destroyed and systems are rendered inoperable, with recovery nearly impossible — are harder to quantify because the biggest perpetrator, China, is well aware of organizations’ operational security measures.
“When they’re laying the groundwork, they are trying to ensure that what they’re doing is going undetected for very long periods of time, so that they’re able to deploy it at a later date,” Immler says. “Actually being able to assess how embedded they are, and how prevalent it is, is a little harder.”
AI Makes Sense of Threat Intelligence, and Don't Forget Zero Trust
Financial services interested in beefing up their security tooling should start by gaining a better understanding of adversaries’ behavior and adopting a proper identity security capability around their cloud environments, both to prevent bad actors from moving laterally and to identify the signs of that activity quickly, Rodriguez says.
Security teams also need the ability to stitch together threat intelligence, spot misconfigurations, and analyze cloud workloads and runtimes in real time. Probability algorithms and artificial intelligence are making this work easier and helping teams map vulnerabilities.
While zero-trust security is widespread in the finance sector, teams still need to continuously reevaluate cloud users’ level of access and multifactor authentication.
“We’re big believers in also applying those same types of zero-trust frameworks to the way you’re securing your cloud workloads and models,” Rodriguez says. “That means verifying identities in real time but also continuously verifying that the user is who they say they are by doing things like device posture assessments and assessments on privileges that are assigned to those users — and understanding things like impossible travel.”
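The “impossible travel” check Rodriguez mentions is one of the simpler continuous-verification signals to implement: compare each user’s consecutive logins, compute the great-circle distance between their geolocated source addresses, and flag any pair whose implied travel speed no airliner could match. The Python below is an added illustration of that technique, not code from CrowdStrike, Okta or the article. It assumes a 900 km/h plausibility ceiling, uses constructed login events with documentation-range IP addresses and coarse city coordinates, and pairs the travel signal with a simplified device-posture flag to show how the two checks feed a step-up-MFA or block decision.

```python
"""Impossible-travel detection over login events.

Added example (not CrowdStrike's or Okta's code). Assumptions:
  * MAX_PLAUSIBLE_KMH = 900 roughly matches airliner cruise speed.
  * Login events carry a lat/lon from a geo-IP lookup done elsewhere.
  * SAMPLE_EVENTS are constructed test data (RFC 5737 documentation IPs).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: nothing legitimate travels faster than a commercial flight


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime            # timezone-aware timestamp
    src_ip: str             # constructed, documentation-range address
    lat: float
    lon: float
    city: str
    device_compliant: bool = True   # stand-in for a device posture check


@dataclass(frozen=True)
class Finding:
    user: str
    previous: LoginEvent
    current: LoginEvent
    distance_km: float
    elapsed_h: float
    required_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh.
    Events may arrive unsorted; they are ordered by (user, timestamp) first."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < 1.0:
                continue  # same place (or same geo-IP bucket): nothing to assess
            elapsed_h = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Zero elapsed time with a real distance is the extreme case: treat as infinite speed.
            required = float("inf") if elapsed_h <= 0 else dist / elapsed_h
            if required > max_kmh:
                findings.append(Finding(user, prev, cur, dist, elapsed_h, required))
    return findings


def decide(event: LoginEvent, findings) -> str:
    """Minimal continuous-verification policy for one login: an impossible-travel
    hit blocks and alerts; a non-compliant device forces step-up MFA; else allow."""
    if any(f.current == event for f in findings):
        return "block_and_alert"
    if not event.device_compliant:
        return "step_up_mfa"
    return "allow"


# Constructed sample data: alice's London->Singapore hop in 90 minutes is impossible,
# her return 15 hours later is plausible, and bob's New York->Boston in 4 hours is fine
# but arrives from a device that fails posture.
T0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    LoginEvent("alice", T0, "203.0.113.10", 51.5074, -0.1278, "London"),
    LoginEvent("alice", T0 + timedelta(hours=1, minutes=30), "198.51.100.7", 1.3521, 103.8198, "Singapore"),
    LoginEvent("alice", T0 + timedelta(hours=16, minutes=30), "203.0.113.11", 51.5074, -0.1278, "London"),
    LoginEvent("bob", T0, "192.0.2.20", 40.7128, -74.0060, "New York"),
    LoginEvent("bob", T0 + timedelta(hours=4), "192.0.2.21", 42.3601, -71.0589, "Boston", device_compliant=False),
]

if __name__ == "__main__":
    hits = find_impossible_travel(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.user}: {f.previous.city} -> {f.current.city}, "
              f"{f.distance_km:.0f} km in {f.elapsed_h:.1f} h = {f.required_kmh:.0f} km/h")
    for ev in SAMPLE_EVENTS:
        print(ev.user, ev.city, decide(ev, hits))
```

In production the geolocation step is the weak point: VPN egress, mobile carrier NAT and corporate proxies all place users far from where they sit, so the threshold and the “same bucket” tolerance should be tuned against the organization’s own login baseline, and a hit should trigger step-up verification and an alert rather than an unconditional lockout.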