
Ransomware and Geopolitics – Impact to AML

SPEAKERS
Michelle Farr
MPA, MSMIT, CISM, GRCP
BAE Systems: US Lead, Enterprise Security

Michelle Farr is a senior security executive with extensive industry, government and military
experience. Former Senior Advisor to the Director of National Intelligence (DNI) for HUMINT and
Deputy Assistant Administrator for Intelligence at TSA. Michelle has over 20 years' experience
working security, intelligence and risk activities.

Doug McCalmont
CAMS, CGSS
BAE Systems: AML Solutions Consultant, Blockchain SME

Doug is a former AML Compliance Officer for a major Boston-based asset management firm and
active in the cryptocurrency space since 2013. In 2017 Doug established a blockchain consulting
firm advising non-profit organizations on their adoption of blockchain conventions to improve
their global efficiencies.
LEARNING OBJECTIVES
• How asymmetric warfare impacts AML in 2020
• How cybersecurity officials are becoming more involved in legacy AML
programs
• Understanding the Advanced Persistent Threat (APT) in Financial systems
• See the sophistication and the merging of cyber and cryptocurrency
conventions
• An understanding and appreciation of recent geopolitical cyber and
cryptocurrency initiatives and how they have an immediate impact on AML
programs worldwide
• Why OFAC's decision to add crypto-wallet addresses was so revolutionary and
timely
AGENDA
• BAE Systems Applied Intelligence
• Recent Geopolitical Events
• Threat Actors: APT Groups
• Hackers: Banks and Crypto
• Adversary Tactics – Simple and Effective
• Learning from the mistakes of Venezuela
• Merging of Cyber and Crypto conventions
• OFAC/DoJ recognition
• Defensive Measures
• Preparation and Response
BAE SYSTEMS APPLIED INTELLIGENCE MISSION
• Protect Nation States & Citizens: Intelligence, analytics & national cyber defence
• Fight Criminal & Terrorist Financing: Counter-fraud & financial crime solutions
• Defend Businesses Against Cyber Threats: Security operations, advisory & threat
intelligence services

EXPERTISE
• Intelligence mission
• Nation state scale operations
• Criminal typologies
• Attacker tradecraft
• Financial crime operations
• Operating environment
BAE SYSTEMS: GLOBAL CYBER SECURITY EXPERTISE
• We deliver Threat Intelligence to customers in 30 locations and 4 continents
• We track over 130 threat groups globally
• Our Threat Intelligence team consists of 40 experts globally supporting customers locally
• Our Signatures database has over 75K active entries, with 2K new entries added per month
(May 2019)
• “Of the APT-related network indicators that overlapped with other threat intelligence
providers, over 75% were reported first (or simultaneously) by BAE Systems”
• Endorsed by National Counterintelligence and Security Center (NCSC) to handle serious
cyber-attacks
• Certified by CREST
• 30 experienced incident responders operating from bases in UK, US, Malaysia and Australia
SPOTLIGHT: IRAN
RECENT GEOPOLITICAL EVENTS
• 02 Jan 2020 - General Qassem Soleimani, commander of the
IRGC’s Quds Force killed in Iraq by a US targeted strike.
• 06 Jan 2020 – US Warns of Iranian Cyber Threat
• 09 Jan 2020 – Iranian Hackers “Password Spraying” the US
Grid
• 16 Jan 2020 – National Security experts said attacks by Iran
are a “certainty”

There are fears that Iran may yet target U.S. or allied military installations, financial infrastructure, the electrical
grid, and academic institutions through cyber attacks.

BAE Systems Threat Intelligence has seen Iranian threat group activity targeting U.S. organizations over the
last year, but no particular spike since the Soleimani attack.
THREAT ACTORS: APT GROUPS
• APT 33 (Magnallium, Refined Kitten, Elfin, Alibaba)
• APT 34 (OilRig, Helix Kitten)
• APT 35 (Magic Hound, Rocket Kitten)
• APT 39 (Remix Kitten, Chafer)
• Static Kitten (MuddyWater)

Probable Iranian Cyber tactics in response to geopolitical tensions: DDOS,
Ransomware, Wiper, Website defacements or other targeted intrusion
2018-2019 – KNOWN INTRUSIONS (PUBLIC)
HACKERS: BANKS AND CRYPTO
• Iran has targeted several top tier banks globally
• 2012 – Ababil - Iran hacker groups ran a series of successful DDOS attacks against
US Banks
• 2019 – US Govt reported a “recent rise” of malicious cyber activity from Iran –
infiltrating banks, government agencies and other industry sectors
• Evading sanctions and funding illicit activities (and more) means Iran and similar
actors turn to digital crypto currencies
– buy and sell illicit goods and services, through the Internet black markets
– create opportunities to hack digital exchanges and e-wallets for purposes of
financial fraud and identity theft
TACTICS – SIMPLE AND EFFECTIVE
• DDOS was the preferred weapon of Iran (2012)
• BEC/Phishing/Spearphishing
• Basic banking trojans (2015)
• Ransomware (2018 +)
• Password Spray
• SSH attacks
• VPN exploits
• Website defacements

Source: Newsweek

Listing of TTPs used by APT groups on MITRE ATT&CK


LEARNING FROM THE MISTAKES OF VENEZUELA
• Iranian economy “hammered” by Western economic sanctions versus the extreme
levels of internal Venezuelan corruption
• Increased pressure on Iran to circumvent Western economic sanctions
• Like Venezuela, Iran can exploit inexpensive energy options
• Iran has an appreciation for a true decentralized currency versus the Venezuelan
Petro that was centralized within the Venezuelan Government
• Iranian Government encouraging internal cryptocurrency development and
creation/usage
• Iran doesn’t seem to be rushing to establish a Central Bank Digital Currency (CBDC)
demonstrating a more strategic approach
MERGING OF CYBER AND CRYPTO CONVENTIONS

Source: Bitnodes.IO
OFAC/DoJ RECOGNITION
• Ali Khorashadizadeh and Mohammad Ghorbaniyan
added by OFAC to the SDN List
• Since 2013 these two residents of Tehran, Iran used
two wallet addresses to process more than 7,000
bitcoin transactions with more than 40 exchanges
including some in the US totaling over 6,000 bitcoins
(currently trading at $8,795 USD per unit)
• Faramarz Shahi Savandi and Mohammad Mehdi Shah
Mansouri, two Iranian nationals, indicted by the US
DoJ for the deployment of the SamSam ransomware
designed to extort funds (via cryptocurrencies) from
hospitals, local governments and other public
institutions
DEFENSIVE MEASURES
PREPARATION AND RESPONSE
• Education and Awareness
• Ensure basic cyber hygiene:
– NIST CSF
– Patches, updates, encryption, email
protections, etc.
• Sync bank fraud operations with cyber
security and information technology plans
• Develop threat scenarios and test
• Exercise, exercise, exercise
Cross-business initiative with over 2,000 global members